The SharePoint Guest Link That Passed Every Authentication Check

TL;DR: An investor received a SharePoint guest-link notification that passed SPF, DKIM, and DMARC with a composite authentication score of 100. The link resolved directly to a legitimate sharepoint.com host presenting a Microsoft identity-verification prompt. No redirects, no suspicious domain. The personalized filename combined with a generic salutation flagged the behavioral mismatch that every gateway missed. This case shows how attackers use authenticated Microsoft infrastructure to turn the guest-verification flow into a credential-harvest gate, leaving behavioral analysis as the only viable detection surface.

Severity: High | Credential-Harvesting Phishing | Account-Takeover | MITRE: T1566.002 | MITRE: T1078

A tax document notification arrived with SPF pass, DKIM pass, DMARC pass, a composite authentication score of 100, and an SCL of 1. The sender's mail server was protection.outlook.com. The link in the body resolved directly, with no intermediate redirects, to a host ending in sharepoint.com. TLS was valid, the server returned HTTP 200, and every URL-reputation feed in the gateway's stack had nothing to say about it. The investor opened the email, clicked the link, and was prompted to verify their identity before accessing the shared file. That prompt was the attack.

When the Platform Is the Threat Actor's Infrastructure

SharePoint's guest-sharing feature is designed to let organizations send external users a link to a document, then ask them to confirm their email address before access is granted. The flow is native, branded, and hosted entirely on Microsoft domains. Attackers have recognized that this Microsoft-controlled identity-verification step is indistinguishable from a credential-harvest prompt to any recipient who does not already know what a legitimate Microsoft guest-verification request looks like.

In this case, the sender used a taxinvestor@ address on an investment firm domain that passed full authentication. Whether the account was compromised or the attacker abused the tenant's guest-sharing permissions, the result was the same: a real SharePoint share notification, sent through Microsoft's own mail infrastructure, pointing to a real sharepoint.com URL loaded with long encoded query tokens, presenting a "Verify your identity" gate before the supposed tax document could be accessed.

MITRE ATT&CK T1566.002 (spearphishing link) classifies this delivery. The credential-collection phase maps to T1078 (valid accounts), because the attacker is harvesting credentials that could directly enable future account access, and is doing so using authenticated infrastructure that legitimate account activity already relies on.

The Behavioral Signature Hiding in Plain Sight

Two signals in this email contradicted each other. The greeting was generic, addressing the reader only as an investor, and made no use of the recipient's name. The shared filename was personalized to the recipient's full name. Generic salutation plus personalized artifact is a targeting tell: the attacker had the recipient's identity and built a lure around it, but either could not or did not inject that name into the greeting block.

The sending address was not independently verifiable. Investment relationships come with known contact histories. A first-contact taxinvestor@ address on a domain the recipient had no prior relationship with should raise questions in any human reviewer's mind, even if the authentication stamps are immaculate.

These signals do not appear in URL-reputation feeds. They do not trigger SPF or DKIM evaluators. They require a system that reads behavior: sender first-contact status, greeting-to-artifact personalization mismatch, encoded token volume in a trusted-domain URL. According to the Verizon 2026 Data Breach Investigations Report, 62% of breaches involve the human element, and phishing remains a primary initial-access vector. Cases like this one show why: the infrastructure is legitimate and the authentication is clean, so the human (or the system modeling human behavior) is the only remaining detection surface.
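The three behavioral signals just listed, scored alongside the authentication verdict over a constructed guest-link notification. This is an added example, not IRONSCALES or Microsoft code; the sender, tenant, recipient and contact-history values are assumed, and the query tokens are filler rather than real indicators.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample standing in for the guest-link notification in this case.
# Sender, tenant and recipient names are assumed; tokens are filler, not real IOCs.
SAMPLE_MSG = {
    "from": "taxinvestor@investment-firm-example.com",
    "to_name": "Jane Doe",
    "auth": "spf=pass dkim=pass dmarc=pass compauth=pass reason=100",
    "body": "Dear Investor,\nA file has been shared with you: Jane Doe - Tax Documents.pdf\n"
            "https://tenant-example.sharepoint.com/sites/shared/?id="
            + "Zm9v" * 30 + "&e=" + "ab12" * 20,
}
KNOWN_CONTACTS = {"advisor@known-broker-example.com"}  # assumed contact history
GENERIC_GREETING = re.compile(r"^(dear|hello|hi)\s+(investor|customer|client|user|member)\b", re.I | re.M)
ENCODED_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")  # long opaque base64/hex-looking value

def encoded_token_chars(url: str) -> int:
    """Total length of query values that look like opaque encoded tokens."""
    return sum(len(v) for _, v in parse_qsl(urlsplit(url).query) if ENCODED_TOKEN.match(v))

def behavioral_signals(msg: dict, known_contacts: set) -> dict:
    """The signals the gateway never evaluates: first-contact sender, generic greeting
    paired with a personalized artifact, and token-heavy URLs on a trusted domain."""
    body = msg["body"]
    artifact = re.search(r"shared with you:\s*(.+)", body, re.I)
    urls = re.findall(r"https?://\S+", body)
    token_heavy = [u for u in urls
                   if (urlsplit(u).hostname or "").endswith(".sharepoint.com")
                   and encoded_token_chars(u) >= 100]
    return {
        "auth_clean": all(f"{k}=pass" in msg["auth"] for k in ("spf", "dkim", "dmarc")),
        "first_contact": msg["from"].lower() not in known_contacts,
        "generic_greeting": bool(GENERIC_GREETING.search(body)),
        "name_in_artifact": bool(artifact) and msg["to_name"].lower() in artifact.group(1).lower(),
        "token_heavy_trusted_url": bool(token_heavy),
    }

def verdict(sig: dict) -> str:
    """Authentication pass is deliberately not a mitigating factor: a first-contact
    sender plus a personalization mismatch or a token-heavy trusted URL is suspicious
    regardless of SPF/DKIM/DMARC."""
    mismatch = sig["generic_greeting"] and sig["name_in_artifact"]
    if sig["first_contact"] and (mismatch or sig["token_heavy_trusted_url"]):
        return "suspicious"
    return "allow"
```

A known sender with a named greeting and a plain document id produces "allow" from the same logic, so the score reflects behavior rather than the authentication stamps.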


Why the URL Did Not Help the Gateway

Standard gateway URL inspection looks for known-bad domains, typosquatted names, and reputation-flagged infrastructure. A URL on sharepoint.com clears all three checks. It is not a known-bad domain. It is not typosquatted. Microsoft infrastructure carries universal positive reputation.

The encoded query tokens embedded in the URL serve an additional purpose beyond SharePoint's normal document-routing. Long parameter strings with base64 or hex encoding are a common pattern in credential harvesting campaigns: they carry recipient-tracking identifiers that confirm which accounts actually clicked, validating targets for follow-on exploitation. A gateway that rewrites or follows the SharePoint URL sees Microsoft's own verification prompt and calls it clean.

The Microsoft Digital Defense Report 2024 documents the growing trend of attackers abusing Microsoft's own cloud services for phishing delivery, noting that brand-native platforms provide built-in trust that no attacker-registered domain can replicate. SharePoint guest links are a textbook case.

Treat Guest Access From Unverifiable Senders as Hostile

Detection here requires going beyond authentication verdicts and URL reputation. IRONSCALES Themis flagged the behavioral mismatch: first-contact sender, encoding anomalies in the SharePoint token, and the greeting-to-artifact personalization gap. The gateway, working from authentication and reputation alone, passed the message with an SCL of 1.

The CISA phishing guidance emphasizes that technical controls alone cannot stop social-engineering attacks delivered through legitimate infrastructure. The defensive recommendation is layered: restrict external guest sharing in Microsoft 365 administrative controls, enforce Conditional Access policies that challenge guest access from unfamiliar tenants, and deploy M365 augmentation that reads behavioral signals rather than relying on Microsoft's own authentication verdicts.

The IBM Cost of a Data Breach 2024 puts the average breach cost at $4.88 million. Attacks that bypass gateway controls entirely, using brand-native infrastructure, account for some of the hardest-to-detect initial access in that dataset.

Building a policy that defaults to treating any guest-access request from an unverifiable sender as suspicious, regardless of authentication pass/fail, is the operational change this attack pattern demands. Authentication tells you the mail server is real. It tells you nothing about whether the person who controlled that server intended you harm.

Credential harvesting protection for financial-services and investment-sector organizations must account for the fact that attackers now routinely operate through Microsoft's own infrastructure rather than around it.

Defanged IOC Table

Type | Indicator | Context
URL | hxxps://company-domain[.]sharepoint[.]com/sites/shared-folder?...encoded-token... | SharePoint guest link; resolves to credential-verification prompt
Sender domain | investment-firm-domain[.]com | Passed SPF, DKIM, DMARC; sender not independently verifiable
Sender address | taxinvestor@investment-firm-domain[.]com | First-contact sender; generic salutation
Authentication | SPF PASS, DKIM PASS, DMARC PASS, compauth=100, SCL=1 | Full authentication pass via protection.outlook.com

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
