Kaspersky Lab researchers have identified a fresh phishing campaign that exploits SharePoint servers to harvest login credentials for multiple mail services, including Yahoo, AOL, Outlook, and Office 365. The findings were shared with analysts at a Canadian and U.S. security outlet.
The operation targets employees across organizations worldwide, including entities in Russia. Attackers dispatch phishing notifications that appear to come from SharePoint, a familiar collaboration tool whose notifications often pass typical spam filters. In many workplaces, SharePoint is used daily, which makes the lure more convincing. Over the last winter, researchers observed more than 1,600 emails aligned with this scheme.
The core danger lies in how the attackers exploit SharePoint’s built‑in notification system. Microsoft allows users to share files on corporate SharePoint servers with external participants who do not have direct access. By gaining access to a colleague’s SharePoint account through a similar phishing approach, the attackers can trigger legitimate‑looking alerts that carry malicious links. This blend of familiar branding and trusted workflow makes the deception particularly effective.
When a recipient clicks the link, they are directed to a SharePoint page where a OneNote file opens as if it were a routine notification. Within the file, a prominent icon and what appears to be an extra step to download data lure the user further. In reality, the user becomes the target of a credential harvesting attempt masked as a harmless action.
Security experts warn that this phishing model is especially dangerous because the notifications originate from a legitimate corporate service. Red flags are easy to overlook: the file’s sharer is unknown, the file type may be unfamiliar, and the explanation of what is being posted or why it is shared may feel unclear. The download link often redirects to a third‑party site unrelated to the victim’s organization or to SharePoint. The page may mimic OneDrive and other Microsoft services, which can reinforce the illusion of authenticity. This analysis comes from researchers at Kaspersky Lab and industry spam analysts who describe this as a sophisticated social engineering tactic.
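The red flags listed above can be turned into a triage check for shared-file notifications. The following is an added example, not code from Kaspersky Lab or Microsoft; the organisation domain, the baseline of usual file types, the notification field names and the sample notification are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions, not from the article: organisation domain, usual file types,
# notification field names, and the constructed sample below.
ORG_DOMAINS = {"contoso.example"}
TRUSTED_SUFFIXES = {"sharepoint.com"} | ORG_DOMAINS
EXPECTED_TYPES = {".docx", ".xlsx", ".pptx", ".pdf"}


def host_is_trusted(url, suffixes=TRUSTED_SUFFIXES):
    """True only if the URL's real host is a trusted domain or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname drops any "user@" prefix, so a URL that merely starts with a
    # trusted name is judged by the host after the "@", where the browser connects.
    host = (parts.hostname or "").rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def red_flags(notification, known_sharers):
    """Return the article's red flags that apply to one sharing notification."""
    flags = []
    if notification["sharer"].lower() not in known_sharers:
        flags.append("unknown_sharer")
    name = notification["file_name"].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in EXPECTED_TYPES:
        flags.append("unfamiliar_file_type")
    # Crude proxy for "unclear why it is shared": no accompanying message at all.
    if not notification.get("message", "").strip():
        flags.append("no_explanation")
    if any(not host_is_trusted(u) for u in notification["links_in_file"]):
        flags.append("external_download_link")
    return flags


# Constructed sample: a OneNote file shared by an unfamiliar external account.
SAMPLE = {
    "sharer": "j.doe@partner.example",
    "file_name": "Q3-Statement.one",
    "message": "",
    "links_in_file": [
        "https://contoso.sharepoint.com/sites/finance",
        "https://contoso.sharepoint.com@files.invalid/signin",
    ],
}

if __name__ == "__main__":
    print(red_flags(SAMPLE, known_sharers={"alice@contoso.example"}))
```

Because the notifications in this campaign are sent from real SharePoint accounts, trusting every host under sharepoint.com is broad; narrowing the trusted list to the organisation's own tenant hostname tightens the link check.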
Earlier reporting indicated that a vulnerability in Microsoft Outlook could enable password theft via a single email, underscoring how email and collaboration tools can become attack vectors when misused.