New SharePoint Phishing Attacks Utilize Deceptive Lick Methods

A new wave of phishing attacks is exploiting the trusted reputation of Microsoft SharePoint to bypass even advanced enterprise security measures, security analysts have warned.

These sophisticated campaigns leverage deceptive link (“lick”) techniques, using authentic-looking SharePoint URLs to distribute credential harvesting pages and malware while evading modern email filtering and Extended Detection and Response (XDR) systems.

Attackers Exploit Trust in Microsoft Ecosystem

The exploitation of SharePoint as a phishing platform marks a significant evolution in attacker tactics, techniques, and procedures (TTPs).

Traditional phishing frequently relied on obvious redirection to malicious login forms, but with improved detection capabilities across security stacks, threat actors have shifted to SharePoint-themed attacks. Here, attackers send emails with links appearing as genuine file shares.

When clicked, these links often launch a multi-phase attack flow designed to appear as legitimate SharePoint workflows, thus reducing user suspicion and increasing success rates.

Technical analysis reveals that these phishing operations can be highly targeted, using individualized URLs and validation phases to ensure that only intended recipients progress through each stage.

[Figure: URL redirection]

After clicking the initial SharePoint link, victims are often taken through an identity validation process, where they are prompted for their corporate email addresses, followed by an authentication step that sends a legitimate Microsoft validation code to the user’s mailbox.

By leveraging Microsoft’s own authentication mechanisms, attackers enhance the campaign’s credibility, making detection by both users and automated tools more difficult.

Once the attacker secures the validation code, users are redirected to a convincing fake Microsoft login page hosted via SharePoint’s infrastructure or lookalike domains.

According to the CyberProof report, this approach complicates detection even further, as the phishing pages are not static: the links often expire, are accessible to only specific users, and may intermingle with legitimate Microsoft traffic within network logs.

Validation Phases Amplify Spear-Phishing Effectiveness

Investigations by cybersecurity professionals have revealed that once an account is compromised, threat actors act swiftly.

Frequently observed tactics include the illicit addition of secondary multi-factor authentication (MFA) methods, the creation of malicious inbox rules, and the forwarding of sensitive content to external recipients.

[Figure: Sample emails sent by attackers]

In some incidents, attackers have used compromised SharePoint access to invite or create large numbers of external user accounts, exponentially increasing the organization’s risk exposure.

Detecting such compromises poses a significant challenge. Standard email and endpoint security solutions may not flag these SharePoint links as dangerous due to their apparent legitimacy and the use of Microsoft domains.

Security teams must therefore monitor for anomalous sign-in behavior following SharePoint link activations, examine host activity logs for evidence of redirections, and scrutinize proxy logs for access to lookalike and malicious domains such as ushackagea[.]ru, revishbos[.]ru, and others uncovered through recent investigations.
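The correlation described above can be sketched as follows. This is an added example, not code from the CyberProof report or the article: it chains a SharePoint or listed-domain request, a sign-in from a previously unseen IP, and one of the post-compromise actions named earlier. The event schema, field names, user names, the contoso tenant host and the one-hour window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Domains named in the article (defanged there); refanged here only for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("ushackagea[.]ru", "revishbos[.]ru")}
PERSISTENCE = {"mfa_method_added", "inbox_rule_created", "external_forward"}

def correlate(events, window=timedelta(hours=1)):
    """Flag users where a SharePoint or IoC-domain request is followed, within
    `window`, by a sign-in from a new IP and then by a persistence action."""
    known_ips, state, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, ts = ev["user"], ev["type"], ev["ts"]
        st = state.get(user)
        if kind == "proxy_request":
            host = ev["host"].lower().replace("[.]", ".")
            ioc = host in IOC_DOMAINS
            if not (ioc or host.endswith(".sharepoint.com")):
                continue
            # Keep the earliest click in the window so later browsing does not reset it.
            if st is None or ts - st["click"] > window:
                st = state[user] = {"click": ts, "signin": None, "ioc": set()}
            if ioc:
                st["ioc"].add(host)
        elif kind == "sign_in":
            seen = known_ips.setdefault(user, set())  # per-user IP baseline
            if st and ev["ip"] not in seen and ts - st["click"] <= window:
                st["signin"] = (ts, ev["ip"])
            seen.add(ev["ip"])
        elif kind in PERSISTENCE and st and st["signin"]:
            if ts - st["signin"][0] <= window:
                findings.append({"user": user, "new_ip": st["signin"][1],
                                 "action": kind, "ioc_hosts": sorted(st["ioc"])})
    return findings

def _t(minute):  # constructed timestamps on a single morning
    return datetime(2025, 1, 6, 9, 0) + timedelta(minutes=minute)

# Constructed sample events in a hypothetical normalised schema (not a vendor format).
SAMPLE = [
    {"ts": _t(0), "user": "alice", "type": "sign_in", "ip": "192.0.2.10"},
    {"ts": _t(5), "user": "alice", "type": "proxy_request", "host": "contoso.sharepoint.com"},
    {"ts": _t(7), "user": "alice", "type": "proxy_request", "host": "revishbos[.]ru"},
    {"ts": _t(12), "user": "alice", "type": "sign_in", "ip": "203.0.113.77"},
    {"ts": _t(15), "user": "alice", "type": "mfa_method_added"},
    {"ts": _t(0), "user": "bob", "type": "sign_in", "ip": "198.51.100.4"},
    {"ts": _t(3), "user": "bob", "type": "proxy_request", "host": "contoso.sharepoint.com"},
    {"ts": _t(6), "user": "bob", "type": "sign_in", "ip": "198.51.100.4"},
    {"ts": _t(9), "user": "bob", "type": "inbox_rule_created"},
]
```

On the sample, only alice is flagged; bob's inbox rule follows a sign-in from an IP already in his baseline, so it is not reported. A user with no sign-in history before the click has an empty baseline, so their first sign-in counts as new.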

Remediation requires a multi-faceted response. Affected accounts should have their passwords reset immediately, suspicious MFA methods removed, and malicious inbox rules and emails purged.

Network administrators should also block the initial SharePoint URLs and any discovered malicious domains.

Crucially, organizations must prioritize user education, as informed employees remain the best last line of defense against these increasingly convincing phishing tactics.

SharePoint’s prominence within the corporate environment and its trusted status present attackers with a valuable vector to bypass security controls and exploit end-user trust.

As these deceptive link methods, sometimes referred to as “lick techniques”, continue to evolve, security teams must remain vigilant, adapt detection strategies, and ensure robust incident response to mitigate the risks posed by these advanced spear-phishing campaigns.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.