A new phishing campaign that is hiding malicious URLs in SharePoint Files is targeting Office 365 users. Researchers have coined the tactic “PhishPoint” and some businesses claim 10% of Office 365 users may have been impacted by the scam globally.

“PhishPoint” is a unique attack because it bypasses the built-in security protections of Office 365 by inserting malicious links into SharePoint documents.

While the body of the email message looks identical to a standard SharePoint invitation from someone looking to collaborate, the content of the file impersonates a standard access request to a OneDrive file and an ‘Access Document’ button on the file is hyperlinked to a malicious URL.

The malicious link then redirects the victim to a spoofed Office 365 login screen and asks the user to enter his/her login credentials, which is then stolen by hackers.

Here are steps to protect yourself from PhishPoint:


  1. Be skeptical of URLs present in an email body or any subject lines that contain “urgent” or “action required,” or other buzzwords related to workplace stress.


  1. When presented a login page, always check to see whether the URL is hosted by the legitimate service provider.


  1. For unexpected emails from peers or superiors, contact the individual and verify that they actually send the message.


  1. Use multi-factor authentication (MFA), to secure user accounts across multiple software platforms.


Though it’s difficult to know for certain, here are ways to determine whether you’ve been hacked. Keep in mind that cybersecurity threats can be very subtle. When in doubt, contact your IT department to report anything suspicious.