(TLP:CLEAR) Threat Awareness – Recent Phishing Campaign Mimics SharePoint and DocuSign

TLP:CLEAR

Author: Alec Davison

Created: Thursday, December 11, 2025 - 14:56

Categories: Cybersecurity, Security Preparedness

Summary: Check Point researchers uncovered a widespread phishing campaign that sent over 40,000 emails disguised as notifications from SharePoint and e-signing services like DocuSign. The campaign targeted approximately 6,100 customers across the U.S., Europe, Canada, APAC, and the Middle East, with a heavy focus on the consulting, technology, and real estate sectors. The attackers abused Mimecast’s URL rewriting feature to mask malicious links behind trusted redirects. Other textbook tactics included impersonating legitimate branding, spoofing sender names, using urgent document review prompts, and leveraging finance-related lures, all intended to make the messages appear legitimate, evade initial filters, and trick users into clicking.

Analyst Note: URL rewriting is commonly used by email security platforms to scan and rewrite links in emails to ensure they are safe before the recipient clicks on them. While this technique is effective in blocking many malicious URLs, threat actors are continually evolving their tactics to exploit these defenses. One such method involves abusing the legitimate URL rewriting process to bypass detection and deliver malicious content to unsuspecting users. Additionally, the use of impersonation, namely of Microsoft, and finance-related lures exacerbates the problem.

The importance of regular security awareness in defending against impersonation scams and the exploitation of security solutions cannot be overstated. Threat actors continue impersonating Microsoft and other well-known brands with finance-themed lures because the approach still succeeds. Given utilities’ interactions with consulting and technology providers, it is practical to consider regular cybersecurity refreshers and reminders on the constant use of finance-themed lures, the impersonation of widely used products and platforms, and the exploitation of security controls in phishing campaigns.

Original Source: https://blog.checkpoint.com/email-security/40000-phishing-emails-disguised-as-sharepoint-and-and-e-signing-services-a-new-wave-of-finance-themed-scams/

Additional Reading:

  • Bypassing Legacy SEGs: How Attackers Exploit URL Rewriting to Hack M365 Accounts
  • The Hidden Risks of URL Rewriting and the Superior Alternative for Email Security

Related WaterISAC PIRs: 6, 6.1, 10, 11, 12
