A large-scale phishing operation has reached thousands of organisations worldwide, with researchers reporting that more than 6,000 entities were targeted in just two weeks. The campaign copied the appearance of popular digital document platforms to trick users into clicking malicious links that stole login credentials.
Researchers at Check Point Research said the phishing emails were designed to look like genuine alerts from services such as SharePoint and DocuSign. The messages used familiar layouts, subject lines, and logos to appear routine, making them difficult to spot as fraudulent. These platforms are commonly used across banking, insurance, real estate, consulting, and other industries that depend on document sharing and signing.
The investigation found more than 40,000 phishing messages across the U.S., Europe, Canada, Asia, Australia, and the Middle East. Most targets were in consulting, tech, and real estate, but the attacks also reached healthcare, energy, education, and government sectors. These industries frequently exchange documents, which made the deception more convincing.
A major tactic behind the attack was redirect cloaking. The phishing links were routed through Mimecast’s URL rewriting service, which is typically used to protect users from harmful sites. Attackers misused this feature to make their links appear safe. Because Mimecast is a well-known cybersecurity platform, the rewritten links did not easily raise suspicion among email systems or recipients.
Another version of the attack impersonated DocuSign notifications using a different method. In this variation, the attackers used the infrastructure of Bitdefender and Intercom to wrap their phishing links and hide the true destination. Both techniques were designed to direct users to fake pages where they would unknowingly enter sensitive information.
The phishing emails were visually convincing. Some used display names such as “X via SharePoint (Online)” or “eSignDoc via Y,” while others used generic names like “SharePoint.” The embedded buttons and headers matched real platforms closely, increasing the chance that busy employees would click without caution.
Mimecast responded to the findings and stated that no technical flaw in its systems was exploited. The attackers only used its redirect feature to cover malicious URLs. The company said its systems continue to scan and block harmful links at delivery and at the moment a user clicks. It also pointed to an in-depth analysis of similar phishing tactics available on its platform.
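The two traits described above, a display name that borrows a document platform's brand and a link hidden behind a trusted rewriting service, can be checked together at triage time. The following is an added example, not code from Check Point Research or any vendor named here; the brand-to-domain map, the wrapper host list (placeholder `.example` names) and the sample messages are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: sender domains accepted as legitimate for each brand label.
BRAND_DOMAINS = {
    "sharepoint": {"sharepoint.com", "sharepointonline.com", "microsoft.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "esigndoc": set(),  # lookalike label quoted in the article; never legitimate
}
# Assumption: placeholder hosts standing in for URL rewriting/redirect services.
WRAPPER_DOMAINS = {"rewrite.example", "links.example"}

def registrable(host):
    """Naive last-two-labels domain (no public suffix list, by assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess(from_header, urls, wrappers=WRAPPER_DOMAINS):
    display, addr = parseaddr(from_header)
    sender = registrable(addr.rpartition("@")[2])
    # Brand named in the display name while the sending domain is unrelated.
    spoofed = [b for b, ok in BRAND_DOMAINS.items()
               if re.search(rf"\b{b}\b", display, re.I) and sender not in ok]
    # Links whose visible host is a rewriter, so the real destination is hidden.
    wrapped = [u for u in urls
               if registrable(urlsplit(u).hostname or "") in wrappers]
    # A wrapped link alone is normal where rewriting is deployed; it only
    # escalates a message that already impersonates a brand.
    level = "high" if spoofed and wrapped else "review" if spoofed else "none"
    return {"level": level, "spoofed_brands": spoofed, "wrapped_links": wrapped}

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    ('"Dana via SharePoint (Online)" <notify@mail-alerts.example>',
     ["https://click.rewrite.example/s/AbC123"]),
    ('"eSignDoc via Acme" <docs@acme-sign.example>',
     ["https://portal.acme-sign.example/view"]),
    ('"DocuSign" <dse@docusign.net>', ["https://rewrite.example/s/xyz"]),
]

if __name__ == "__main__":
    for hdr, links in SAMPLES:
        print(hdr, "->", assess(hdr, links))
```

The rewriter's reputation says nothing about where the link finally lands, so the verdict rests on the sender mismatch and treats the wrapped link as a reason to resolve the destination before trusting it.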