Why are legitimate Mimecast links redirecting me to financial fraud sites?
Security researchers recently identified a sophisticated financial fraud campaign targeting the corporate sector. Over the last two weeks, cybercriminals dispatched approximately 40,000 emails disguised as notifications from Microsoft SharePoint and DocuSign. These attacks successfully bypassed standard security filters by abusing the infrastructure of Mimecast, a widely trusted email security service.
This campaign targets organizations with high volumes of transactional documentation. The attackers rely on “social engineering” rather than malware code; they manipulate human trust in familiar business tools to steal credentials and financial data.
The Mechanism: Abusing Mimecast URL Rewriting
The core innovation of this campaign is the manipulation of the Mimecast Protect service. Mimecast uses a URL rewriting feature to scan links for safety. When a user sees a link starting with m.mimecastprotect.com, they typically assume the link has been scanned and verified.
Attackers generated these trusted links to mask their malicious destinations. By routing traffic through Mimecast’s legitimate infrastructure, the phishing emails evade automatic detection systems that whitelist Mimecast domains.
To further lower victim defenses, the emails mimic authentic administrative notifications:
- Visual Mimicry: The emails utilize official Microsoft and Office headers, footers, and logos.
- Deceptive Senders: Display names appear as “X via SharePoint,” “eSignDoc,” or “SharePoint Online.”
- Contextual Triggers: The content references invoices, contracts, or urgent document signatures.
Note on Vendor Security: Mimecast has clarified that this incident does not stem from a vulnerability in their software. Rather, attackers are misusing a legitimate feature. Mimecast’s internal detection modules still block these malicious URLs for their own direct customers. The risk primarily exists for external recipients who trust the Mimecast branding but do not have the same protections in place.
The Stealth Variant: DocuSign and Tokenized Redirects
While the primary campaign uses an “open redirect” method—where the final malicious URL might be visible in the query string—a smaller, distinct operation targets DocuSign users with higher sophistication.
This variant hides the destination completely. The attack chain flows as follows:
- Bitdefender GravityZone: The user clicks a link routed through this security domain.
- Intercom Tracking: The traffic moves through Intercom’s click-tracking service.
- Tokenized Redirect: The final landing page is concealed behind a token, making the destination invisible to the user until the page loads.
This layering technique renders the DocuSign variant nearly invisible to standard inspection methods.
Sector Targeting and Global Impact
Telemetry data indicates a strategic focus on industries that routinely exchange high-value contracts. Consulting, technology, real estate, and construction sectors are the primary targets because their employees are conditioned to open file-sharing notifications without hesitation.
Regional Distribution of Attacks:
- USA: 34,057 (Primary target)
- Europe: 4,525
- Canada: 767
- Asia: 346
- Australia: 267
- Middle East: 256
Data reflects the location of security infrastructure, which generally correlates with, but may not perfectly match, victim location.
Advisory: Strengthening Your Defense Protocols
The success of this campaign relies on the user’s habit of clicking “trusted” links. Since the technical indicators (like the URL domain) appear legitimate, you must shift your verification strategy to context and behavior.
Immediate Actions for Teams:
- Verify, Don’t Trust: Treat every “SharePoint” or “DocuSign” notification as suspicious if you were not explicitly expecting a document.
- Manual Navigation: Do not click the link in the email. Open your browser, navigate to the service (e.g., logging into your DocuSign portal directly), and check for pending documents there.
- Inspect Redirects: Hover your cursor over links. If a DocuSign email routes through a complex chain of third-party security domains unrelated to your organization, report it.
- Scrutinize Aesthetics: Look for minor formatting errors. Low-resolution logos or inconsistent font sizes often indicate a forgery.
- Update Training: Alert your staff specifically about “Trusted Infrastructure Abuse.” Employees need to know that a “safe” link from a known security vendor can still lead to a malicious site if the vendor’s tools are being manipulated.
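A static triage check for the two link shapes described earlier (the open redirect whose target is visible in the query string, and the tokenized chain that hides it) and for the "Inspect Redirects" advice above; this is an added Python example, not code from the original article or from any vendor named in it. It assumes only that a wrapper hop carries the next URL as a query value; the two `.example` hostnames are placeholders for the Bitdefender GravityZone and Intercom hops, and the sample links are constructed.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Link-wrapping hops named in the article. Only m.mimecastprotect.com is quoted there
# verbatim; the other two are PLACEHOLDER hostnames for the Bitdefender GravityZone and
# Intercom click-tracking hops. Replace them with hostnames seen in your own gateway logs.
WRAPPER_HOSTS = ("m.mimecastprotect.com", "gravityzone-link.example", "intercom-click.example")
# Where a genuine SharePoint or DocuSign notification is expected to land.
EXPECTED_FINAL = ("sharepoint.com", "docusign.com", "docusign.net")

def _host_matches(host, suffixes):
    """Exact or subdomain match, so 'sharepoint.com.evil.example' does not pass."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _embedded_url(url):
    """First http(s) URL carried in any query value (the open-redirect pattern), else None."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = unquote(value).strip()
        if candidate.lower().startswith(("http://", "https://")):
            return candidate
    return None

def unwrap_chain(url, max_hops=10):
    """Hosts a click would traverse, as far as the query strings make them visible."""
    chain, seen = [], set()
    while url and len(chain) < max_hops:
        host = (urlsplit(url).hostname or "").lower()
        if host in seen:  # redirect loop: stop rather than spin
            break
        seen.add(host)
        chain.append(host)
        url = _embedded_url(url)
    return chain

def assess_link(url):
    """Return (verdict, chain). 'opaque' = a wrapper hop hides the destination behind a
    token, so static inspection cannot clear the link and it needs manual verification."""
    chain = unwrap_chain(url)
    final = chain[-1] if chain else ""
    if _host_matches(final, WRAPPER_HOSTS):
        return "opaque", chain
    if _host_matches(final, EXPECTED_FINAL):
        return "expected", chain
    if any(_host_matches(h, WRAPPER_HOSTS) for h in chain):
        return "unexpected-destination", chain
    return "unknown", chain

# Constructed sample links; paths and parameter names are invented, not vendor formats.
SAMPLES = {
    "rewritten_legit": "https://m.mimecastprotect.com/s/abc?url=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fdocs",
    "rewritten_lure": "https://m.mimecastprotect.com/s/def?url=https%3A%2F%2Fdocs-review.example%2Fsignin",
    "tokenized": "https://gravityzone-link.example/r?u=https%3A%2F%2Fintercom-click.example%2Fc%2Ft0k3n",
}
```

Running `assess_link` over gateway or proxy logs turns the "hover and look" advice into a queue: anything that is not `expected` goes to a human before the document is opened.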
This attack demonstrates that cybercriminals are moving away from easily detected malware and toward manipulating the very tools businesses use for security. Continuous vigilance is your most effective countermeasure.