40,000 Phishing Emails Mimic SharePoint and E-Signing Platforms in Global Finance-Themed Scam

Email security researchers at Check Point identify a global phishing campaign sending over 40,000 emails that impersonate SharePoint and e-signing services. Attackers abuse trusted redirect infrastructure, including Mimecast links, to mask malicious URLs. The campaign targets 6,100 organisations worldwide, mainly in consulting, technology, and construction sectors, exploiting routine document-sharing workflows.

A large-scale phishing campaign impersonating popular file-sharing and electronic signature platforms highlights how trusted digital tools continue to be exploited by cyber criminals to target organisations worldwide.

Email security researchers at Check Point report that attackers have distributed more than 40,000 phishing emails over a two-week period, targeting around 6,100 customers across multiple regions. The campaign relies on fake notifications designed to resemble legitimate alerts from SharePoint, e-signing services, and DocuSign-style platforms, aiming to trick recipients into clicking malicious links linked to financial workflows.

Trusted digital services used as attack cover

Digital file-sharing and e-signature platforms play a central role in banking, real estate, insurance, and daily business operations. Their routine use for invoices, contracts, and approvals makes them attractive vehicles for phishing.

In this campaign, attackers route all malicious links through
https://url.za.m.mimecastprotect.com, a trusted redirect domain. By doing so, they take advantage of familiar security flows to lower user suspicion and bypass automated email filters.

According to Check Point, the attackers abuse Mimecast’s secure-link rewriting feature, using it as a disguise rather than exploiting a technical vulnerability. Because the redirect domain is widely recognised, the phishing links appear authenticated and safe at first glance.

How the phishing emails are designed

To increase credibility, the emails closely mirror genuine service notifications. They include:

• Official-looking Microsoft and Office product logos
• Service-style headers and footers
• Prominent call-to-action buttons such as “Review Document”
• Spoofed display names including
  “X via SharePoint (Online)”,
  “eSignDoc via Y”, and
  “SharePoint”

These elements closely match authentic notification patterns, making the emails difficult to distinguish from legitimate document-sharing alerts.

Related DocuSign-style phishing variant identified

Alongside the main SharePoint and e-signing campaign, researchers identify a smaller but related phishing operation that imitates DocuSign notifications.

While both attacks impersonate trusted SaaS platforms and rely on legitimate redirect infrastructure, their technical execution differs:

• In the main campaign, the secondary redirect functions as an open redirect, leaving the final phishing URL visible in the query string, even when wrapped in trusted services.
• In the DocuSign-themed variant, the link passes through a Bitdefender GravityZone URL and then Intercom’s click-tracking service. The final destination remains fully hidden behind a tokenised redirect.

This method conceals the phishing site entirely, making the DocuSign-style variant more difficult to detect and analyse.

Global reach and sector-specific targeting

Check Point’s Harmony Email telemetry confirms the scale and geographic spread of the attack. Over the past two weeks, phishing emails reach organisations across the United States, Europe, Canada, APAC, and the Middle East.

Regional distribution (by hosted customer data):

• USA: 34,057
• Europe: 4,525
• Canada: 767
• Asia: 346
• Australia: 267
• Middle East: 256

Note: Regional figures reflect where customer data is hosted within Check Point’s infrastructure and may not represent physical customer locations.

By industry, the most affected customers operate in Consulting, Technology, and Construction/Real Estate, with further impact across Healthcare, Finance, Manufacturing, Media and Marketing, Transportation and Logistics, Energy, Education, Retail, Hospitality and Travel, and Government.

These sectors frequently exchange contracts, invoices, and transactional documents, making file-sharing and e-signature impersonation particularly effective.

Why this campaign matters

While similar phishing techniques have appeared in previous years, this campaign demonstrates how easily attackers can imitate widely trusted digital services at scale. It reinforces the risk posed by phishing emails that appear routine, urgent, or financially relevant.

The campaign underlines the importance of user awareness, especially when messages include embedded links, unfamiliar sender details, or subtle inconsistencies in formatting or content.

Practical steps to reduce risk

Organisations and individuals can reduce exposure to these attacks by adopting a layered approach to security:

• Treat unexpected or urgent email links with caution
• Check for mismatches between display names and sender addresses
• Watch for formatting issues, unusual fonts, or low-quality logos
• Hover over links to inspect the actual destination before clicking
• Access file-sharing or e-signature services directly through a browser rather than email links
• Provide regular employee training on emerging phishing techniques
• Deploy email threat detection, anti-phishing engines, URL filtering, and user reporting tools

Mimecast statement on the campaign

Mimecast responds to the findings with the following statement:

“The attacker campaign described by Check Point exploited legitimate URL redirect services to obfuscate malicious links, not a Mimecast vulnerability. Attackers abused trusted infrastructure – including Mimecast’s URL rewriting service – to mask the true destination of phishing URLs. This is a common tactic where criminals leverage any recognised domain to evade detection.

Mimecast customers are not susceptible to this type of attack. Mimecast’s detection engines identify and block these attacks. Our URL scanning capabilities automatically detect and block malicious URLs before delivery. After delivery, our URL rewriting service inspects links on click, providing an additional layer that catches threats even when they’re hidden behind legitimate redirect chains.”