Week 5: Global SharePoint phishing wave – Switzerland also affected

03.02.2026 - Over the past few weeks, the NCSC has received reports of emails claiming that the sender has shared a file via Microsoft SharePoint. The link provided really does lead to the legitimate SharePoint platform. This week's review explains the malicious intent behind these emails, the background to the scam, and its implications for users.

Phishing emails have become much harder to detect. Modern AI-based translation tools help scammers avoid language errors, and the displayed sender address is no longer a reliable indicator because it can easily be spoofed. What's more, scammers use personal data from data leaks to address recipients correctly or include special details, making their messages appear more credible.

Taking all of this into account, the link in a scam email is often the only remaining clue that reveals a potential attack. Consequently, scammers also manipulate this final element to deceive their targets. The NCSC has observed several targeted phishing attempts of this kind in recent weeks. In these cases, the link leads to the official Microsoft SharePoint platform. This issue is also currently being discussed internationally.

How the scam works

In this SharePoint phishing scam, you receive an invitation to a document that is supposedly stored on SharePoint. The invitation usually appears to come from someone you know and is automatically sent via Microsoft SharePoint.

Email claiming that someone has shared a PDF file with you.

To download the document, you are first asked to authenticate via SharePoint. After clicking the link, a form opens in which you are prompted to enter your email address.

Verification page hosted on the genuine SharePoint server.

A one-time password is then sent to the email address you entered. The email does in fact come from Microsoft, or more specifically from SharePoint.

At this stage, the one-time password does indeed come from SharePoint.

You are then asked to enter the account verification code sent to your email address. Up to this point, everything was legitimate. But now the scam begins. Within SharePoint, there is another link to an alleged PDF document. When you click this link to download the document, a password prompt appears. This time, however, you don't need a verification code. Instead, you are asked directly for your Microsoft login credentials – your email address and password.

The phishing link is embedded in SharePoint.

This particular scam involves real-time phishing. Not only are your login details stolen, but a login to your Microsoft account is also performed in real time in the background. In a second step, the prompt for the second authentication factor is also sent to the phishing page. You are asked to approve it there as well. This allows the scammers to bypass two-factor authentication.

The phishing link leads to a real-time phishing page.

Where the scammers get your data

In many cases, these phishing emails are sent to companies in a highly targeted manner. This raises the question of how the scammers establish a link between organisations and their employees.

Three main scenarios are possible:

  • The information needed for the scam comes from public sources. Scammers research company websites, for example, to identify employees, business relationships or partner organisations. In many cases, this information alone is sufficient to launch a targeted phishing scam.
  • The data may also come from a Microsoft account that was compromised earlier using this same approach. In this case, scammers obtain the information they need to carry out further phishing scams.
  • Some of these SharePoint invitations are sent at random. In one email sent directly to the NCSC, no connection could be identified: there had been no prior email contact with the company, and no relationship was apparent from its website.

Recommendations

  • Never enter passwords, credit card details or other sensitive information on websites accessed via links in emails or text messages.
  • Be cautious of unsolicited or unusual emails, even if they appear to come from a legitimate source.
  • If an email appears to come from someone you know but you are unsure, check with that person via a different communication channel.
  • If you manage staff, make sure they are regularly informed and trained about new phishing scams and current scam techniques.

Last modification 03.02.2026


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_5.html