
Security Awareness: Stay Vigilant with Shared Links


In recent weeks, our organization has seen a sharp increase in SharePoint and OneDrive shared links circulating among employees. These cloud file-sharing tools are excellent for collaboration, but their growing use has attracted the attention of cybercriminals. Attackers are leveraging the trust we place in Microsoft’s platforms – sending out convincing fake SharePoint/OneDrive link invitations – to trick people into visiting fraudulent sites and divulging their login credentials [2]. This newsletter article outlines the key risks associated with this trend and provides clear steps to protect yourself and the company.


Key Risks to Watch For:

  • Imitation SharePoint/OneDrive Pages: Attackers create spoofed SharePoint and OneDrive sites that are visually convincing. These fake login pages often appear indistinguishable from real Microsoft sign-in screens, tricking even vigilant users [3]. If you follow a shared link and it unexpectedly asks for your Microsoft 365 login or an “authentication code” out of the blue, stop and scrutinize the URL carefully.
  • Phishing Websites that Steal Credentials: The primary danger is credential theft. Upon clicking a malicious shared link, you might be prompted to log in or enter a 2FA code on a phishing site designed to capture your information. Everything you enter – your email, password, and even one-time MFA codes – can be collected in real time by the attackers [4]. Once stolen, your account could be accessed and used to steal data or send further phishing messages.
  • Links Sent via Trusted Channels: Beware of how these deceptive links arrive. Cybercriminals distribute malicious SharePoint/OneDrive links through common channels like email, Microsoft Teams chats, or even SMS. In many cases, they hijack an acquaintance’s or coworker’s account and send the phishing link from that legitimate account. A message that appears to come from a colleague, business partner, or a known service might be from an attacker [5]. This makes the phishing attempt much more convincing since it appears to originate from a trusted source.


How to Protect Yourself:

  1. Always Verify the Link Destination: Before clicking any SharePoint or OneDrive link, hover over it (or long-press on mobile) to check the URL [6]. Legitimate Microsoft cloud-sharing links will contain microsoft.com, sharepoint.com, or onedrive.com with our company’s domain name. Read the host name itself, the part between https:// and the first slash, and make sure it ends with one of those domains, because a lookalike address can carry the same names elsewhere in the URL. If the web address looks suspicious, misspelled, or unfamiliar, do NOT click. When in doubt, navigate to SharePoint or OneDrive via the official site or portal instead of the emailed link.
  2. Guard Your MFA/2FA Codes: Never enter authentication codes on a page that was reached via an email link. Microsoft will only ask for your 2FA/MFA code on official login.microsoftonline.com pages (or your Azure AD sign-in, which also uses a Microsoft.com URL). If a site reached from a shared link or email asks for an MFA code, it’s a red flag – close the tab immediately. Remember that attackers can clone the look of authentication prompts; don’t provide 2FA codes unless you are certain you’re on a legitimate Microsoft site.
  3. Be Wary of Extra Login Prompts: If you click a SharePoint/OneDrive file link and it unexpectedly asks you to log in again or provide an email and one-time code, exercise caution. Modern phishing schemes often use this trick – they share a file that forces you to re-authenticate, then present a malicious file or link after you sign in [7]. If you were already logged into Microsoft 365 and get a surprise login page, stop and verify the URL or contact IT.
  4. Look for Security Banners and Signs: Pay attention to the [External] email warning banners or unusual sender addresses in messages. An email from outside the organization often carries a banner or caution notice – this is a hint to be extra careful with any links or attachments inside. If a supposed internal file share message has an external warning, it’s likely fraudulent. Also watch for poor grammar, urgent language, or anything out of the ordinary in the message content.
  5. Report Suspicious Messages Immediately: If you suspect a phishing attempt – such as a strange SharePoint invitation or any message asking for credentials – report it to the IT/Security team right away. Use the “Report Phishing” button in Outlook if available, or forward the email to our security team. Quick reporting can help us neutralize threats and protect colleagues. Even if you clicked a link by accident, reporting it promptly means we can take steps to secure your account and the organization.
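
For the security team, the check described in step 1 can be automated; the following is an added example, not part of the original newsletter. It parses the host a browser would actually connect to and compares it with the domains the article names, instead of searching the URL text for them. The tenant name `contoso`, the `-my` OneDrive host pattern, and all sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains the article names as legitimate (steps 1 and 2); extend for your tenant.
TRUSTED_DOMAINS = ("microsoft.com", "sharepoint.com", "onedrive.com",
                   "microsoftonline.com")
TENANT = "contoso"  # hypothetical stand-in for "our company's domain name"


def link_host(url):
    """Host the browser would connect to, or None if not a usable https URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    return host.rstrip(".").lower()


def classify_link(url):
    """Return (verdict, reason); verdict is 'ok', 'review' or 'reject'."""
    host = link_host(url)
    if host is None:
        return "reject", "not an https URL with a host name"
    if not host.isascii() or "xn--" in host:
        return "reject", "internationalized host name, possible lookalike"
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            if domain == "sharepoint.com":
                tenant = host[:-len(".sharepoint.com")] if host != domain else ""
                if tenant not in (TENANT, TENANT + "-my"):
                    return "review", "SharePoint site of a different tenant"
            return "ok", "host ends in " + domain
    return "reject", "host is outside the trusted domains: " + host


if __name__ == "__main__":
    samples = [  # constructed sample links, not taken from any real campaign
        "https://contoso.sharepoint.com/:w:/s/team/plan.docx",
        "https://contoso-my.sharepoint.com/personal/user/report.xlsx",
        "https://othertenant.sharepoint.com/:b:/g/invoice.pdf",
        "https://sharepoint.com.files-portal.example/contoso/login",
        "https://login.microsoftonline.com@signin.example/common",
        "https://redirect.example/?next=https://contoso.sharepoint.com/",
    ]
    for url in samples:
        print(classify_link(url), url)
```

The last three samples all contain a trusted name somewhere in the URL text, yet their real host lies outside the trusted domains, which is why the comparison is made on the parsed host and anchored at its end.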


Stay Alert, Stay Safe:

In today’s collaborative work environment, shared links are a daily occurrence, so it’s critical to remain vigilant and discerning. Cybercriminals are constantly refining their tactics to exploit our trust in platforms like SharePoint and OneDrive. By staying informed of the latest phishing schemes and following the protective steps outlined above, you can significantly reduce risk to yourself and the company. Remember: Your login credentials and MFA codes are your digital identity – protect them as carefully as you would your house key or company ID. Never let your guard down when clicking links or entering information online. If something seems off, it probably is. When in doubt, don’t click – report it. Staying vigilant is a shared responsibility that keeps everyone secure [8].


Spiros Konstantinou

Operations Manager/CISO


[1] https://www.cyberproof.com/blog/deceptive-links-unmasking-sharepoint-phishing-attacks/
[2] https://cybernews.com/security/scammers-use-sharepoint-invitations-to-steal-microsoft-accounts/
[3] https://www.cyberproof.com/blog/deceptive-links-unmasking-sharepoint-phishing-attacks/
[4] https://cybernews.com/security/scammers-use-sharepoint-invitations-to-steal-microsoft-accounts/
[5] https://cybernews.com/security/scammers-use-sharepoint-invitations-to-steal-microsoft-accounts/
[6] https://www.foxnews.com/tech/new-scam-sends-fake-microsoft-365-login-pages
[7] https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
[8] https://cybernews.com/security/scammers-use-sharepoint-invitations-to-steal-microsoft-accounts/
