A major phishing campaign is exploiting a trusted security feature to deliver thousands of fake SharePoint and e-sig notifications that appear authentic.
According to new research from Check Point, attackers sent more than 40,000 phishing emails in just two weeks, targeting over 6,000 customers worldwide.
The campaign’s success hinged on a simple but effective trick: abusing Mimecast’s secure-link rewriting feature.
Check Point explains that “attackers abused Mimecast’s secure-link rewriting feature as a smokescreen to make their links appear safe and authenticated.”
Because the rewritten links route through the trusted Mimecast Protect domain, “this technique helps malicious URLs bypass both automated filters and user suspicion,” researchers said.
Once wrapped in a trusted domain, attackers paired the fake links with convincingly designed email templates. Messages copied Microsoft and Office logos, mimicked SharePoint layouts, and used spoofed display names.
These included: “X via SharePoint (Online),” “eSignDoc via Y,” and “SharePoint,” closely matching authentic notification patterns.
To an employee accustomed to daily document notifications, the phishing attempts looked routine.
“Smaller but stealthier” DocuSign scam
Check Point also covered a smaller but stealthier DocuSign-themed variant. In this operation, attackers hid the final phishing page behind several layers of legitimate redirect services, including Bitdefender GravityZone and Intercom’s click tracking platform.
Unlike the other campaigns, this method fully obscured the destination URL, making it even more difficult for both users and filters to detect.
Who’s at risk from fake e-sign phishing?
Industries that regularly exchange contracts and invoices – including consulting, technology, and real estate – were hit hardest, with additional victims across healthcare, finance, manufacturing, and government.
The majority of targeted emails landed in US inboxes (34,000), followed by Europe (4,500) and Canada (750).
In its response, Mimecast emphasized that attackers did not exploit a vulnerability in its systems but missed a legitimate redirect flow, a tactic increasingly common in recent phishing operations.
“The attacker campaign described by Check Point exploited legitimate URL redirect services to obfuscate malicious links, not a Mimecast vulnerability. Attackers abused trusted infrastructure – including Mimecast’s URL rewriting service – to mask the true destination of phishing URLs. This is a common tactic where criminals leverage any recognized domain to evade detection.”
Mimecast
Check Point said that organizations can reduce exposure to campaigns like this by encouraging closer scrutiny of sender details, sharing awareness of spoof document sharing notifications, and promoting safer practices such as verifying documents directly within SharePoint or DocuSign rather than relying on embedded email links.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked