Beware the “Trusted” Trap: How SharePoint Phishing Nearly Caught One of Our Clients

Published by Eric Bouvier, EJB Technology Support, LLC


On July 15, 2025, one of our clients forwarded me the details of a concerning email incident involving one of their staff.

It came from a trusted business partner, included a legitimate-looking SharePoint link, and even required an access code. For most people, it would have seemed perfectly safe.

But it was a phishing attack—and it nearly compromised the user.


How SharePoint Phishing Works

Traditional phishing attacks often use obviously fake login pages or suspicious links. But attackers are getting smarter. A growing tactic is SharePoint phishing, which leverages legitimate Microsoft infrastructure to trick victims.

According to a recent CyberProof report,

“Attackers are increasingly leveraging SharePoint-themed phishing to exploit user trust in Microsoft platforms. By disguising malicious links as legitimate SharePoint file shares, threat actors trick users into clicking on URLs that lead to credential harvesting pages or malware downloads.”

Why is this so dangerous?

  • Trusted Brand: People naturally trust Microsoft and SharePoint links.

  • Bypasses Security Filters: The link itself points at a Microsoft-owned domain with a good reputation, so URL reputation checks and domain blocklists have nothing to block, and the message sails through.

  • Dynamic Pages: Attackers use short-lived, access-code-gated pages. A scanner that can't supply the code, or that visits after the share has been removed, never sees the malicious content.

  • Compromised Accounts: Often, these attacks come from legitimate, hacked accounts, making them look authentic.


What Happened to Our Client

In this incident, one of our client’s staff received an email from an insurance partner whose account had been compromised. The email contained a SharePoint link that:

  • Required an access code

  • Appeared fully legitimate

  • Was hosted on a real Microsoft domain

Thankfully, the client’s environment isn’t tied to Microsoft 365 for email, and their users’ email passwords are secured through Bitwarden and app-specific credentials. A Microsoft-branded sign-in page was therefore asking for a credential the user doesn’t actually use for email, and a password manager only fills a saved login on the site it was saved for, so there was nothing useful to hand over. This security design prevented any immediate compromise.

However, it’s easy to imagine how this could have escalated if the user had:

  • Entered personal or work credentials into a fake login page

  • Downloaded malicious files posing as documents

  • Provided attackers with an entry point into company systems


What To Do If You Receive a Suspicious SharePoint Link

If you ever get a SharePoint link unexpectedly—especially from someone who doesn’t usually share files that way—pause before clicking.

Here’s what you should do:

Verify the sender directly. Call or message them using known contact details, not the phone number or email address in the message itself.
Hover over links. Check the actual host the link goes to, not the text it displays. A genuine SharePoint share lives on a tenant-name.sharepoint.com host; a lookalike such as sharepoint-something.example is not Microsoft. Remember, though, that a real Microsoft host is not proof the file is safe, as this incident shows.
Be cautious with login prompts. If you’re already signed into Microsoft, why is it asking you to sign in again? And if you don’t use Microsoft for email at all, a Microsoft sign-in page has no business asking for your email password.
Be wary of validation codes. A code included in the same email as the link proves nothing, since both come from the same sender. Attackers increasingly use these codes to make phishing sites look legitimate and to keep automated scanners out.
Scan your machine if you’ve downloaded or opened any file from the link, and tell IT which file it was.
Report suspicious emails immediately. Don’t wait; IT would rather check than clean up after a breach.
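As an added illustration (this is example code written for this article, not a tool from the client, from Microsoft, or from EJB Technology Support), here is a small Python script that automates the "hover over links" step from the list above. It pulls every link out of a message, checks whether the link really goes to a Microsoft SharePoint or OneDrive host, flags display-text mismatches and lookalike domains, and surfaces the things a person should then verify by phone: the tenant name behind the share, whether it is a OneDrive "personal" share, and a Reply-To that points somewhere other than the sender. The sample message, every domain and tenant name in it, and the list of genuine Microsoft host suffixes are assumptions made for the example.

```python
"""Triage helper for an unexpected 'SharePoint share' e-mail.
Added example, not code from the original post: it automates the
'hover over links' step and lists what a human should then verify
out of band. It cannot tell a genuine share from one sent through a
hijacked partner account, which is exactly the case described above."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts under which Microsoft serves SharePoint Online and
# OneDrive for Business shares (extend for sovereign clouds if needed).
GENUINE_SUFFIXES = (".sharepoint.com", ".sharepoint.us")

# Constructed sample, not a real capture: every domain, tenant name
# and path below is a placeholder.
SAMPLE_EML = """\
From: Claims Team <claims@partner-insurance.example>
Reply-To: docs-review@secure-docs.example
To: staff@client.example
Subject: Shared document: Policy Renewal 2025.pdf
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the renewal document.</p>
<p><a href="https://partnertenant-my.sharepoint.com/:b:/g/personal/jsmith_partner-insurance_example/EaBcD?e=xyz">Open in SharePoint</a></p>
<p>Access code required. If the link fails, use
<a href="https://sharepoint-com.docs-view.example/login">https://partnertenant.sharepoint.com/sites/claims</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def tenant_matches(tenant, sender_domain):
    """Loose heuristic: does the tenant name resemble the sender's org label?"""
    t = re.sub(r"[^a-z0-9]", "", tenant.lower())
    org = re.sub(r"[^a-z0-9]", "", sender_domain.lower().split(".")[0])
    return bool(t) and bool(org) and (t in org or org in t)


def classify_link(href, text, sender_domain):
    """Return findings for one link; an empty list means nothing stood out."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()  # hostname drops 'user@' tricks
    # Visible text that looks like a URL must show the same host as the href.
    if text.lower().startswith(("http://", "https://")):
        shown = (urlparse(text).hostname or "").lower()
        if shown and shown != host:
            findings.append(f"DISPLAY_MISMATCH: text shows '{shown}' but link goes to '{host}'")
    if not host.endswith(GENUINE_SUFFIXES):
        if "sharepoint" in host or "sharepoint" in text.lower():
            findings.append(f"LOOKALIKE: '{host}' is not a Microsoft SharePoint host")
        return findings
    # Genuine Microsoft host: what remains is for the human reviewer.
    label = host.split(".")[0]
    onedrive = label.endswith("-my")
    tenant = label[:-3] if onedrive else label
    if onedrive and "/personal/" in parsed.path:
        findings.append(f"REVIEW: OneDrive personal share from tenant '{tenant}', not a team site")
    if not tenant_matches(tenant, sender_domain):
        findings.append(f"REVIEW: tenant '{tenant}' does not obviously match sender domain '{sender_domain}'")
    return findings


def triage(raw_eml):
    """Run header and link checks over a raw RFC 5322 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    findings = []
    if msg["Reply-To"]:
        rt_domain = parseaddr(str(msg["Reply-To"]))[1].rpartition("@")[2].lower()
        if rt_domain != sender_domain:
            findings.append(f"HEADER: Reply-To domain '{rt_domain}' differs from From domain '{sender_domain}'")
    body = msg.get_body(preferencelist=("html",))
    for href, text in extract_links(body.get_content() if body else ""):
        findings.extend(classify_link(href, text, sender_domain))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print(line)
```

Run it as-is and it prints five findings for the constructed sample: a Reply-To mismatch, a OneDrive personal share and an unfamiliar tenant on the genuine link, and a lookalike host plus display mismatch on the second link. The REVIEW findings are deliberately not verdicts: a partner's tenant name often differs from their email domain, and the link in the real incident was on a genuine Microsoft host, so the script's job ends where the "call the sender" step begins.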


Lessons Learned

This incident reinforces key cybersecurity truths:

  • Legitimate platforms like SharePoint can still be abused.

  • Security is as much about people as it is technology.

  • Password managers and app-specific credentials are invaluable safeguards.

  • Always trust—but verify. Even trusted brands can be misused.

Our client avoided significant trouble this time thanks to solid security practices and prompt communication. It’s a reminder that vigilance and layered security are your best defense.


If you’re concerned about phishing threats or want to ensure your business is protected, reach out to EJB Technology Support, LLC. We’re here to keep your organization safe in an evolving digital landscape.