A phishing campaign impersonating digital document platforms has reached more than 6,000 organisations in just two weeks, according to researchers at Check Point Research (CPR).
This phishing campaign used emails that were prepared to look like legitimate notifications from services like SharePoint and DocuSign, tricking recipients into clicking links that led to credential theft pages.
File-sharing and e-signing tools are part of daily operations for industries like banking, insurance, real estate, and consulting. By copying the style and tone of trusted platforms, the phishing messages appeared routine enough to pass as real. The subject lines, formatting, and even logos matched what users might expect from a legitimate alert.
Check Point researchers tracked over 40,000 phishing messages across the U.S., Europe, Canada, Asia, Australia, and the Middle East. Most targets operated in consulting, tech, and real estate, but the campaign also reached into healthcare, energy, education, and government sectors. These industries rely heavily on document exchanges, making the bait especially believable.
One key tactic used in the attack was redirect cloaking. The phishing links were routed through Mimecast’s URL rewriting service, which is often used to protect users from harmful websites.
In this case, attackers abused the system to make their links look trustworthy. Since Mimecast is a known cybersecurity platform, the rewritten links were less likely to trigger alarms either from email filters or the people reading the messages.
Another variation mimicked DocuSign notifications using a different path. Instead of Mimecast, the attackers used Bitdefender and Intercom’s infrastructure to wrap their links, hiding the real destination more effectively. In both versions, the goal was the same lead the user to a page where they would unknowingly hand over login details or sensitive information.
The visual design of the phishing emails was sharp enough to fool many. Some messages came from fake display names like “X via SharePoint (Online)” or “eSignDoc via Y,” while others used generic names like “SharePoint.” Embedded buttons and headers mirrored real services. The sender banked on the idea that a busy employee would click before thinking twice.
Mimecast previously responded and also clarified for the latest campaign that no technical flaw in its systems was exploited. The attackers used its redirect feature to mask URLs but didn’t breach any security mechanisms.
Mimecast emphasised that its systems do scan and block malicious links both at delivery and when clicked. The company also referenced a more comprehensive analysis of similar phishing tactics available on its own platform.