OneDrive (1TB) came as a feature of a home Microsoft 365 subscription that was offered to our firm at a discount. This is probably the third year that I subscribe to Microsoft 365 and over that time I found OneDrive quite handy, and I developed a method to organize my data that fit what I needed.
I use a MacBook Pro, with an internal hard drive, let's call it MacHD, and a fast external drive, which I'll call ExternalHD. The root of OneDrive is a directory in the external drive: /ExternalHD/OneDrive. Currently:
ExternalHD capacity = 2 TB, with ~1.3 TB being used
OneDrive service = 1 TB, with ~800 GB being used
All data under /ExternalHD/OneDrive is accessible through the external drive, of course. There is a subtree of the directories that I also keep locally. Files outside that 'local' subtree are stored only on the cloud. Files that are not under directory /ExternalHD/OneDrive are local only. So there are 500 GB on both local and cloud drives, and 300 GB cloud only.
That worked without a glitch for more than two years. Until last night... I was working with some files in the ExternalHD, and I noticed that directory OneDrive had been replaced with a sym link, and all files under it were nowhere to be found, not even in the Trash file. The OneDrive icon was indicating that it was transferring files. Looking at the location that the sym link was pointing, I figured what was happening:
OneDrive was transferring itself from the external hard drive to the main internal drive in a hidden directory /home/Library/CloudStorage/OneDrive-Personal. I did not start this process; I was not asked or at least notified.
To achieve that:
- It permanently deleted 500 GB of data that was stored locally, in the external drive
- It used my internet connection to download 500 GB of data from the cloud to the Mac internal drive. 500 GB over a home internet connection.
- It wrote 500 GB of data in my machine's internal drive. There was no action on my end to trigger this, it literally happened out of the blue. As a service OneDrive should not even know about the internal drive, as I never linked data from the internal drive with the app.
Each of the highlighted actions can be classified as a malicious attack. Apart from viruses and malware, this was the first time since 1984, when I got my first PC, that I see software literally attacking the users' equipment, and to do so at random without any involvement from or any warning to the user.
I marked the post as a question. An honest and specific explanation on the trigger of this behavior would be appreciated. The incident could have resulted in data loss, a corrupt internal drive (if it had less than 500 GB free space), or suspension of internet service (500 GB download does raise flags with the ISP).