SPF passed. DKIM passed. DMARC passed. The embedded SharePoint link scanned clean. The email template was a pixel-perfect Microsoft 365 sharing notification. Every automated signal said "safe."
A human analyst disagreed. The person named in the "From" field could not be verified as an actual employee of the sending firm. That single contextual anomaly was the only thing separating this message from a legitimate document share.
The email arrived at a global forensic consulting firm, targeting an employee by name. The subject line followed the standard Microsoft SharePoint sharing format, and the body was the exact template Microsoft generates when a user shares a OneDrive file.
The sending domain had been registered since 2006. WHOIS confirmed it belonged to a small Southeastern U.S. law firm. The M365 tenant matched the firm's domain, and DNS tied the SharePoint hostname to Microsoft infrastructure.
The sender IP ([2a01:111:f403:c101::7]) was a Microsoft outbound relay authorized by the firm's SPF record. DKIM verified against a valid signature for the tenant's onmicrosoft.com domain. DMARC returned bestguesspass with compauth=pass reason=109. Every relay in the delivery chain was a Microsoft datacenter host traversing protection.outlook.com. Nothing in the transport path raised a flag.
The SharePoint URL embedded in the email pointed to a personal OneDrive folder:
hxxps://[redacted-firm]-my[.]sharepoint[.]com/:o:/g/personal/[redacted]/[redacted]
Automated link scanners evaluated this URL twice. Both returned status: Clean and verdict: clean. The domain resolved to Microsoft SharePoint infrastructure. Hosting, DNS, TLS certificate: all legitimate.
This is the clean link problem. The URL itself is not malicious. The malicious content sits behind the link, gated by authentication or deployed after the scan window closes. Microsoft's 2024 Digital Defense Report confirms attackers increasingly exploit trusted cloud services as hosting infrastructure because automated scanners treat Microsoft-owned domains as safe.
The Verizon 2024 DBIR found phishing remains the top initial access vector, with credential harvesting as the dominant objective. SharePoint lures are effective because recipients use the platform daily for legitimate file sharing.
| Technique | ID | Application |
|---|---|---|
| Spearphishing Link | T1566.002 | SharePoint URL embedded in Microsoft sharing template delivered via email |
| Impersonation | T1656 | Sender identity claimed affiliation with a legitimate law firm. No public records confirmed the named individual as an employee |
| User Execution: Malicious Link | T1204.001 | "Open" button CTA designed to drive click-through to SharePoint-hosted content |
IRONSCALES Themis, the platform's adaptive AI engine, flagged the message at 65% confidence. Every technical signal was legitimate, so the AI could not push higher. The detection signal that mattered was contextual, not technical.
The named sender did not appear in any public records or professional listings tied to the law firm. The message carried a first-time sender flag with risk_level: high. A forensic consulting firm receiving an unsolicited document share from an unverifiable contact at a small law practice does not match normal business patterns.
A human analyst reviewed the case and manually classified it as phishing. The mailbox was quarantined within four days of delivery.
The FBI IC3 2024 report documented $2.9 billion in BEC losses, with law firm impersonation among recurring themes. The IBM Cost of a Data Breach 2024 report found phishing-initiated breaches averaged $4.88 million. When the infrastructure is clean, the human judgment layer is the last line of defense.
| Indicator | Type | Context |
|---|---|---|
| [redacted-firm]-my[.]sharepoint[.]com | Domain | SharePoint personal OneDrive hosting the shared document |
| [redacted-firm][.]onmicrosoft[.]com | Domain | DKIM signing domain for the sending tenant |
| [2a01:111:f403:c101::7] | IPv6 Address | Microsoft outbound relay, SPF-authorized sender IP |
| southcentralusr-notifyp[.]svc[.]ms | Domain | Microsoft tracking pixel endpoint embedded in message body |
| compauth=pass reason=109 | Auth Signal | Composite authentication pass via Microsoft's anti-spoofing framework |
| First-time sender, risk_level: high | Behavioral | No prior communication history with the recipient organization |
Legitimate cloud tenants provide perfect cover. Authentication passes because the infrastructure is genuinely authorized. Link scanners return clean because the hosting platform is trusted.
The defensive response is not "block Microsoft SharePoint." It is layered detection that combines automated signals with human judgment for the cases where automation reaches its limit. First-time sender analysis, identity verification, and business relationship matching caught this attack. None of those signals are available to a traditional secure email gateway.
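An added example of the layered triage this paragraph describes; it is not part of the original write-up and not IRONSCALES code. It parses a constructed Authentication-Results header modelled on the values quoted above, then weighs the contextual signals (first-time sender, unverifiable sender identity, personal OneDrive share link) that clean transport checks cannot express. The tenant name, share link, directory lookup flag and the two-anomaly threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed Authentication-Results header modelled on the values quoted in the case:
# SPF/DKIM pass, DMARC "bestguesspass" (no published policy), compauth=pass reason=109.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 2a01:111:f403:c101::7) smtp.mailfrom=example-firm.com; "
    "dkim=pass (signature was verified) header.d=example-firm.onmicrosoft.com; "
    "dmarc=bestguesspass action=none header.from=example-firm.com; "
    "compauth=pass reason=109"
)
# Constructed share link in the personal-OneDrive form shown above (hypothetical tenant).
SAMPLE_LINK = "https://example-firm-my.sharepoint.com/:o:/g/personal/jdoe_example-firm_com/EaBc123"

PERSONAL_ONEDRIVE = re.compile(r"https?://[\w-]+-my\.sharepoint\.com/:[a-z]:/g/personal/", re.I)

@dataclass
class Context:
    first_time_sender: bool      # no prior mail from this sender to the organization
    sender_in_directory: bool    # named person verifiable at the claimed organization (assumed lookup)
    links: tuple = ()

def parse_auth_results(header):
    """Map spf/dkim/dmarc/compauth to their result tokens, e.g. {'dmarc': 'bestguesspass'}."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header, re.I)}

def triage(auth_header, ctx):
    """Return (verdict, reasons). Transport failures short-circuit; otherwise the
    verdict is driven by contextual anomalies that clean infrastructure cannot hide."""
    auth = parse_auth_results(auth_header)
    if "fail" in auth.values():
        return "quarantine", ["transport authentication failed"]
    reasons = []
    if auth.get("dmarc") == "bestguesspass":
        reasons.append("dmarc=bestguesspass: From domain publishes no DMARC policy")
    if ctx.first_time_sender:
        reasons.append("first-time sender for this organization")
    if not ctx.sender_in_directory:
        reasons.append("named sender not verifiable at claimed organization")
    if any(PERSONAL_ONEDRIVE.search(u) for u in ctx.links):
        reasons.append("share link points to a personal OneDrive folder")
    contextual = [r for r in reasons if not r.startswith("dmarc=")]
    if len(contextual) >= 2:
        return "escalate", reasons   # hand to a human analyst despite clean signals
    return ("monitor" if reasons else "allow"), reasons

if __name__ == "__main__":
    print(triage(SAMPLE_AUTH_RESULTS, Context(True, False, (SAMPLE_LINK,))))
```

The "escalate" verdict is the point: every transport token is a pass, and only the contextual anomalies route the message to a person.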
CISA's advisory guidance emphasizes that organizations should not rely solely on authentication protocols as indicators of legitimacy. SPF, DKIM, and DMARC verify infrastructure, not intent. When the infrastructure is clean, intent is the only thing left to evaluate. That requires a human.