SharePoint File Sharing Abuse with CAPTCHA Evasion
17 October 2025
By Mimecast Threat Research Team
- Threat actors exploiting SharePoint file sharing services for credential harvesting
- Multi-stage attack chain using compromised accounts and sophisticated evasion techniques
- Campaigns require Ctrl+Click interaction to bypass automated security analysis
- Fake Cloudflare CAPTCHA verification preceding Microsoft 365 credential theft
- Final payload hosted on workers.dev infrastructure
Campaign Overview
The Mimecast Threat Research team has identified an active credential harvesting campaign that abuses Microsoft SharePoint file sharing functionality to deliver phishing attacks. The attack begins with emails originating from compromised Microsoft 365 accounts, lending immediate credibility to the malicious messages. Recipients receive what appears to be legitimate SharePoint document sharing notifications, often from known contacts within their organization or business network. This social engineering approach significantly increases the likelihood of user engagement.
What sets this campaign apart is its implementation of a novel evasion technique requiring users to hold the Ctrl key while clicking the "VIEW DOCUMENT" button. This seemingly innocuous instruction prevents automated security tools from following the attack chain. The requirement appears as "PLEASE HOLD CTRL BUTTON ON YOUR KEYBOARD AND CLICK VIEW DOCUMENT TO ACCESS," mimicking common browser security features.
Following the initial SharePoint interaction, users are redirected through a carefully orchestrated attack sequence. The next stage presents a fake Cloudflare CAPTCHA verification page displaying "One more step before you proceed..." with a "Verify you are human" checkbox.
This technique mirrors sophisticated CAPTCHA-based phishing approaches documented in previous threat research, where attackers leverage users' familiarity with legitimate verification processes to maintain credibility. The final stage delivers users to a convincing Microsoft 365 credential harvesting page hosted on Cloudflare Workers infrastructure using the workers.dev domain.
The page closely mimics legitimate Microsoft authentication interfaces, complete with proper branding and familiar sign-in prompts. Once credentials are entered, the information is immediately exfiltrated to attacker-controlled infrastructure. This campaign represents an evolution in file sharing service abuse, combining multiple evasion techniques that have proven effective in recent threat operations. The use of compromised accounts for initial distribution, combined with sophisticated redirect chains and fake verification steps, creates a highly convincing attack vector that can bypass both technical controls and user awareness.
Mimecast Protection
Mimecast has implemented detection capabilities to identify SharePoint-based phishing campaigns.
Targets: predominantly UK and AU organisations in the legal and real estate industries
Indicators of Compromise (IOCs)
Malicious Redirect URLs:
- Dc30a73e.5f93bf50338cd44ab291cddf[.]workers[.]dev
- Fd8b81ca.a61092f8bcd7e61d9ee47a62[.]workers[.]dev
- 608ebb5a.4cef7aca337e6933f8cce00e[.]workers[.]dev/
- 4b2acec0.e1043c97f7f849c0610ee661[.]workers[.]dev/
- 2a20d8a4.790295142856360d9b270379[.]workers[.]dev/
Recommendations
User Security Awareness Training
- Educate users about SharePoint sharing abuse and unusual access requirements
- Train staff to recognize fake CAPTCHA verification pages, particularly those requesting human verification before accessing shared documents
- Conduct phishing simulations that include SharePoint document sharing scenarios with multi-step verification processes
Threat Hunting
- Search email receipt logs and URL logs for technical indicators associated with these campaigns
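The following Python script is an added example of the hunt described above and of a check for the Ctrl+click lure text described in the campaign overview; it is not Mimecast's code or tooling. It refangs the five workers.dev indicators published in this post, matches them as exact hostnames against constructed URL-log lines, and additionally flags any other host that follows the same 8-hex.24-hex.workers.dev shape. That generalised pattern is an assumption drawn from the published indicators, so hits on it are leads to triage rather than confirmed IOCs. The log line format (timestamp, user, URL) and all sample data are constructed for the example.

```python
"""Hunt URL logs for the workers.dev indicators from this post and check
email bodies for the Ctrl+click lure. Added example, not Mimecast code."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators of compromise exactly as published in the post (defanged).
PUBLISHED_IOCS = [
    "Dc30a73e.5f93bf50338cd44ab291cddf[.]workers[.]dev",
    "Fd8b81ca.a61092f8bcd7e61d9ee47a62[.]workers[.]dev",
    "608ebb5a.4cef7aca337e6933f8cce00e[.]workers[.]dev/",
    "4b2acec0.e1043c97f7f849c0610ee661[.]workers[.]dev/",
    "2a20d8a4.790295142856360d9b270379[.]workers[.]dev/",
]

# ASSUMPTION: the published hosts share the shape <8 hex>.<24 hex>.workers.dev.
# Matching on that shape yields leads for triage, not confirmed indicators.
WORKERS_PATTERN = re.compile(r"^[0-9a-f]{8}\.[0-9a-f]{24}\.workers\.dev$")

# Lure text from the phishing email, normalised to lower case and single spaces.
LURE_PATTERN = re.compile(r"hold ctrl button on your keyboard and click view document")


def refang(ioc: str) -> str:
    """Turn a defanged host like 'A[.]b[.]dev/' into a lowercase hostname."""
    return ioc.replace("[.]", ".").rstrip("/").lower()


KNOWN_HOSTS = {refang(i) for i in PUBLISHED_IOCS}


def classify_url(url: str) -> Optional[str]:
    """'ioc' for an exact published host, 'pattern' for a lookalike, else None."""
    host = (urlsplit(url).hostname or "").lower()
    if host in KNOWN_HOSTS:
        return "ioc"
    if WORKERS_PATTERN.match(host):
        return "pattern"
    return None


def hunt(log_lines):
    """Scan constructed URL-log lines ('<timestamp> <user> <url>') and return hits."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        ts, user, url = parts
        verdict = classify_url(url)
        if verdict:
            hits.append({"time": ts, "user": user, "url": url, "match": verdict})
    return hits


def has_ctrl_click_lure(body: str) -> bool:
    """True if an email body carries the Ctrl+click instruction used by this campaign."""
    normalised = re.sub(r"\s+", " ", body).lower()
    return LURE_PATTERN.search(normalised) is not None


# Constructed sample URL-log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-10-16T09:12:03Z alice https://contoso.sharepoint.com/:b:/s/finance/doc.pdf",
    "2025-10-16T09:12:41Z alice https://dc30a73e.5f93bf50338cd44ab291cddf.workers.dev/?id=1",
    "2025-10-16T10:02:17Z bob https://0badf00d.0123456789abcdef01234567.workers.dev/login",
    "2025-10-16T10:05:00Z carol https://example.workers.dev/",
]

# Constructed sample email body (not a real message).
SAMPLE_BODY = """A document has been shared with you.
PLEASE HOLD   CTRL BUTTON ON YOUR
KEYBOARD AND CLICK VIEW DOCUMENT TO ACCESS"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
    print("lure present:", has_ctrl_click_lure(SAMPLE_BODY))
```

Exact-host matches should be treated as confirmed contact with the campaign infrastructure; pattern matches warrant a look at the rest of that user's session (the preceding SharePoint link and any fake CAPTCHA page) before being escalated.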