A major phishing campaign is exploiting a trusted security feature to deliver thousands of fake SharePoint and e-signature notifications that appear authentic.
New research from Check Point reveals that attackers sent over 40,000 phishing emails in just two weeks, targeting more than 6,000 customers worldwide. The campaign succeeded by abusing Mimecast’s secure-link rewriting feature as a smokescreen to make its links appear safe and authenticated. Because the rewritten links route through the trusted Mimecast Protect domain, this technique helps malicious URLs bypass both automated filters and user suspicion.
Once the links were wrapped in a trusted domain, attackers paired them with convincingly designed email templates. Messages copied Microsoft and Office logos, mimicked SharePoint layouts, and used spoofed display names. These included “X via SharePoint (Online),” “eSignDoc via Y,” and “SharePoint,” closely matching authentic notification patterns. To an employee accustomed to daily document notifications, the phishing attempts looked routine.
Check Point also reported a smaller but stealthier DocuSign-themed variant. In this operation, attackers hid the final phishing page behind several layers of legitimate redirect services. These services included Bitdefender GravityZone and Intercom’s click-tracking platform. Unlike the other campaigns, this method fully obscured the destination URL, making detection even more difficult for both users and filters.
Industries that regularly exchange contracts and invoices were hit hardest. These included consulting, technology, and real estate, with additional victims across healthcare, finance, manufacturing, and government. The majority of targeted emails landed in US inboxes (34,000), followed by Europe (4,500) and Canada (750).
In its response, Mimecast emphasized that attackers did not exploit a vulnerability in its systems. Instead, they leveraged a legitimate redirect flow. This tactic is increasingly common in recent phishing operations.
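For defenders, the display-name lures and wrapped links described above can be checked together at triage time. The following is an added example, not code from Check Point or Mimecast; the sender-domain allowlist and the wrapper hosts (`rewrite.example`, `track.example`) are assumptions to replace with values from your own mail flow.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Display-name lures quoted in the article, generalized to patterns.
LURE_PATTERNS = [
    re.compile(r"\bvia SharePoint\b", re.I),   # "X via SharePoint (Online)"
    re.compile(r"^eSignDoc via\b", re.I),      # "eSignDoc via Y"
    re.compile(r"^SharePoint$", re.I),         # bare "SharePoint"
]
# Assumption: sender domains this organization accepts for such notifications.
BRAND_SENDER_DOMAINS = {"sharepointonline.com", "docusign.net"}
# Assumption: placeholder hosts standing in for link-rewriting and
# click-tracking services; fill in the ones seen in your own mail flow.
WRAPPER_HOSTS = {"rewrite.example", "track.example"}


def host_in(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(from_header, links):
    """Return a list of findings for one message (empty list = nothing flagged)."""
    name, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2]
    findings = []
    # The display name is attacker-controlled; only the address domain counts.
    if any(p.search(name.strip()) for p in LURE_PATTERNS) and not host_in(
        sender_domain, BRAND_SENDER_DOMAINS
    ):
        findings.append("brand display name, unrelated sender domain")
    for url in links:
        host = urlsplit(url).hostname or ""
        # A trusted wrapper host says nothing about where the link ends up.
        if host_in(host, WRAPPER_HOSTS):
            findings.append(f"destination hidden behind {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample message, not taken from the campaign.
    sample_from = '"X via SharePoint (Online)" <notify@mail.example>'
    sample_links = ["https://rewrite.example/s/abc123"]
    for finding in triage(sample_from, sample_links):
        print(finding)
```

A wrapped link is reported as an unknown destination rather than a safe one, so the verdict rests on the sender mismatch and on resolving the link in a sandbox.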

