You know to be suspicious of emails containing strange links and unexpected attachments. But what happens when you receive a file shared through legitimate and trusted sites like Sharepoint or OneDrive, especially when you use these products every day?
That’s exactly how attackers bypass spam filters and trick advisers: they send the “file sharing” invitation through a legitimate site, so the malicious link sits inside the shared document rather than in the email itself. Click to view, and the page will typically harvest your login details or prompt you to download a malicious file.
This type of attack has been around for a while, with the Cyber and Fraud Centre Scotland sharing examples of this attack in 2024.
However, Microsoft has recently uncovered a multi-stage phishing campaign where criminals are using trusted Microsoft tools, like SharePoint and OneDrive, to lure victims into handing over their login credentials and, in some cases, helping them steal money through business email compromise (BEC).
We’ve seen this trend at Parmenion. Our teams often report emails they’ve received from genuine adviser accounts that have been compromised and used to send “file sharing” invitations. Once you know how to spot this type of attack, it’s easy to avoid falling for it:
1. There will be no personalised greeting or reference to you by name (because the same email has gone to every contact in the hijacked mailbox).
2. The To and From fields will often contain the same email address (that of the person whose account has been hacked).
3. The file being shared with you will be vaguely named, such as ‘New Proposal’, aiming to pique your interest.
What’s happening
Instead of sending malicious files or links directly to your inbox, where spam filters often block them, attackers use genuine document-sharing services such as SharePoint to send authentic-looking “file sharing” invitations. The notification emails come from real Microsoft domains, making them almost impossible to spot at first glance. The phishing link is not in the email at all: it is embedded in the document being shared.
When the target clicks to access the document, they’re often presented with another link, and taken to a fake Microsoft 365 login page that looks identical to the real one.
Once credentials are entered, attackers intercept them in real time using Adversary-in-the-Middle (AiTM) techniques: the fake page is a proxy that relays your password and MFA code to the real Microsoft login and captures the session token Microsoft sends back, so the attacker ends up signed in as you even though multi-factor authentication is enabled. Only phishing-resistant MFA, such as FIDO2 security keys or passkeys bound to the genuine login domain, is not defeated this way.
NB: Session tokens are what allows a website to remember who you are while you’re browsing, keeping you logged in throughout the ‘session’.
The stolen credentials and session tokens are then used to hijack inboxes and send out further phishing emails, monitor conversations to identify high-value targets, and impersonate advisers or clients to initiate fraudulent transactions.
Why this matters for advisers
Financial advisers are prime targets because they regularly handle client financial and personal data and are likely to discuss confidential matters over email. Attackers know that an email from your inbox carries instant credibility.
Once inside your mailbox, they can:
- Send phishing emails to your contacts, both within and outside of your organisation
- Create inbox rules to evade detection, such as marking all incoming emails as read
- Respond to emails from your contacts, falsely confirming that the phishing emails are legitimate, and then delete those replies from your mailbox to keep you unaware of their access
- Pose as you or your clients to authorise or request payments
- Redirect invoices and transfer requests
- Steal sensitive client data for further exploitation
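The inbox-rule and forwarding tricks in the list above leave traces in the mailbox itself, and they are what a security team should hunt for after a suspected compromise. The following is an added example, not part of the original article: it scores inbox rules in the shape Microsoft Graph returns from GET /users/{id}/mailFolders/inbox/messageRules. The sample rules, folder ids and domain names are constructed for illustration, not taken from any tenant; fetching the real rules with your own Graph client is assumed and left out.

```python
"""Score mailbox inbox rules for the hiding and forwarding tricks an account hijacker plants.

Added example, not the article's own material. Rules are in the shape Microsoft Graph
returns from GET /users/{id}/mailFolders/inbox/messageRules; the rules, folder ids and
domain names below are constructed for illustration, not pulled from a tenant. Fetch the
real rules per mailbox with your own Graph client; this only scores what you have fetched.
"""
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"adviserfirm.example"}        # assumption: your firm's accepted domains

# Graph gives folder ids, not names; resolve them via /mailFolders first (constructed map).
FOLDER_NAMES = {
    "AAMkAGI2RSS": "RSS Feeds",
    "AAMkAGI2DEL": "Deleted Items",
    "AAMkAGI2CLI": "Clients",
}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}

# Words a BEC actor filters on, either to intercept payment threads or to suppress warnings.
BEC_KEYWORDS = {"invoice", "payment", "bank", "transfer", "remittance", "wire", "password",
                "hacked", "phishing", "suspicious", "fraud", "compromised", "security"}


def _addresses(recipients) -> List[str]:
    """Flatten a Graph recipient collection to lower-cased addresses."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def score_rule(rule: Dict) -> Tuple[int, List[str]]:
    """Return (score, findings) for one messageRule; higher means more suspicious."""
    score, findings = 0, []
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    name = (rule.get("displayName") or "").strip()

    if len(name) <= 2:                       # attackers often name rules ".", "..", or ","
        score += 2
        findings.append(f"near-empty rule name {name!r}")
    if actions.get("markAsRead"):
        score += 1
        findings.append("marks incoming mail as read")
    if actions.get("delete") or actions.get("permanentDelete"):
        score += 3
        findings.append("deletes incoming mail")
    folder = FOLDER_NAMES.get(actions.get("moveToFolder") or "", "")
    if folder.lower() in HIDING_FOLDERS:
        score += 3
        findings.append(f"moves mail to '{folder}'")
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        external = [a for a in _addresses(actions.get(key)) if _is_external(a)]
        if external:
            score += 4
            findings.append(f"{key} to external address: {', '.join(external)}")
    words = set()
    for key in ("subjectContains", "bodyOrSubjectContains", "bodyContains"):
        words.update(w.lower() for w in conditions.get(key) or [])
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        score += 2
        findings.append("filters on BEC/security words: " + ", ".join(hits))
    if not conditions and (actions.get("delete") or actions.get("moveToFolder")):
        score += 2
        findings.append("applies to every message (no conditions)")
    return score, findings


def suspicious_rules(rules: List[Dict], threshold: int = 4) -> List[Dict]:
    """Rules scoring at or above threshold, most suspicious first."""
    flagged = []
    for rule in rules:
        score, findings = score_rule(rule)
        if score >= threshold:
            flagged.append({"id": rule.get("id"), "displayName": rule.get("displayName"),
                            "score": score, "findings": findings})
    return sorted(flagged, key=lambda r: -r["score"])


# Constructed sample: two attacker-style rules and two benign ones.
SAMPLE_RULES = [
    {"id": "r1", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "hacked"]},
     "actions": {"markAsRead": True, "moveToFolder": "AAMkAGI2RSS", "stopProcessingRules": True}},
    {"id": "r2", "displayName": "Statements", "isEnabled": True,
     "conditions": {"subjectContains": ["statement"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collect@mail-drop.example"}}]}},
    {"id": "r3", "displayName": "Client mail", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "jane@client.example"}}]},
     "actions": {"moveToFolder": "AAMkAGI2CLI"}},
    {"id": "r4", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"markAsRead": True}},
]

if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_RULES):
        print(hit["id"], hit["displayName"], hit["score"], "; ".join(hit["findings"]))
```

The weights are a starting point, not a standard: external forwarding and deletion of mail are scored highest because a legitimate user rarely needs either, while “mark as read” alone is common in benign rules and only becomes interesting in combination with keyword filters or a hiding folder.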
And because the entire attack chain uses legitimate Microsoft infrastructure, these scams often slip past spam filters and security tools, making human awareness the most important line of defence.
How to protect yourself and your clients
Here’s how to stay safe against this new generation of phishing:
1. Double-check every link, even Microsoft ones.
Hover over “View Document” or “Open File” links and read the host, which is the part between https:// and the next single slash. Genuine SharePoint and OneDrive for Business links live on your-tenant.sharepoint.com or your-tenant-my.sharepoint.com, personal OneDrive on onedrive.live.com, and the Microsoft 365 sign-in page on login.microsoftonline.com. A host such as sharepoint.com.example.net, or a “sharepoint.com” that only appears after the first slash, is not Microsoft. Bear in mind that a genuine Microsoft host proves only that Microsoft stores the file: attackers share from tenants they control, so the dangerous link is usually the one inside the document, and it is that link, and the sign-in page it opens, that you must check.
2. Don’t log in through pop-ups or embedded windows.
If a document you have just opened asks you to sign in again, close it. Always open Microsoft 365 directly in your browser or via your firm’s secure login portal.
3. Report suspicious file shares.
If something feels off, especially if a file share or client request arrives unexpectedly, flag it to your security team or verify it by phone before opening.
4. Educate clients too.
Let them know that your firm will never request sensitive information or payments through file-sharing links without prior confirmation.
5. Be wary of vague emails.
No greeting by name, no explanation of why the file has been sent, and the same address in both the To and From fields are the clues that give this type of attack away.
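Step 1 above says to read the host of a hovered link rather than the start of the string. The check below is an added example, not code from the original article, showing why: it parses the host with Python's standard library and rejects the lookalike forms (a fake parent domain, a userinfo trick, “sharepoint.com” buried in the path) that a plain prefix test accepts. The host lists are assumptions for illustration; extend them with your own tenant names and any firm-specific sign-in portal.

```python
"""Classify a hovered link by its parsed host rather than by a string prefix.

Added example for the "double-check every link" step; not from the original article.
The host lists are assumptions for illustration: extend them with your own tenant names
(contoso.sharepoint.com) and any firm-specific sign-in portal.
"""
from typing import Optional
from urllib.parse import urlsplit

# Parent domains Microsoft uses for SharePoint / OneDrive file links (assumed set).
SHARE_DOMAINS = {"sharepoint.com", "onedrive.live.com"}
# Hosts that serve the genuine Microsoft sign-in pages (assumed set).
LOGIN_DOMAINS = {"login.microsoftonline.com", "login.live.com"}


def link_host(url: str) -> Optional[str]:
    """Return the host of an https URL, or None if it is not a plain https link.

    urlsplit() discards userinfo and the path, so
      https://sharepoint.com@evil.example/   -> evil.example
      https://evil.example/sharepoint.com/   -> evil.example
    both of which a 'starts with https://sharepoint.com' test gets wrong.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")   # .hostname is already lower-cased


def host_under(host: str, domains: set) -> bool:
    """True if host equals one of domains or is a subdomain of it (dot-boundary match).

    'evilsharepoint.com' does not match 'sharepoint.com'; neither does a homoglyph
    host such as 'shаrepoint.com' (Cyrillic а) or its punycode 'xn--' form.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_link(url: str) -> str:
    """'share' for a Microsoft file host, 'login' for a Microsoft sign-in host, else 'reject'.

    'share' means only that Microsoft hosts the file: an attacker's own tenant passes too.
    The link that matters is the one inside the document, and the page it opens must be
    'login' before you type a password.
    """
    host = link_host(url)
    if host is None:
        return "reject"
    if host_under(host, LOGIN_DOMAINS):
        return "login"
    if host_under(host, SHARE_DOMAINS):
        return "share"
    return "reject"


# Constructed sample links covering the genuine hosts and the common lookalike tricks.
SAMPLE_LINKS = [
    "https://contoso.sharepoint.com/:b:/s/Clients/EaBc123",
    "https://contoso-my.sharepoint.com/personal/user/Documents/New%20Proposal.pdf",
    "https://onedrive.live.com/?id=ABC123",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
    "https://sharepoint.com.evil.example/view",
    "https://evil.example/sharepoint.com/login",
    "https://sharepoint.com@evil.example/",
    "https://login.microsoftonline.com.evil.example/",
    "http://contoso.sharepoint.com/",
    "https://evilsharepoint.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):7} {link}")
```

A “share” verdict is deliberately weak: it tells you Microsoft is hosting the file, which is true of the attacker's own tenant as well. The verdict that actually protects a password is “login” on the page that asks for it.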
Final thought
Hackers are no longer just sending fake invoices or dodgy attachments - they’re exploiting the tools you trust the most.
As advisers, awareness and scepticism are your best defences. Before you click that next SharePoint link, stop and think: was I expecting this?
A few extra seconds of caution could save you and your clients from a costly breach.
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.
