'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
What to do if…
a shared folder suddenly appears on your computer and starts syncing unknown files
Short answer
Pause or stop the sync first, then confirm which account/service is doing it before you open anything. If you think your account was accessed, change passwords from a different device.
Do not do these things
- Don’t open the unknown files “to see what they are” (especially shortcuts, installers, or documents asking you to enable macros).
- Don’t drag the folder into other folders, rename it repeatedly, or “tidy up” while it’s still syncing (you can accidentally spread or delete things).
- Don’t “fix” it by copying the unknown files elsewhere (that can create more copies and more syncing).
- Don’t click links from unexpected “shared folder” emails or messages to “verify” access.
- Don’t sign out of everything in a panic before you’ve noted which account/service is involved (you may need that info).
What to do now
-
Stop the syncing immediately (buy time).
- If you see a sync app icon (e.g., OneDrive, Dropbox, Google Drive) in the taskbar/menu bar, pause syncing or quit the app.
- If the syncing won’t pause, disconnect from the internet (Wi-Fi off / unplug Ethernet) to stop new downloads while you check safely.
-
Identify which service created the folder (don’t guess).
- Look at the folder location/name (common clues: “OneDrive”, “Dropbox”, “Google Drive”, “iCloud Drive”, “SharePoint”, “Shared”, “Company name”).
- Open the sync app’s Settings/Account screen and note:
- the signed-in email/account
- whether it says work/school vs personal
- any listed synced libraries/shared folders
-
If it’s OneDrive/SharePoint: stop syncing that library/folder (local disconnect).
- In OneDrive settings, use the option to stop syncing the specific folder/library (this disconnects that library from your computer).
- If you’re in a workplace setup, it may be a SharePoint library that was added accidentally or by policy—stopping sync locally is the safest first move.
-
Check for obvious “how did this happen?” signals (without opening the files).
- Search your email (and deleted items) for terms like “shared”, “OneDrive”, “SharePoint”, “Dropbox”, “Google Drive”, “invited” around the time it started.
- In the cloud service’s web view (from a browser), look for Recent activity / Sharing to see who shared it and when.
-
If you suspect account compromise: secure the account from a different device.
- From a phone or another computer you trust:
- change the password for the cloud account involved
- turn on two-step verification if it’s not already on
- sign out of other sessions / remove unknown devices (most services have a “devices” or “security” page)
- From a phone or another computer you trust:
-
Do a basic safety check on this computer before resuming sync.
- Run your operating system’s built-in security scan and ensure updates are current.
- If this is a work device (or has work access), tell your IT/admin team now with what you observed (folder name, account email, time it started, screenshots). Ask them whether it’s a legitimate shared library or an incident.
-
If money loss, identity misuse, or fraud is involved: report it (UK).
- If the crime is happening now or you’re at immediate risk, call 999.
- Otherwise, for cyber crime/fraud affecting England, Wales, or Northern Ireland, report via Report Fraud (online or by phone).
- If you’re in Scotland (or it happened there), contact Police Scotland via 101.
What can wait
- You do not need to decide right now whether to delete the folder permanently.
- You do not need to sort or clean up the downloaded files today.
- You do not need to confront anyone who “shared” it until you’ve confirmed whether it’s legitimate (work policy vs compromise).
- You do not need to reinstall everything as a first step unless an IT/security professional advises it.
Important reassurance
A sudden “shared” or “synced” folder often comes from a legitimate change (work/school SharePoint library, a second account signed in, or an accidental share). Pausing sync and checking the signed-in account is the calm, reversible way to regain control.
Scope note
These are first steps to stop further syncing, avoid opening risky files, and gather enough information to escalate safely. Later steps (like deeper malware checks, restoring files, or formal incident handling) can come after you’ve stabilised.
Important note
This is general information, not legal or professional IT advice. If you’re in a workplace environment, follow your organisation’s security process and involve IT/security early—especially if the unknown files could include personal or confidential data.
Additional Resources
- https://support.microsoft.com/en-gb/office/how-to-cancel-or-stop-sync-in-onedrive-4885c27e-3d89-4d69-be75-2646c71367d3
- https://support.microsoft.com/en-gb/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0
- https://www.reportfraud.police.uk/reporting-a-fraud/
- https://www.gov.uk/government/news/report-fraud-new-service-from-city-of-london-police
- https://www.gov.uk/report-suspicious-emails-websites-phishing
- https://www.ncsc.gov.uk/section/respond-recover/ml-malware