Copyright © 2025 Apollo Cybersecurity

In recent weeks, a new phishing campaign has put organizations around the world on alert. More than 40,000 fraudulent emails have been sent with a surprisingly legitimate appearance, imitating notifications from file sharing and electronic signature services such as SharePoint and DocuSign.
What makes this campaign unique is not only the scale—emails addressed to more than 6,000 companies were detected in just two weeks—but the technique used to disguise malicious links behind trusted domains and services, which has allowed many of these messages to bypass security filters and reach directly into the inboxes of workers and executives.
The attackers used a sophisticated trick to make the emails look legitimate. Instead of including direct links to fraudulent pages, they channeled the URLs through secure redirection services (such as Mimecast's link rewriting function) so that the links appear trustworthy and go unnoticed by both filters and users.
The emails are designed with visual elements and text that mimic the real notifications of platforms that companies use daily: headers, logos and buttons, such as “Review Document”, that look identical to the original ones. As a result, many workers, even experienced ones, can fall into the trap, thinking that this is a legitimate notification related to important documents or contracts.
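The mismatch described above (a message that presents itself as DocuSign or SharePoint while its button points at a link-rewriting host) can be checked mechanically. The following triage sketch is an added example, not code from Apollo Cybersecurity or from any vendor; the domain lists, function names and sample messages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for illustration; maintain your own from vendor documentation.
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net"),
                 "sharepoint": ("sharepoint.com",)}
REWRITER_DOMAINS = ("mimecast.com", "mimecastprotect.com")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(sender_name, subject, html):
    """Return (brand, link text, host, kind) for links that do not match the claimed brand."""
    collector = LinkCollector()
    collector.feed(html)
    claimed = [b for b in BRAND_DOMAINS if b in f"{sender_name} {subject}".lower()]
    findings = []
    for href, label in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        for brand in claimed:
            if host_in(host, BRAND_DOMAINS[brand]):
                continue
            # wrapped = trusted rewriter host; destination unknown until resolved in a sandbox.
            kind = "wrapped" if host_in(host, REWRITER_DOMAINS) else "off-brand"
            findings.append((brand, label, host, kind))
    return findings

# Constructed sample messages (not taken from the campaign).
PHISH = '<a href="https://protect-us.mimecast.com/s/CONSTRUCTED-TOKEN">Review Document</a>'
LEGIT = '<a href="https://na3.docusign.net/constructed-path">Review Document</a>'
if __name__ == "__main__":
    print(triage("DocuSign", "Please review: Contract.pdf", PHISH))
    print(triage("DocuSign", "Please review: Contract.pdf", LEGIT))
```

Legitimate mail that passes through a rewriting gateway is also reported as "wrapped", so treat that result as a cue to resolve and inspect the final destination, not as a verdict.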
The campaign has affected organizations from multiple sectors and regions. Among those most affected are companies in consulting, technology, real estate and construction, although emails have also been reported in sectors such as health, finance, manufacturing, education and public administration.
Although the emails may appear to be authentic, there are several elements that should alert you:
This campaign demonstrates that attackers are increasingly able to use trusted infrastructures as a cover. Using legitimate services to disguise malicious links not only makes it more difficult to identify phishing, but it also highlights the importance of advanced filtering capabilities, real-time link analysis, and ongoing user education to recognize suspicious patterns before interacting with them.
Phishing campaigns that impersonate known services can easily go unnoticed when relying solely on basic email filters. At Apolo Cybersecurity, we help you to strengthen your protection comprehensively: we evaluate and strengthen your email defenses with advanced technologies, we implement threat detection and link verification systems, and we train your teams to identify and prevent increasingly sophisticated attacks.
Check your security audit today and get ahead of the next phishing campaign before it impacts your organization.