Akankasha Dewan 18 June 2021 12:28:20 AEST 4 MIN READ

Watch Out: Phishing email sent from compromised account claims to share a ‘secure’ document via Microsoft SharePoint

Launching phishing email scams via compromised accounts continues to be a popular technique among cybercriminals looking to deceive users. MailGuard has intercepted a new phishing email scam that originates from a compromised email account belonging to a user at Anglican Care, an aged care facility.

Titled ‘Anglican Care – Anglican Care DOC’, the email masquerades as a document alert, informing users that an attachment is being ‘securely transmitted’ via SharePoint, a popular web-based collaborative platform commonly used among businesses. The email contains a link, supposedly to a .PDF file, along with the file size.

Here’s what the email looks like:



Unsuspecting recipients who click on the button to review the file are led to an intermediary site asking them to click on another link, as per the below:


Users are then presented with multiple pages asking for their email addresses and passwords. These pages are designed to look like official login pages belonging to Microsoft, complete with support links purporting to be from the company. Here are screenshots of all these pages:



Interestingly, the URLs used in the domains of all these pages don’t belong neither to Microsoft nor to Anglican Care – a red flag pointing to their illegitimacy. Instead, the intermediary page is hosted on a third-party platform. The login pages containing Microsoft’s branding are actually phishing pages hosted on Microsoft’s Azure platform, most likely using a compromised account.

Once users enter and submit all required fields, cybercriminals behind this scam harvest those credentials for later use. Users are then met with a with an error saying that their attempted sign-in timed out, as per the below:


Scams like these have a high likelihood of successfully tricking users, especially in the current climate. With workforces becoming more remote in light of COVID-19, it is common for employees to email confidential business documents to one another. Therefore, notifications like the above aren't likely to raise any alarm bells when they appear in an inbox, motivating users to click on the provided links. without a second thought.

The use of well-known brand names, like Microsoft also serves to inspire false trust, boosting the email’s credibility. Our team frequently blocks phishing emails impersonating Microsoft, like this one intercepted recently. Cybercriminals often exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Their established brand help convince recipients that the file being shared via this email are secure.

In addition, scams that are initiated from compromised accounts like the one above are particularly dangerous, for a number of reasons:

  • The emails are sent from a legitimate account, so they are not likely to be blocked by email security services,
  • The recipients are more receptive to the emails, especially where the sender is known to them, and
  • Because they may deliver a malicious payload, or simply a .PDF file like in the above example, and may direct users to external phishing pages to harvest credentials.

In such cases, users are reminded of the importance of not accepting/clicking on documents from unknown senders, despite the organisation they purport to be from. All attachments/links should only be accessed when users are certain about the credibility of their owners.

Despite these techniques, recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly.

We encourage all users to exercise caution when opening messages like these, and to be extra vigilant against this kind of cyber-attack. If you are not expecting a file from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates