Tibor Csavdári
09/18/2025

Fraudsters attack with a new method: Microsoft SharePoint-based phishing

Phishing via Microsoft SharePoint is on the rise, using trusted accounts to trick users. Discover how these attacks work, what red flags to spot, and the steps to protect your company from data breaches and account compromise.

Recently, there has been a significant increase in the number of phishing emails exploiting the Microsoft SharePoint platform. These attacks are particularly dangerous because they often come from known partners or colleagues with whom you have a working relationship, so they may appear trustworthy at first glance. Below, we explain in detail how these attacks work, what to look out for, and what to do if you receive a suspicious email.

How does SharePoint-based phishing work?

Phishing emails contain a seemingly genuine Microsoft SharePoint sharing link that provides access to a document or folder. After the user opens the link, the system asks them to sign in with their username and password, and then requests the second step of multi-factor authentication (MFA) through the authenticator app. Up to this point, the process is identical to accessing a genuine SharePoint share, which makes the scam difficult to detect.

The danger begins when, after authentication, the system asks for identification again, or when the shared file contains an additional link that also requires authentication. These second-round requests no longer come from Microsoft systems but attempt to obtain data through a phishing site. If you click on such a link, you should immediately close the browser window and notify the IT operations team so they can take the necessary steps (password change, MFA re-registration).

Why is this attack particularly dangerous?

This type of phishing is extremely sophisticated because:

  • Use of real SharePoint links: Attackers exploit a legitimate Microsoft SharePoint environment, so the links appear safe at first glance.
  • Use of compromised accounts: Attackers often use accounts belonging to colleagues or partners who have been hacked previously. This way, the share comes from a familiar name, which reduces suspicion.
  • Possibility of internal attacks: Even within a company, a phishing link may be sent from a hacked colleague's account. Therefore, it is particularly important to carefully check any unusual shares.

What should we pay attention to, and what should we do?

  • Verify the sender: If you receive a sharing link from a colleague or partner with whom you do not have daily contact, be sure to contact them (e.g., by phone or other channel) to verify that they actually sent the link.
  • Pay attention to repeated authentication requests: If, after opening the SharePoint link, the system repeatedly asks for authentication, or if the shared file contains additional links that require authentication, immediately stop the operation and close the browser.
  • Technical details: Phishing sites often use URLs that are very similar to official Microsoft links (e.g., login.microsoft0nline.com instead of login.microsoftonline.com). Always check the URL and avoid suspicious domains. Attackers may also use man-in-the-middle (MITM) techniques, where authentication data is stolen via an intermediate server.
  • Immediate actions to take in case of a suspicious link:
    • Do not re-enter your login details! If you have already entered your username, password, or MFA code, you must notify the IT operations team immediately.
    • Request a password change and MFA re-registration.
    • If the link was sent by a colleague and it turns out that they were not the actual sender, both parties must immediately notify IT operations so that they can manage the compromised account and recall the work if necessary.
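
The URL check described under "Technical details" can be automated for links pulled from reported emails or proxy logs. The following is an added example, not Socwise's own tooling: the allowlist content, the substitution table, the distance threshold and the sample URLs are assumptions to adapt to your tenant.

```python
from urllib.parse import urlsplit

# Assumption: sign-in hosts your organisation accepts; extend for your tenant.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}
# Visual substitutions mapped back to the character they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(host: str) -> str:
    """Collapse look-alike characters so 'microsoft0nline' compares as 'microsoftonline'."""
    return host.translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_login_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a page asking for credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host in TRUSTED_LOGIN_HOSTS:
        # An exact host match only counts over HTTPS.
        return "trusted" if parts.scheme == "https" else "untrusted"
    for good in TRUSTED_LOGIN_HOSTS:
        # Same name after undoing substitutions, or within two edits of it.
        if edit_distance(skeleton(host), skeleton(good)) <= 2:
            return "lookalike"
        # Trusted name used as the leading labels of some other domain.
        if host.startswith(good + "."):
            return "lookalike"
    return "untrusted"

# Constructed sample URLs; only the two login hosts come from the article.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoft0nline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com.signin.example/start",
    "https://docs.example.org/shared/report",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify_login_url(u):10} {u}")
```

A "lookalike" result is the case to escalate to the SOC; "untrusted" only means the host is not an approved sign-in page, so credentials should not be entered there.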

How can we protect ourselves?

  • Use strong, unique passwords, and never use the same password in multiple places.
  • Keep your MFA settings up to date and watch out for authenticator app or SMS code requests that arrive at unusual times.
  • Regularly update your browser and devices to reduce the chance of security vulnerabilities being exploited.
  • If you are unsure, it is best not to open any links until you have checked with the sender or the operator.

Why is this important?

The goal of phishing is not only to hack individual accounts, but also to compromise the entire corporate system! A hacked account can be a starting point for further attacks, such as leaking confidential data or deceiving other colleagues. Quick response and caution can help minimize damage.

If you notice any suspicious emails or links, you must immediately report them to the company's IT operations and/or SOC team!
