MailGuard 03 September 2021 11:51:26 AEST

Check Twice: Microsoft SharePoint Mimicked in 'Board Approved Payroll' Email Scam

The latest phishing attack intercepted by MailGuard begins with a scam email purporting to come via the popular collaboration tool SharePoint. As workforces become more remote, it is common for employees to send confidential business documents to one another, and with over 200 million users of Microsoft SharePoint, there is a high likelihood that unsuspecting victims will fall for the scam.

Titled ‘Your File via SharePoint kindly confirm your notice’, the email masquerades as an ‘August salary payment approval list by the Board of Directors’ and encourages the user to review an attached document. It arrives with a display name of 'SharePoint' and a sender display name of 'sharepoint(at)post' that is unique for each recipient, and is sent from a compromised SendGrid account. As well as using Microsoft and SharePoint branding, the email includes the name of the target business to feign authenticity.

Here’s what the email looks like:


If a victim clicks on the ‘Open Contract Here’ button, they are taken to the phishing page below, which requests the user's email and password before proceeding to download the attached document, which appears to be in Microsoft Word format. A password is requested twice from the victim before they are redirected to their legitimate business domain.


Scammers purposefully use the tactics present in this phishing scam, such as copying the logos of Microsoft and SharePoint and including SharePoint in the URL, to increase their chances of harvesting credentials that can be used to access sensitive information for further criminal activity.

In such cases, users are reminded of the importance of not downloading documents or clicking links from unknown senders, regardless of the organisation they purport to be from. Attachments and links should only be accessed when users are certain about the credibility of the sender.

MailGuard urges all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity. 

MailGuard urges users not to click links or open attachments within emails that:    

  • Are not addressed to you by name.    
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.    
  • Are from businesses that you were not expecting to hear from, and/or    
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.    
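
Two traits of this scam can be checked mechanically: a 'SharePoint' display name on mail sent from a non-Microsoft domain, and a link that includes SharePoint in the URL but is hosted elsewhere. The Python below is an added example, not MailGuard's detection logic; the trusted-domain list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts treated as genuine Microsoft/SharePoint senders and links.
TRUSTED = ("sharepoint.com", "sharepointonline.com", "microsoft.com")
BRAND = re.compile(r"share\s*point", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample modelled on the description above (not the real message).
SAMPLE = """From: SharePoint <sharepoint@post.example.net>
To: staff@target.example
Subject: Your File via SharePoint kindly confirm your notice
Content-Type: text/html; charset=utf-8

<a href="https://files.example.org/sharepoint/login">Open Contract Here</a>
"""

def on_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def sharepoint_lure_findings(raw):
    """Return reasons a raw RFC 5322 message resembles the lure above."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    # Brand in the display name, but the mail was not sent from a trusted domain.
    if BRAND.search(display) and not on_trusted(domain):
        findings.append(f"display name {display!r} but sender domain is {domain}")
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if not p.is_multipart()]
    body = b"\n".join(parts).decode("utf-8", "replace")
    # Brand anywhere in a link whose host is not a trusted domain.
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if BRAND.search(url) and not on_trusted(host):
            findings.append(f"link mentions SharePoint but host is {host}")
    return findings

if __name__ == "__main__":
    for reason in sharepoint_lure_findings(SAMPLE):
        print("FLAG:", reason)
```
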

One email is all that it takes    

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.    

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes. 
