40,000 Phishing Emails Disguised as SharePoint and e-Signing Services: A New Wave of Finance-Themed Scams

 


The hyperconnected world has made it easier than ever for businesses and consumers to exchange documents, approve transactions, and complete critical financial workflows with just a click. Digital file-sharing and electronic signature platforms, used widely across banking, real estate, insurance, and everyday business operations, have become essential to how modern organizations move at speed. But that same convenience creates an opening for cyber criminals.

Email security researchers at Check Point have recently uncovered a phishing campaign where attackers impersonate file-sharing and e-signature services to deliver finance-themed lures that look like legitimate notifications.

In this incident, attackers sent over 40,000 phishing emails targeting roughly 6,100 customers over the past two weeks. All malicious links were funneled through https://url.za.m.mimecastprotect.com, increasing trust by mimicking familiar redirect flows.

How the campaign works

The attackers abused Mimecast’s secure-link rewriting feature, using it as a smokescreen to make their links appear safe and authenticated. Because Mimecast Protect is a trusted domain, this technique helps malicious URLs bypass both automated filters and user suspicion.

To boost credibility, the emails copied official service visuals (Microsoft and Office product logos), used service-style headers, footers, and “review Document” buttons, and spoofed display names such as “X via SharePoint (Online)”, “eSignDoc via Y”, and “SharePoint”, closely matching authentic notification patterns.

Related Variant: DocuSign-Style Phishing Using a Different Redirect Method

Alongside the large SharePoint/e-signing campaign, researchers also identified a smaller but related operation that imitates DocuSign notifications. Like the primary attack, it impersonates a trusted SaaS platform and leverages legitimate redirect infrastructure, but the technique used to mask the malicious destination differs significantly.

In the main campaign, the secondary redirect acts as an open redirect, leaving the final phishing URL visible in the query string despite being wrapped in trusted services. In the DocuSign-themed variant, the link moves through a Bitdefender GravityZone URL and then Intercom’s click-tracking service, with the true landing page fully hidden behind a tokenized redirect. This approach conceals the final URL entirely, making the DocuSign variant even more stealthy and harder to detect.
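
The difference between the two variants can be checked statically on a link before anyone clicks it. The following is an added example, not code from Check Point or Mimecast: it walks nested redirect wrappers offline and reports whether the final destination is visible in the query string or hidden behind a token. The hosts, paths, and parameter names in the samples are constructed placeholders.

```python
from urllib.parse import parse_qsl, quote, unquote, urlsplit

MAX_HOPS = 5  # bound the walk so pathological nesting cannot loop forever

def embedded_url(url):
    """Return the first http(s) URL carried in a query-string value, else None."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value  # parse_qsl has already percent-decoded once
        for _ in range(3):  # tolerate values that were encoded more than once
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded
    return None

def unwrap(url):
    """Walk nested redirect wrappers offline; no network request is made."""
    hops, current = [urlsplit(url).hostname], url
    for _ in range(MAX_HOPS):
        inner = embedded_url(current)
        if inner is None:
            break
        current = inner
        hops.append(urlsplit(current).hostname)
    visible = len(hops) > 1
    return {
        "hops": hops,
        "final": current,
        "visible": visible,
        # Opaque links cannot be judged statically; resolve them in a sandbox.
        "action": "check final host" if visible else "detonate at click time",
    }

# Constructed samples (hypothetical hosts and parameter names, .example TLD).
FINAL = "https://landing.example/review"
SECOND = "https://redirector.example/r?to=" + quote(FINAL, safe="")
VISIBLE_SAMPLE = "https://wrapper.example/s?url=" + quote(SECOND, safe="")
OPAQUE_SAMPLE = "https://tracker.example/c/3f9a1c7e"

if __name__ == "__main__":
    for sample in (VISIBLE_SAMPLE, OPAQUE_SAMPLE):
        print(unwrap(sample))
```

A link whose first hop is a trusted wrapper but whose last visible hop is an unrelated host deserves scrutiny of that last host, not the first.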

Campaign Scale and Patterns

The campaign primarily targeted organizations across the U.S., Europe, Canada, APAC, and the Middle East, focusing heavily on consulting, technology, and construction/real estate sectors, with additional victims spanning healthcare, finance, manufacturing, media and marketing, transportation and logistics, energy, education, retail, hospitality and travel, and government. These sectors are attractive targets because they routinely exchange contracts, invoices, and other transactional documents, making file-sharing and e-signature impersonation lures highly convincing and more likely to succeed.

Data from Check Point’s Harmony Email telemetry shows over 40,000 phishing emails targeting roughly 6,100 customers over the past two weeks. The campaign primarily targeted organizations across the U.S., Europe, Canada, APAC, and the Middle East. By region, the breakdown is as follows:

  • USA: 34,057
  • Europe: 4,525
  • Canada: 767
  • Asia: 346
  • Australia: 267
  • Middle East: 256

Note: Regional distribution reflects where customer data is hosted within our infrastructure and does not necessarily represent customers’ physical locations.

By industry, most affected customers operate in Consulting, Technology, and Construction/Real Estate, with additional representation across Healthcare, Finance, Manufacturing, Media/Marketing, Transportation/Logistics, Energy, Education, Retail, Hospitality/Travel, and Government. These sectors are likely targeted because they frequently exchange contracts, invoices, and other financial documents, making file-sharing and e-signature lures especially convincing.

Why It Matters

We have written about similar phishing campaigns in previous years. What makes this attack unique is that it shows how easily attackers can imitate trusted file-sharing services to trick users, and it highlights the need for continued awareness, especially when emails include clickable links, suspicious sender details, or unusual email body content.

What organizations should do

Organizations and individuals must also take proactive steps to reduce their risk. A few ways to stay protected include:

  1. Always approach links embedded in emails with caution, especially when they appear unexpected or urgent.
  2. Pay close attention to email details such as mismatches between the display name and the actual sender address, inconsistencies in formatting, unusual font sizes, low-quality logos or images, and anything that feels out of place.
  3. Hover over links before clicking to inspect the real destination and ensure it matches the service that supposedly sent the message.
  4. Open the service yourself in the browser and search for the document directly, rather than using links provided in emails.
  5. Educate employees and teams regularly about emerging phishing techniques so they understand what suspicious patterns look like.
  6. Use security solutions such as email threat detection, anti-phishing engines, URL filtering, and user reporting tools to strengthen overall protection.
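
The display-name check in item 2 can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article or any vendor: it flags From headers whose display name claims a brand while the sender address belongs to a domain not accepted for that brand. The `BRAND_DOMAINS` entries and sample headers are illustrative assumptions; build the allowlist from legitimate mail observed in your own environment.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: brand keyword -> sender domains accepted for that brand's
# notifications. Illustrative entries; build yours from observed legitimate mail.
BRAND_DOMAINS = {
    "sharepoint": {"sharepointonline.com"},
    "docusign": {"docusign.net"},
}

def domain_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from(header_value):
    """Flag a From header whose display name claims a brand the address lacks."""
    decoded = str(make_header(decode_header(header_value)))  # RFC 2047 words
    display, address = parseaddr(decoded)
    domain = address.rpartition("@")[2].lower()
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    mismatch = any(not domain_allowed(domain, BRAND_DOMAINS[b]) for b in claimed)
    return {"display": display, "domain": domain,
            "claimed": claimed, "mismatch": mismatch}

# Constructed sample headers (hypothetical senders).
SAMPLES = [
    '"X via SharePoint (Online)" <billing@mailer.example>',
    '"SharePoint" <no-reply@sharepointonline.com>',
    '=?utf-8?B?U2hhcmVQb2ludA==?= <docs@files.example>',
    '"Alice Example" <alice@partner.example>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_from(sample))
```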

Statement from Mimecast:

The attacker campaign described by Check Point exploited legitimate URL redirect services to obfuscate malicious links, not a Mimecast vulnerability. Attackers abused trusted infrastructure – including Mimecast’s URL rewriting service – to mask the true destination of phishing URLs. This is a common tactic where criminals leverage any recognized domain to evade detection.

Mimecast customers are not susceptible to this type of attack. Mimecast’s detection engines identify and block these attacks. Our URL scanning capabilities automatically detect and block malicious URLs before delivery. After delivery, our URL rewriting service inspects links on click, providing an additional layer that catches threats even when they’re hidden behind legitimate redirect chains.

Reference: https://blog.checkpoint.com/
