Most phishing campaigns work hard to appear legitimate. This one forgot to finish building itself. A SharePoint impersonation email delivered via SendGrid arrived with its template merge variables still visible in the rendered body: {CURRENT_DATE} and {RECIPIENT_DOMAIN_NAME} displayed as literal text where personalized content should have been. Despite this obvious construction error, the message passed SPF, DKIM, and DMARC checks cleanly.
The email was sent from noreply@sixcentpress[.]com using SendGrid infrastructure (IP 149.72.120[.]62, PTR s.wrqvtvpz.outbound-mail.sendgrid[.]net). It impersonated a Microsoft SharePoint notification with a "View page" call-to-action button. The CTA linked to a SendGrid click-tracking URL under url9106.sixcentpress[.]com, which redirected to a third-party landing page at hightechconstructinc[.]com.
This is a first-time sender to the target organization, and the sending domain has zero affiliation with Microsoft.
Inside the Broken Template
The technical execution reveals a phishing kit that automates campaign deployment across multiple targets. Template placeholders like {CURRENT_DATE} and {RECIPIENT_DOMAIN_NAME} are standard merge fields in mass-mailing frameworks. When the merge engine populates them correctly, each recipient sees a personalized date and their own organization's name, which makes the SharePoint notification look authentic. When it fails, the raw variable names appear, exposing the machinery.
The sending domain sixcentpress[.]com was registered at DreamHost in 2004 with a recent WHOIS update. Registrant details are privacy-protected. The domain was configured to authorize SendGrid for delivery: SPF passed for the sending IP, DKIM was signed with d=sixcentpress[.]com, and DMARC passed with composite authentication confirmed.
The return-path (bounces+3963409-6ce3-[recipient-encoded]@em3237.sixcentpress[.]com) follows SendGrid's standard bounce-handling format, encoding the recipient address in the local part. This is how SendGrid tracks delivery per-recipient, but it also means the return-path leaks information about the target.
The message loaded images from mixed third-party domains (social media icons for platforms like Facebook and Twitter), which is common in bulk marketing templates repurposed for phishing. The visual design mimicked Microsoft SharePoint notifications, complete with the "View page" button styled to match Microsoft's UI patterns.
The unreplaced placeholders are a forensic gift. They confirm this is a template-driven mass campaign, not a targeted spearphishing operation. They also reveal the intended personalization strategy: the kit was designed to insert the current date and the target organization's domain into the email body, which would have made the SharePoint notification appear specific to the recipient's company. The merge failure turned a potentially convincing impersonation into an obvious fake.
The click-tracking URLs are the primary attack vector. The url9106.sixcentpress[.]com/ls/click?... redirect chain ultimately lands on hightechconstructinc[.]com, where automated page analysis returned a "partial" verdict. This intermediate redirect is the reason URL scanners that only evaluate the initial domain often miss the threat: sixcentpress[.]com is not on most blocklists, and the final destination only resolves after following the redirect.
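The hop-by-hop tracing the paragraph describes, as an added example (not code from the original post or from IRONSCALES): each hop is fetched without following redirects, every domain in the chain is judged, and the HTTP layer is replaced by a constructed hop map so it runs offline; the domains are the page's indicators, the query string is a placeholder.

```python
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the HTTP layer: URL -> (status, Location header).
# A real tracer would issue one request per hop with redirects disabled.
HOPS = {
    "https://url9106.sixcentpress.com/ls/click?upn=PLACEHOLDER":
        (302, "https://hightechconstructinc.com/index.php"),
    "https://hightechconstructinc.com/index.php": (200, None),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch_hop(url):
    """Return (status, location) for one hop; unknown URLs act like 404."""
    return HOPS.get(url, (404, None))


def trace_chain(url, fetch=fetch_hop, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    else:
        raise ValueError("redirect loop or chain longer than max_hops")
    return chain


def chain_domains(chain):
    return [urlparse(u).hostname for u in chain]


def verdict(chain, blocklist):
    """Judge the whole chain, not just hop 0: a blocklisted final hop is
    malicious; a chain that changes domain is at least suspicious."""
    domains = chain_domains(chain)
    if any(d in blocklist for d in domains):
        return "malicious"
    return "suspicious" if len(set(domains)) > 1 else "clean"
```

Calling `verdict` on only the first hop returns "clean" for this chain, which is exactly the blind spot a first-domain-only scanner has.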
MITRE ATT&CK Mapping
- Phishing: Spearphishing Link (T1566.002): The email contains a "View page" CTA that redirects through click-tracking infrastructure to a credential-harvesting landing page.
- Impersonation (T1656): The message impersonates Microsoft SharePoint notifications using branded visual elements while originating from an unaffiliated domain.
How Adaptive AI Catches Broken Campaigns
A traditional SEG sees valid SPF, DKIM, and DMARC results and makes a binary pass/fail decision. The template placeholders, the domain-brand mismatch, and the redirect chain all require contextual analysis that goes beyond authentication.
Themis, the IRONSCALES Adaptive AI, evaluates the relationship between the sending domain and the impersonated brand, detects template artifacts in message bodies, and traces redirect chains through intermediary domains. When the sending domain has no historical association with Microsoft but the visual content mimics SharePoint, the mismatch becomes a high-confidence signal.
The IRONSCALES community-driven threat intelligence network compounds this signal. When multiple organizations report similar SharePoint impersonation patterns from the same sending infrastructure, the collective data accelerates blocking for all protected mailboxes. Research shows that 67.5 phishing emails per 100 mailboxes per month bypass traditional secure email gateways, and brand-impersonation campaigns like this one account for a significant share.
Hardening Recommendations
- Inspect template artifacts. Unreplaced merge variables in an email body are a definitive indicator of a mass phishing campaign. Train SOC analysts to recognize common placeholder patterns.
- Trace redirect chains. Do not evaluate URLs at face value. Follow click-tracking redirects to their final destination before making a verdict.
- Correlate sending domain to claimed brand. Any email impersonating Microsoft that originates from a non-Microsoft domain warrants immediate escalation, regardless of authentication results.
- Block or flag SendGrid click-tracking from unknown senders. If your organization does not have a business relationship with the sending domain, SendGrid tracking URLs from that domain should be treated as suspicious.
- Report and share. Submitting these campaigns to community-driven threat intelligence platforms ensures that other organizations benefit from early detection.
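The first, third and fourth recommendations as one triage routine, added here as an example (not IRONSCALES code): it parses a constructed message modelled on the campaign's headers, flags unreplaced merge variables, brand wording that does not match the sending domain, and click-tracking links from a sender not on the organization's known-sender list. The brand-to-domain table and the known-sender list are assumptions to be tuned locally.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the real email); query string is a placeholder.
RAW = """From: SharePoint <noreply@sixcentpress.com>
Return-Path: <bounces+3963409-6ce3-user=example.com@em3237.sixcentpress.com>
Subject: A page was shared with you
Content-Type: text/html

<p>{CURRENT_DATE}</p>
<p>A colleague at {RECIPIENT_DOMAIN_NAME} shared a SharePoint page with you.</p>
<a href="https://url9106.sixcentpress.com/ls/click?upn=PLACEHOLDER">View page</a>
"""

PLACEHOLDER = re.compile(r"\{[A-Z][A-Z0-9_]{2,}\}")        # {CURRENT_DATE}, etc.
TRACKING = re.compile(r"https?://[^\s\"'<>]+/ls/click\?[^\s\"'<>]*")  # SendGrid style
BRAND_DOMAINS = {  # assumed mapping: brand keyword -> domains allowed to use it
    "sharepoint": ("microsoft.com", "sharepointonline.com"),
    "microsoft": ("microsoft.com",),
}


def domain_matches(domain, allowed):
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def triage(raw, known_senders=frozenset()):
    """Return a list of findings; an empty list means nothing here fired."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    findings = []
    placeholders = sorted(set(PLACEHOLDER.findall(body)))
    if placeholders:
        findings.append("unreplaced merge variables: " + ", ".join(placeholders))
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in text and not domain_matches(sender_domain, allowed):
            findings.append(f"{brand} branding sent from unaffiliated domain {sender_domain}")
    links = TRACKING.findall(body)
    if links and sender_domain not in known_senders:
        findings.append(f"click-tracking link from unknown sender: {links[0]}")
    return findings
```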
Indicators of Compromise
| Indicator | Type | Context |
|---|---|---|
| sixcentpress[.]com | Domain | Sending domain, DreamHost registration, privacy-protected |
| 149.72.120[.]62 | IP | SendGrid sending IP |
| url9106.sixcentpress[.]com | Domain | SendGrid click-tracking redirect domain |
| hightechconstructinc[.]com | Domain | Final landing page destination |
| em3237.sixcentpress[.]com | Domain | SendGrid bounce-handling subdomain |
| noreply@sixcentpress[.]com | Email address | Sender address |