The Sneakiest Phishing Trick I’ve Seen Lately — And Why Your Email Security Won’t Save You
- Sep 9

Before I start!!!!
💡 Credit where it’s due:
This insight comes straight from J, one of the sharpest call investigators and my dearest friend!
He’s been running into this exact phishing method a lot lately in real investigations — because when the bad guys get creative, he’s usually the one who catches them.
J also happens to run one of the best MDR services I’ve seen — staffed with top-tier people, handling a serious volume of clients without breaking a sweat. And no, this isn’t a sales pitch — just the truth. But if you are looking for an MDR service that actually knows how to handle incident response and forensics like pros, let me know.
I’ll make sure you get connected to J directly… assuming he’s not too busy catching the next cybercriminal.
---------------------------------------------------------------------------------------------------------
Alright, let me tell you about something J is seeing every single day with his clients. These guys are constantly getting phished — and the attackers aren’t even using anything exotic. They’re just… smart.
Here’s the play-by-play.

Step 1 — The Hacker’s Head Start
The attacker doesn’t even need to create a fake Microsoft account. Nope. They just buy or steal a real one. Could be from the dark web, could be from an old breach, could be some poor guy’s account that got keylogged — doesn’t matter.
Why is this important?
Because that account is already trusted. It lives in a real Microsoft 365 tenant, so mail sent from it passes SPF, DKIM and DMARC, and the sending domain carries no bad reputation. Better still for the attacker: if they use SharePoint’s own Share button, the notification email is generated by Microsoft itself. Security tools look at it and go, “Yep, that’s fine.”
Step 2 — The “Perfectly Safe” Email
So now the attacker sends our victim an email that says:
"Hey, a document’s been shared with you on SharePoint."
That’s it. No misspellings. No sketchy links. Just a real sharepoint.com link.
Microsoft loves it.
Barracuda loves it.
Proofpoint loves it.
Why wouldn’t they? It’s literally a Microsoft domain.

Step 3 — Playing by Microsoft’s Rules
The victim clicks the link and lands on… the real SharePoint site.

Microsoft says,
“Hey, please type in your email so we can send you a one-time code.”
The victim does exactly that. They get the code. They put it in. Boom — document opens.
Everything so far is 100% legit. That one-time code is SharePoint’s guest verification for the shared file, not the victim’s MFA; nothing about the victim’s own account has been touched yet. It does, however, teach the victim that “Microsoft asks me for codes today.” Even the security guys monitoring the logs would shrug.


Step 4 — The Trap Inside the Doc
Now comes the actual payload. Inside that innocent-looking document is a link — but not just any link.
It’s to a real Adversary-in-the-Middle (AiTM) phishing site. Think of it like a sneaky mirror: a reverse proxy sitting in front of the real Microsoft login page. You see Microsoft’s login page, but every request you make is relayed to Microsoft in real time and every response is relayed back, with the attacker reading both directions.
And here’s the killer part — it doesn’t just grab your username and password. The victim completes the MFA prompt for real, Microsoft issues the authenticated session cookie, and the proxy captures it on the way back. The attacker loads that cookie into their own browser and is logged in as you, multi-factor authentication and all, without ever touching your phone again.


Why Security Tools Don’t Stand a Chance
The phishing link never appeared in the email. It was hiding inside a document on Microsoft’s own servers.
That means:
Microsoft Defender for Office 365? Nope — the mail-flow scan only saw a SharePoint link. (Safe Links can check a link inside an Office document at click time if you have it turned on for Office apps, but a freshly registered AiTM domain has no bad reputation yet, so it sails through.)
Barracuda / Proofpoint / Mimecast? Nope — nothing malicious in the email.
Sandboxing? Nope — the document doesn’t “run” anything bad, it just sits there with a clickable trap, and detonating the email’s SharePoint link only shows the sandbox a genuine Microsoft page.
By the time the victim clicks the malicious link, they are already inside a legitimate Microsoft flow and have been conditioned to expect one more login prompt.
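The trap in Step 4 is just a hyperlink inside an Office document, and in a .docx the target URL is not even stored in the visible document text: it lives in the package’s relationships part, which is why a naive “grep the document for http” misses it. The following is an added example, not code from the post or from any Microsoft product, showing how a scanner for shared files can pull every link out of a .docx (relationship-based hyperlinks, HYPERLINK field codes and bare URLs in text) and flag the ones that point outside an allow-list. The trusted-domain list, the sample document and the look-alike domain in it are all constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Domains treated as "ours" for this example (assumption; tune per tenant).
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoft.com", "office.com")

# OOXML namespaces. Clickable hyperlink targets live in word/_rels/document.xml.rels,
# referenced from <w:hyperlink r:id="..."> in document.xml, not in the document text.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_links(docx_bytes: bytes) -> list[str]:
    """Return every URL in a .docx: rel-based hyperlinks, HYPERLINK field codes and bare text URLs."""
    links: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        # 1. Clickable hyperlinks resolve through the relationships part.
        if "word/_rels/document.xml.rels" in names:
            rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in rels.iter(f"{REL_NS}Relationship"):
                if rel.get("Type") == HYPERLINK_REL and rel.get("Target"):
                    links.append(rel.get("Target"))
        # 2. Field-code hyperlinks (<w:instrText>) and URLs typed as plain text (<w:t>).
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            for tag in ("instrText", "t"):
                for node in doc.iter(f"{W_NS}{tag}"):
                    links.extend(URL_RE.findall(node.text or ""))
    return links


def is_trusted(url: str, trusted=TRUSTED_SUFFIXES) -> bool:
    """Suffix match on the host only, so 'sharepoint.com.evil.example' is not trusted."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in trusted)


def suspicious_links(docx_bytes: bytes) -> list[str]:
    """URLs whose host is not under a trusted suffix, de-duplicated, document order kept."""
    seen: set[str] = set()
    out: list[str] = []
    for url in extract_links(docx_bytes):
        if not is_trusted(url) and url not in seen:
            seen.add(url)
            out.append(url)
    return out


def build_sample_docx() -> bytes:
    """Constructed sample: the visible text 'Open document' is a hyperlink to a look-alike
    domain (invented for this example); a genuine SharePoint URL also appears as plain text."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:hyperlink r:id="rId2"><w:r><w:t>Open document</w:t></w:r></w:hyperlink>'
        '<w:r><w:t> Shared via https://contoso.sharepoint.com/sites/finance</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://login.microsoftonline-secure.example/common/oauth2" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for url in suspicious_links(build_sample_docx()):
        print("untrusted link:", url)
```

Run against the sample, the only hit is the relationship target behind “Open document”; the genuine SharePoint URL in the body text is allowed. In a real deployment you would feed it the files your tenant receives through external shares and pair the allow-list with a reputation lookup rather than a fixed tuple, but the point stands: the link you need to inspect is in the .rels part, not the text.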
Why This Works So Well
Let’s break it down:
It rides on Microsoft’s good reputation — users and tools both trust it.
The flow feels familiar — the victim does the real SharePoint steps before anything bad happens.
The bad link is invisible until after the secure login.
Code- and push-based MFA is useless — the attacker never needs your code, because what gets stolen and replayed is the session cookie Microsoft issues after you have already passed MFA. Only phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based auth), whose credential is bound to the real login origin, leaves the proxy with nothing usable.
How to Fight Back (If You’re Defending)
If you think this is just a “train your users” thing — you’re already halfway lost.
Yes, awareness training helps, but you also need:
Phishing-Resistant MFA – FIDO2 keys, passkeys, Windows Hello for Business or certificate-based auth. The credential is bound to login.microsoftonline.com, so a proxy on another domain never gets anything it can replay.
Conditional Access Policies – Require a compliant or Entra-joined device for sign-in (the proxy cannot present your managed device’s credentials, so the AiTM sign-in itself fails), block sign-ins from countries you don’t operate in, and act on Entra ID Protection risk signals such as impossible travel and anomalous token.
Cloud App Security – Use Defender for Cloud Apps to scan files in SharePoint/OneDrive for links to domains outside your allow-list, and to alert on risky sign-ins to those services.
External Sharing Limits – Only allow shares from trusted domains, and treat a share notification from a tenant you have never worked with as untrusted by default.
Live Session Monitoring – In the Entra sign-in logs, the same session ID showing up from a new IP, network or user agent shortly after an interactive MFA sign-in is the signature of a replayed cookie. So is an MFA-satisfied sign-in coming from a hosting provider’s IP space, which is where the AiTM proxy lives.
Report Button – Encourage users to flag any document share they weren’t expecting.
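To make the “Live Session Monitoring” bullet concrete, here is an added example, not code from the post or from Microsoft, of the two checks a detection engineer would run over sign-in records: a session ID reused from a different network or client within a short window of the sign-in that minted it, and an interactive MFA-satisfied sign-in that originates from hosting-provider address space. The record shape, the hosting-provider list and the five sample sign-ins are constructed for the example; in production the records come from the Entra sign-in logs and the network owner from an IP-to-ASN lookup you run upstream.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Network owners treated as "hosting" for this example (assumption: maintained from an IP-to-ASN feed).
HOSTING_ORGS = {"Hetzner Online", "DigitalOcean", "M247"}


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # the session ID the sign-in logs expose; a replayed cookie keeps it
    ip: str
    org: str          # owner of the source network, resolved upstream
    user_agent: str
    interactive: bool # True for a browser sign-in, False for token/cookie-based access
    mfa: bool         # whether this sign-in satisfied MFA


def analyse(events: list[SignIn], window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return one alert dict per suspicious finding.

    Check 1: MFA satisfied during an interactive sign-in from hosting address space
             (an AiTM proxy relays the victim's login, so Microsoft sees the proxy's IP).
    Check 2: a session used from a different network or user agent than the sign-in
             that created it, within `window` (the stolen cookie being replayed).
    """
    alerts: list[dict] = []
    by_session: dict[tuple[str, str], list[SignIn]] = defaultdict(list)

    for e in sorted(events, key=lambda e: e.ts):
        if e.interactive and e.mfa and e.org in HOSTING_ORGS:
            alerts.append({"user": e.user, "session_id": e.session_id,
                           "reason": "mfa_from_hosting_network", "detail": f"{e.ip} ({e.org})"})
        by_session[(e.user, e.session_id)].append(e)

    for (user, sid), evs in by_session.items():
        first = evs[0]  # the sign-in that minted the session
        for e in evs[1:]:
            if e.ts - first.ts > window:
                break  # evs is time-ordered, so nothing later is inside the window
            if e.org != first.org or e.user_agent != first.user_agent:
                alerts.append({"user": user, "session_id": sid,
                               "reason": "session_reused_from_new_client",
                               "detail": f"{first.ip}/{first.user_agent} -> {e.ip}/{e.user_agent}"})
                break  # one alert per session is enough for triage
    return alerts


def sample_events() -> list[SignIn]:
    """Constructed sign-in records (not real log data) for 9 Sep 2025."""
    def T(h: int, m: int) -> datetime:
        return datetime(2025, 9, 9, h, m)
    chrome = "Mozilla/5.0 (Windows NT 10.0) Chrome/128"
    return [
        # Alice's real morning sign-in from her ISP, then a token refresh from the same client: benign.
        SignIn(T(9, 0), "alice", "s-111", "203.0.113.10", "Comcast Cable", chrome, True, True),
        SignIn(T(9, 5), "alice", "s-111", "203.0.113.10", "Comcast Cable", chrome, False, True),
        # Alice types password and MFA code into the AiTM page; Microsoft records the proxy's IP.
        SignIn(T(14, 2), "alice", "s-222", "198.51.100.7", "Hetzner Online", chrome, True, True),
        # Minutes later the captured cookie is replayed from the attacker's own machine.
        SignIn(T(14, 6), "alice", "s-222", "192.0.2.55", "M247", "python-requests/2.31", False, True),
        # Bob: nothing unusual.
        SignIn(T(10, 0), "bob", "s-333", "203.0.113.77", "Comcast Cable", chrome, True, True),
    ]


if __name__ == "__main__":
    for a in analyse(sample_events()):
        print(f"{a['user']} {a['session_id']} {a['reason']}: {a['detail']}")
```

Against the sample, only Alice’s afternoon session fires, and it fires twice: once because MFA was satisfied from a Hetzner address, and once because the same session ID reappears four minutes later from a different network with a scripted user agent. Expect tuning in real life: users on mobile networks and VPNs legitimately change IP mid-session (comparing network owner rather than raw IP is the first step), and your own VPN egress or cloud-hosted jump hosts belong on an exclusion list, not in HOSTING_ORGS.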
Why Red Teams Love This
From a red team perspective, this is chef’s kiss:
The email looks perfect.
The infrastructure is Microsoft’s — no sketchy domains to register.
The social engineering is minimal.
MFA is just… irrelevant, unless the target has rolled out phishing-resistant methods.
The Takeaway
The scariest part?
The attacker doesn’t break Microsoft security — they use it against you.
If you’re defending, remember this: the danger isn’t just in the link your filters see.
It’s in what happens after the click.
---------------------------------------Dean/J----------------------------------------

