When "Update OneDrive" is clicked, the download prompt shown below appears.
The problem is the origin of the file: https://oneclient.sfx.ms
sfx.ms IS a domain registered to the Microsoft Corporation - GOOD
oneclient.sfx.ms is a sub-domain of that Microsoft-registered domain, and a sub-domain can only be created by whoever controls the parent zone's DNS. - GOOD
This is where things get strange.
oneclient.sfx.ms is hosted on a server in Mazowieckie, Poland (PL) - QUESTIONABLE, but a weak signal on its own: large services serve downloads from CDN edge nodes close to the client, so the country of the resolved IP depends on where the lookup was made and says little about who controls the name.
Follow this link to see for yourself: http://www.herdprotect.com/domain-oneclient.sfx.ms.aspx
If you enter https://oneclient.sfx.ms into your browser's address bar, or simply click the link provided, you are immediately redirected to https://onedrive.live.com/about/en-us/, which is very much a well-known legitimate site controlled by Microsoft.
The thing is, ANYONE can make a site they control redirect to any other site, so landing on a legitimate Microsoft page proves nothing about the host that sent you there. For this article, we created:
If you click the above link it will open a new browser tab/window and redirect you to https://onedrive.live.com/about/en-us/. This is just to show how simple it is for ANYONE to do.
Ok. Let's, for the sake of argument, say we're just being paranoid.
(In our opinion, it is "Always better to be safe aka paranoid, than Sorry".)
The next unusual thing is the SSL certificate that https://oneclient.sfx.ms is using. It is a "wild-card certificate", one issued for a pattern such as *.sfx.ms rather than for this host name specifically, so it is valid for any single-label host under sfx.ms. There are many legitimate uses for this type of certificate, and a CA issues it to whoever proves control of the parent domain, exactly as for a normal certificate. Personally, I have never seen or heard of Microsoft using a wild-card certificate for a site that the general internet is supposed to access.
It is difficult to see the SSL certificate details in a regular browser because the redirect happens too fast. Here is a link to a third-party website that exposes the details of the wild-card SSL cert: https://www.sslshopper.com/ssl-checker.html#hostname=oneclient.sfx.ms. This information is available to anyone connecting to any SSL website, because the certificate is sent in the clear during the handshake.
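The two checks above, the redirect target and the certificate names, can be done without a browser and without following the redirect. The script below is an added example written for this article, not code from Microsoft or from any tool mentioned here. It uses only the Python 3 standard library; `SAMPLE_CERT` is a constructed certificate in the shape `ssl.getpeercert()` returns, not the real certificate of oneclient.sfx.ms, and the live network lookups run only when the file is executed directly. The hostname matching follows the usual browser rule that a wildcard covers exactly one left-most label.

```python
"""Inspect a host's TLS certificate and its redirect, without following it."""
import http.client
import socket
import ssl


def cert_names(cert):
    """Extract (subject CN, SAN dNSNames) from the dict ssl returns for a peer certificate."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def is_wildcard(names):
    """True if any certificate name is a wildcard such as *.example.test."""
    return any(name.startswith("*.") for name in names)


def name_matches(hostname, pattern):
    """Match one certificate name against a hostname.

    A leading '*' matches exactly one left-most DNS label, so *.example.test
    covers a.example.test but neither example.test nor a.b.example.test.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if pat[0] == "*":
        return len(host) == len(pat) and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, names):
    """True if at least one certificate name is valid for hostname."""
    return any(name_matches(hostname, n) for n in names)


def summarize(hostname, cert):
    """Reduce a peer-certificate dict to the facts the article cares about."""
    cn, sans = cert_names(cert)
    names = sans or ([cn] if cn else [])   # browsers ignore the CN when SANs exist
    return {
        "names": names,
        "wildcard": is_wildcard(names),
        "covers_host": cert_covers(hostname, names),
        "issuer": dict(kv for rdn in cert.get("issuer", ()) for kv in rdn),
    }


def fetch_cert(hostname, port=443, timeout=10):
    """TLS handshake only (no HTTP); returns the validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def redirect_target(hostname, path="/", port=443, timeout=10):
    """One HEAD request with redirects NOT followed: returns (status, Location header)."""
    conn = http.client.HTTPSConnection(hostname, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", path, headers={"Host": hostname, "User-Agent": "cert-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed sample in the shape ssl.getpeercert() returns; this is NOT the
# real certificate of oneclient.sfx.ms, just a stand-in for offline testing.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "*.example.test"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "oneclient.sfx.ms"
    print(summarize(host, fetch_cert(host)))   # names, wildcard?, covers host?, issuer
    print(redirect_target(host))               # e.g. (301, 'https://...') without following it
```

Run it as `python3 check_host.py oneclient.sfx.ms`. Note what the output can and cannot tell you: `fetch_cert` only succeeds if the chain validates against the system trust store, so the certificate was issued to someone who proved control of the domain, wildcard or not; it does not tell you who operates the server behind the name, and neither does the redirect target.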
After some basic googling for confirmation of the legitimacy of https://oneclient.sfx.ms/, we found this thread on a legitimate Microsoft site. A confirmed Microsoft employee, Sudheendra S (confirmed by the blue and white "Microsoft" badge under his name), evades answering the simple question: is this "OneDrive update is required" prompt real or bogus?
At this time it remains unclear whether this is a legitimate pop-up from Microsoft or not. Typically, OneDrive updates itself automatically, without requiring a manual download of an update.
Our recommendation is that:
- You DO NOT allow this application to run.
- Before deciding anything else, check the downloaded file's digital signature (right-click the file, Properties, Digital Signatures tab): a genuine Microsoft installer carries a valid signature from Microsoft Corporation, and a file with no valid signature should never be run.
- Immediately update your antivirus software and perform a full system scan.
- Have your antivirus run a boot-time scan of your system as well.
Our contacts at Microsoft haven't given a straight answer as to the legitimacy of the update either. We'll update this article as we learn more.