How SharePoint spoofing turns trusted workflows into phishing lures

SharePoint spoofing attacks work because they blend into the tools healthcare staff already use every day. Attackers send emails that look like normal SharePoint or OneDrive notifications, often asking someone to review a shared document or open a file. Some attackers also target on-premises SharePoint servers through newly disclosed vulnerabilities. The problem is familiarity. SharePoint invites, shared folders, and document review links are part of normal healthcare workflows, so staff may not stop to question them.

A Microsoft Security blog noted, “Threat actors often abuse legitimate services and brands to avoid detection. In this scenario, we observed that the attacker leveraged the SharePoint service for the phishing campaign.”

Microsoft has warned that SharePoint and OneDrive carry a sense of built-in legitimacy. The risk is even higher because email carries so much operational weight, and busy staff may be moving quickly between patient care, admin tasks, billing, and vendor communication. The attacks also do not always depend on stealing a password. Attackers use OAuth abuse, device-code phishing, adversary-in-the-middle (AiTM) phishing, or session cookie theft to capture valid access tokens and gain access to trusted accounts.

What is SharePoint spoofing?

SharePoint spoofing refers to two related risks. The first is phishing that imitates SharePoint or OneDrive, usually through fake shared document alerts or approval requests. Microsoft has shown examples where attackers used SharePoint-style links, familiar wording, and internal-looking sender details to make a message feel legitimate. Microsoft’s blog on the topic stated, “This email masquerades as a SharePoint communication asking the recipient to review a shared document. The sender and recipient addresses are the same, though the threat actor has set the display name of the sender to ‘Pending Approval.’”

The second meaning is more technical. Spoofing can also refer to a vulnerability in SharePoint itself, such as CVE-2025-49706, an improper authentication flaw affecting on-premises SharePoint servers. Microsoft reported that Chinese advanced persistent threat groups exploited CVE-2025-49706 alongside CVE-2025-49704, a remote code execution flaw, to target unpatched on-premises SharePoint servers, install web shells, and steal machine keys.

Why SharePoint lures work so well

Attackers rely on human factors and volume to make these lures effective in healthcare. Hospitals are inundated with email-based alerts and heavy workloads, so employees often click without deep scrutiny. For example, a 2020 Journal of Medical Internet Research study of 397 hospital staff found workload (being busy) was the only factor predicting whether someone clicked a phishing link. The authors note that although staff may intend to follow security policies, busyness makes them click phishing links anyway.

In addition, healthcare email traffic is massive. One BMJ Health & Care Informatics study found that ~2–3% of all email/web traffic is flagged as suspicious, resulting in over 50 million potentially harmful messages annually. In short, email is a dominant communication path in healthcare, and attackers exploit it heavily. Vanderbilt University Medical Center concurs that “phishing continues to be one of the most highly utilized methods” to breach healthcare organizations.

Why attackers do not need a password

Modern SharePoint phishes often aim to harvest tokens, not passwords. Two key techniques are OAuth device-code phishing and AiTM attacks. In a device-code phish, the attacker tricks the user into completing a legitimate OAuth login flow. Once the victim enters the code, the attacker automatically obtains a valid OAuth access token for the user’s Microsoft 365 account, without ever seeing the password.

In late 2025, Microsoft research similarly observed a scaled-up AI-enabled device-code campaign (the EvilTokens PhaaS) that used automation to overcome the normal 15-minute expiration and harvest tokens at a large scale. The campaigns exploit OAuth flows: users believe they are authorizing an app but actually hand an attacker an OAuth token that grants access to their account.

The other big reason attackers do not need passwords is AiTM (session hijacking). In these attacks, the phisher uses a proxy site that intercepts the sign-in. The user may even reach the real login page, enter credentials, and complete MFA, but the attacker’s server sits in the middle and immediately captures the session cookie. The previously referenced Microsoft blog warns that in AiTM cases, “password reset is not an effective solution” because the attacker’s session is already active. Worse, the attacker can establish persistence by tampering with MFA. For example, Microsoft found attackers adding an extra MFA method (e.g., an OTP to the attacker’s phone) so they can still sign in even after a password reset.
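
As an added example (not from the article, Microsoft, or Paubox), the following detection logic flags the token-theft pattern described above: a device-code sign-in from an unfamiliar network, escalated to high severity when the same account registers a new MFA method shortly afterwards. The records are constructed, and the field names are modelled loosely on Entra ID sign-in and audit logs rather than taken from a real export; `knownNetwork` is an assumed SIEM enrichment flag.

```python
from datetime import datetime, timedelta

# Constructed sample events (synthetic). Field names are modelled loosely on
# Entra ID sign-in and audit logs; "knownNetwork" is an assumed SIEM enrichment
# flag, not a native log field.
SIGN_INS = [
    {"user": "j.doe@clinic.example", "time": "2025-11-03T09:02:00",
     "protocol": "deviceCode", "knownNetwork": False},
    {"user": "a.lee@clinic.example", "time": "2025-11-03T09:10:00",
     "protocol": "oAuth2", "knownNetwork": True},
    {"user": "m.roy@clinic.example", "time": "2025-11-03T10:00:00",
     "protocol": "deviceCode", "knownNetwork": True},
]
AUDIT = [
    {"user": "j.doe@clinic.example", "time": "2025-11-03T09:09:00",
     "activity": "User registered security info"},
    {"user": "a.lee@clinic.example", "time": "2025-11-03T15:00:00",
     "activity": "User registered security info"},
]

MFA_REGISTRATION = "User registered security info"


def _ts(value):
    return datetime.fromisoformat(value)


def token_theft_alerts(sign_ins, audit, window_minutes=60):
    """Flag device-code sign-ins from unfamiliar networks (the known-network
    filter is a noise-reduction choice). Escalate to high severity when the
    same account registers a new MFA method inside the window, which is the
    persistence pattern described in the text."""
    alerts = []
    for s in sign_ins:
        if s["protocol"] != "deviceCode" or s["knownNetwork"]:
            continue
        start = _ts(s["time"])
        end = start + timedelta(minutes=window_minutes)
        followups = [a for a in audit
                     if a["user"] == s["user"]
                     and a["activity"] == MFA_REGISTRATION
                     and start <= _ts(a["time"]) <= end]
        reason = "device-code sign-in from unfamiliar network"
        if followups:
            reason += "; MFA method registered %s later" % (
                _ts(followups[0]["time"]) - start)
        alerts.append({"user": s["user"], "time": s["time"],
                       "severity": "high" if followups else "medium",
                       "reason": reason})
    return alerts
```

Running `token_theft_alerts(SIGN_INS, AUDIT)` produces one high-severity alert for j.doe; the same sign-in without a matching MFA registration would be reported at medium severity.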
Why spoofing is not isolated to email

Although the SharePoint server exploit affected on-premises environments rather than SharePoint Online, Paubox’s 2026 Healthcare Email Security Report shows why cloud tenants still cannot treat Microsoft 365 as low risk. The report found that 53% of healthcare email-related breaches in 2025 occurred on Microsoft 365, up from 43% in 2024, while 41% of breached organizations were assessed as high risk and 74% had ineffective DMARC protection. The data supports the broader point: SharePoint Online may not have been vulnerable to this specific server-side exploit chain, but Microsoft 365 users remain exposed through phishing, spoofing, token theft, and compromised-account workflows.

The server-side exploit chain required no email to a user at all, just an unpatched SharePoint server. CISA has since added CVE-2025-49706 to the Known Exploited Vulnerabilities catalog, and organizations are advised to patch affected servers or disconnect any unsupported SharePoint instances. SharePoint Online (in Microsoft 365) was not vulnerable to this chain.

The solution

Paubox can support healthcare organizations by reducing the email-based entry point that makes SharePoint spoofing so effective. The attacks often begin with a trusted-looking message, a familiar sender name, or a routine document-sharing workflow that encourages users to click before questioning the request. Paubox Inbound Email Security adds a protective layer by scanning incoming emails for phishing, malware, ransomware, suspicious links, malicious attachments, QR code threats, and impersonation attempts.

ExecProtect helps stop display name spoofing and employee impersonation, which are common tactics in SharePoint-themed lures. Paubox should be used alongside Microsoft 365 identity controls, phishing-resistant multifactor authentication, conditional access, mailbox rule monitoring, staff training, and prompt patching for on-premises SharePoint servers. In that layered model, Paubox helps block suspicious SharePoint-themed emails before they reach users, while its automatic outbound encryption helps protect sensitive healthcare communications when protected health information is sent by email.
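
As an added example (not from the article, Microsoft, or Paubox), this header check flags the lure pattern quoted earlier under "What is SharePoint spoofing?" and the display-name spoofing mentioned here: a sender address equal to the recipient, a service-style display name such as "Pending Approval", and a Return-Path domain that does not match the From domain. Both messages are constructed samples.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the pattern Microsoft described: From and To
# are the same mailbox and the display name is set to "Pending Approval".
LURE = """\
From: Pending Approval <j.doe@clinic.example>
To: j.doe@clinic.example
Return-Path: <bounce@mailer.example.net>
Subject: A document has been shared with you
Content-Type: text/plain

Review the shared file: https://sharepoint-review.example.net/doc
"""

# Constructed benign message for comparison.
BENIGN = """\
From: Alice Example <alice@clinic.example>
To: j.doe@clinic.example
Return-Path: <alice@clinic.example>
Subject: Lunch
Content-Type: text/plain

Lunch at noon?
"""

# Display-name fragments that imitate a service or workflow rather than a person.
SERVICE_WORDS = ("pending approval", "sharepoint", "onedrive",
                 "shared document", "document review", "approval request")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lure_indicators(raw):
    """Return the list of header indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    hits = []
    if from_addr and from_addr.lower() == to_addr.lower():
        hits.append("sender equals recipient")
    if any(w in name.lower() for w in SERVICE_WORDS):
        hits.append("display name imitates a service")
    if ret_addr and _domain(ret_addr) != _domain(from_addr):
        hits.append("Return-Path domain differs from From domain")
    return hits
```

A message that trips all three indicators is a strong candidate for quarantine or an impersonation warning banner, while a legitimate internal share from a named colleague returns an empty list.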

FAQs

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures, a public identifier used to track known cybersecurity flaws.

What is remote code execution?

Remote code execution is a serious vulnerability that allows an attacker to run commands or malicious code on a system from a remote location.

What is improper authentication?

Improper authentication means a system does not properly verify who a user or system is, which can allow attackers to bypass normal access checks.