Sophisticated SharePoint phishing scams bypass security filters to steal credentials

The criminals let Microsoft's own infrastructure do the heavy lifting
Attackers exploit legitimate SharePoint notifications to bypass email security filters and deliver phishing attacks.

Across eleven countries and thousands of inboxes, a quiet deception unfolded between late 2022 and early 2023 — one that required no malware, no suspicious attachments, only the borrowed credibility of tools we already trust. Cybercriminals discovered that Microsoft's own SharePoint infrastructure could serve as the perfect disguise, delivering legitimate-looking notifications that carried a hidden second layer designed to harvest credentials. Kaspersky researchers documented over 1,600 such incidents, a reminder that the most sophisticated threats often exploit not technical vulnerabilities, but the human habit of trusting the familiar.

  • More than 1,600 malicious SharePoint notifications slipped past corporate email defenses undetected across eleven countries in just three months.
  • The attack's power lies in its invisibility — the first email is genuinely from Microsoft, giving automated security systems nothing to flag.
  • A hidden second layer inside a shared OneNote file delivers the real trap: a convincing Microsoft login page designed to steal credentials from multiple account types.
  • Businesses in the US, Europe, and Asia-Pacific are all in the crosshairs, exploiting the universal trust employees place in everyday collaboration tools.
  • Security experts warn that traditional email filters are structurally blind to this method, shifting the burden of defense onto human awareness and behavioral training.

The email looks completely routine — a SharePoint file-sharing notification from Microsoft, the kind that arrives in corporate inboxes every day. It carries no suspicious links, no garbled text, and passes through security filters without triggering a single alarm. But inside is a second notification pointing to a shared file. One click leads to a convincing Microsoft login page. Credentials entered. Account compromised.

This is the attack Kaspersky researchers documented in early 2023, detecting more than 1,600 malicious notifications between December 2022 and February 2023. Targets spanned eleven countries across the US, Europe, and Asia-Pacific. The scheme's sophistication lies not in technical complexity, but in weaponizing authenticity — the opening email is genuinely sent through Microsoft's own SharePoint infrastructure, giving automated defenses nothing to catch.

The payload arrives in a second layer: a OneNote file containing a link to a phishing page mimicking Microsoft's login interface, offering sign-in options across Yahoo, AOL, Outlook, and Office 365 to maximize credential capture. Warning signs exist — a missing sender name, an empty message body, a web address that bears no resemblance to Microsoft's servers — but they are easy to overlook when the surrounding context feels legitimate.

Kaspersky's broader conclusion is sobering: when criminals route attacks through trusted infrastructure, technical filters alone cannot protect organizations. Regular employee training, careful link verification, and a cultivated culture of skepticism remain the most reliable defenses against schemes that turn familiarity itself into a vulnerability.

The email arrives in your inbox looking entirely normal. It's a SharePoint notification from Microsoft, the kind your company gets all the time when someone shares a file. No suspicious links. No garbled text. No red flags. It passes through your email security filters without a whisper of concern. You open it.

Inside is another notification—this time about a shared file, maybe a PDF. You click the icon. A login page appears, asking you to verify your Microsoft account. You enter your credentials. Within seconds, a criminal halfway around the world has your username and password.

This is the attack Kaspersky researchers documented in a report released in early 2023. Between December 2022 and February 2023, the security firm detected more than 1,600 malicious notifications following this exact pattern. The targets were businesses across eleven countries: Austria, France, India, Italy, Japan, the Netherlands, Russia, Singapore, South Korea, Spain, and the United States. The sophistication of the scheme lies not in technical wizardry but in exploiting the trust we place in legitimate tools.

The attack works because it weaponizes authenticity. The initial email is real—it comes from actual Microsoft SharePoint infrastructure, carrying all the hallmarks of a genuine file-sharing notification. Because the first message is legitimate, it sails past security filters designed to catch phishing attempts. There is no malicious link in the opening email, no reason for automated systems to flag it as dangerous. This is the genius of the scheme: the criminals let Microsoft's own infrastructure do the heavy lifting of bypassing your company's defenses.

The payload arrives in the second layer. The shared OneNote file contains another notification, this one pointing to a file like a PDF. When a user clicks, they're directed to a phishing page designed to mimic Microsoft's login interface. The page offers multiple sign-in options—Yahoo, AOL, Outlook, Office 365—casting a wide net to capture credentials across different account types. Kaspersky flagged all of these as particularly vulnerable targets for credential theft.

There are warning signs, though they require attention to spot. The initial email often lacks a colleague's name or email address in the sender field. The message body is frequently empty or generic, which is unusual for legitimate file-sharing notifications. When you examine the phishing link's web address, it bears no resemblance to Microsoft or your company's actual servers. These details are easy to miss when you're busy, when you trust the system, when the email looks legitimate.

What makes this attack particularly dangerous is how it exposes the limits of traditional security infrastructure. Email filters are designed to catch malicious links and suspicious attachments. They excel at stopping crude phishing attempts. But when criminals use real Microsoft infrastructure to deliver the initial message, those filters have nothing to catch. The malicious content arrives in a secondary step, after the user has already lowered their guard.

Kaspersky's spam analysis experts recommend scrutinizing unexpected file-sharing notifications, particularly those lacking personalization or context. Check the sender's email address carefully. Hover over links before clicking to verify they actually lead to Microsoft or your company's legitimate servers. But the firm's broader conclusion is sobering: sophisticated attacks like these require more than technical defenses. Regular security training, credential verification protocols, and a culture of skepticism remain among the most reliable weapons against schemes that exploit human trust in familiar systems.
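As an added example (not code from the article or from Kaspersky), the Python script below applies the warning signs listed above to raw email text: a sender field with no display name, an empty or near-empty message body, and links whose hosts are neither Microsoft's nor the company's own. The trusted-domain list, the placeholder company domain `example-corp.com`, and both sample messages are constructed assumptions; a real deployment would feed it messages from the mail gateway and tune the thresholds.

```python
"""Heuristic triage of SharePoint-style file-sharing notifications.

Added example, not from the article or Kaspersky. Scores one raw RFC 822
message on the three warning signs the article describes:
  1. the From field has no display name,
  2. the body is empty or near-empty once tags and URLs are removed,
  3. links point to hosts outside Microsoft's or the company's domains.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts a genuine notification may legitimately link to.
# example-corp.com is a placeholder for the company's own domain.
TRUSTED_SUFFIXES = (
    "sharepoint.com", "onedrive.com", "microsoft.com",
    "microsoftonline.com", "live.com", "office.com",
    "example-corp.com",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _host_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def _body_text(msg) -> str:
    """Concatenate all text/plain and text/html parts of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def triage(raw: str) -> dict:
    """Return the sender address, the findings, and a verdict.

    Two or more findings mark the message as suspicious: a bare sender and
    an empty body is exactly the pattern the article describes, even when
    the message really did come through Microsoft's infrastructure.
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    body = _body_text(msg)
    links = URL_RE.findall(body)
    # Strip tags and URLs so an HTML-only notice with no real text counts as empty.
    visible = URL_RE.sub(" ", re.sub(r"<[^>]+>", " ", body))
    untrusted = sorted({urlparse(u).hostname or "" for u in links
                        if not _host_trusted(urlparse(u).hostname or "")})

    findings = []
    if not name.strip():
        findings.append("sender has no display name")
    if len(visible.split()) < 5:
        findings.append("message body empty or near-empty")
    if untrusted:
        findings.append("link host(s) outside trusted domains: " + ", ".join(untrusted))
    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real captures).
BENIGN = """\
From: Alice Example <no-reply@sharepoint.com>
Subject: Alice Example shared "Q3 budget.xlsx" with you
Content-Type: text/plain

Alice Example shared a file with you. Here's the budget we discussed yesterday.
Open: https://example-corp.sharepoint.com/:x:/s/Finance/Q3-budget
"""

SUSPECT = """\
From: <no-reply@sharepoint.com>
Subject: Shared document
Content-Type: text/html

<html><body><a href="https://login-verify.example.net/microsoft/signin">Open</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(sample))
```

The verdict deliberately ignores where the message was sent from: the article's point is that the first hop really is Microsoft's infrastructure, so a sender-reputation check alone passes it. What remains observable is the absence of the personalization a real share carries, and the destination of the link the second layer eventually presents.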

Legitimate emails of shared files are received by companies using Microsoft 365's online collaboration tools, with no dubious link in sight, helping emails to bypass the security filters
— Kaspersky security research
The Hearth Conversation: Another perspective on the story
Inventor

Why does the first email pass through security filters if it's malicious?

Model

Because it isn't malicious—not yet. The initial email is genuinely from Microsoft SharePoint. The criminals use real infrastructure to bypass the filters, then hide the actual phishing attempt inside a secondary notification.

Inventor

So the user has to click twice before they're in danger?

Model

Exactly. The first click is safe. The second click is where the trap springs. By then, the user has already accepted the premise that this is a legitimate file-sharing chain.

Inventor

Why target SharePoint specifically?

Model

Because it's ubiquitous in corporate environments. Everyone expects SharePoint notifications. They're part of the normal rhythm of work. That familiarity is the vulnerability.

Inventor

Can a company just block all SharePoint notifications?

Model

Not without crippling collaboration. That's the real problem. The attack exploits something essential to how modern businesses operate. You can't simply turn it off.

Inventor

What happens after someone enters their credentials?

Model

The attacker has access to their Microsoft account, and through it, potentially to company data, email, and any other systems tied to that identity. One compromised account can become a foothold into the entire organization.

Inventor

Is training enough to stop this?

Model

It helps, but it's not a complete solution. Even tech-savvy workers can be fooled by something that looks this legitimate. Training needs to be paired with technical controls and a willingness to verify before trusting.

Want the full article? Read the original on TechRadar ↗