
Rise in Phishing Activity Using Spoofed SharePoint Domains With Sneaky2FA Techniques
The digital landscape is a constant battleground, and even the most familiar tools can become weapons in the hands of malicious actors. A significant escalation in phishing activity has been observed, leveraging spoofed Microsoft SharePoint domains to ensnare corporate users with a sophisticated blend of social engineering and technical evasion. This surge, particularly evident between March and July 2025, highlights a worrying trend in advanced phishing tactics, including the deployment of “Sneaky2FA” techniques.
The Evolution of SharePoint Phishing Campaigns
While phishing attempts mimicking Microsoft SharePoint notifications are not new, the recent wave distinguishes itself through a marked increase in both volume and sophistication. Threat actors are no longer relying on easily detectable misspellings or glaring grammatical errors. Instead, they are meticulously crafting campaigns that bypass conventional security measures, presenting a significant challenge for organizational cybersecurity defenses.
Anatomy of a Sophisticated SharePoint Phish
These new campaigns demonstrate a higher level of technical prowess and deception. Key elements include:
- Look-Alike Domain Registration: Cybercriminals are registering highly convincing look-alike domains. Examples observed include “sharepoint-online-docs-secure[.]co” and “files-share-portal-m365[.]io.” These domains are designed to appear legitimate at first glance, mimicking official Microsoft URLs to instill a false sense of trust.
- Email Authentication Bypass: A critical differentiator of these attacks is their ability to embed these spoofed domains within emails that successfully pass Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks. This allows the phishing emails to bypass standard email gateway filters, landing directly in user inboxes and appearing as legitimate communications from a trusted source.
- Convincing Lure Tactics: The emails themselves are well-crafted, often mimicking notifications about shared documents, collaboration requests, or urgent file updates within SharePoint. This taps into the daily workflow of corporate users, increasing the likelihood of interaction.
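The two points above combine into one detection problem: an email whose sending domain genuinely passes SPF and DKIM can still carry links to a look-alike host, because those checks vouch for the sender, not for the link destinations. The following Python script is an added example, not code from the original article or from any vendor: it reads a constructed SharePoint-style lure, records whether the gateway marked it spf=pass/dkim=pass, and independently scores every link host for Microsoft brand terms on non-Microsoft domains. The keyword list, trusted-suffix list, filler words and thresholds are assumptions for illustration; the same scoring function is what you would run over a Certificate Transparency or DNS feed when hunting for newly registered look-alikes.

```python
import re
from email import message_from_string
from email.message import Message

# Brand terms that legitimately appear only on Microsoft-controlled hosts
# (keyword list is an assumption for this example).
BRAND_KEYWORDS = ("sharepoint", "onedrive", "m365", "office365", "microsoft")

# Registrable domains treated as trusted. Assumption: a real deployment derives
# this from its own tenant configuration and the public suffix list.
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoft.com", "office.com",
                    "microsoftonline.com", "onedrive.com", "live.com")

# Filler words commonly stuffed into look-alike names (assumed list).
FILLER_WORDS = ("secure", "docs", "files", "portal", "login", "verify")

URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)


def is_trusted(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)


def lookalike_score(host: str) -> int:
    """Score > 0 means the host borrows Microsoft brand terms without being a
    Microsoft-controlled domain: 2 points per brand term, +1 for a hyphenated
    registrable name, +1 per filler word. Brand-free hosts always score 0."""
    if is_trusted(host):
        return 0
    h = host.lower()
    score = sum(2 for kw in BRAND_KEYWORDS if kw in h)
    if score == 0:
        return 0
    registrable = ".".join(h.split(".")[-2:])  # naive; use a PSL in production
    if "-" in registrable:
        score += 1
    score += sum(1 for w in FILLER_WORDS if w in h)
    return score


def auth_results_pass(msg: Message) -> bool:
    """True when the gateway recorded spf=pass and dkim=pass for the sender."""
    ar = msg.get("Authentication-Results", "").lower()
    return "spf=pass" in ar and "dkim=pass" in ar


def analyze(raw_email: str, threshold: int = 3) -> dict:
    """Pair the authentication verdict with a look-alike check on each link host.
    The two are independent: SPF/DKIM vouch for the sending domain, not for
    where the links in the body point."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = sorted(set(URL_RE.findall(body)))
    flagged = {h: lookalike_score(h) for h in hosts if lookalike_score(h) >= threshold}
    return {
        "auth_pass": auth_results_pass(msg),
        "sender": msg.get("From", ""),
        "hosts": hosts,
        "flagged": flagged,
        "verdict": "suspicious" if flagged else "clean",
    }


# Constructed sample lure: a legitimately authenticated sender domain
# (example.net, reserved for documentation) carrying look-alike links.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=notify.example.net; dkim=pass header.d=example.net
From: "SharePoint Online" <no-reply@example.net>
To: user@example.com
Subject: Quarterly report has been shared with you
Content-Type: text/plain

A document has been shared with you.
Open: https://sharepoint-online-docs-secure.co/doc/4821
Manage sharing: https://files-share-portal-m365.io/settings
Help: https://support.microsoft.com/
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

On the sample, `auth_pass` is True and both look-alike hosts score 5 while the real support.microsoft.com host scores 0, which is exactly the gap the campaign exploits: a gateway that stops at the authentication result lets this message through. In production the substring match is a first pass; pair it with edit-distance checks against your tenant's real hostnames and a public suffix list so that hosts like tenant.sharepoint.com are never penalised.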
Understanding “Sneaky2FA” Techniques
The reference to “Sneaky2FA” in the context of these attacks is particularly concerning. While the specific mechanism isn’t detailed in the provided source, “Sneaky2FA” generally refers to techniques employed by attackers to circumvent or exploit weaknesses in multi-factor authentication (MFA) systems. This could involve:
- MFA Prompt Bombing: Repeatedly sending MFA push notifications to wear down the user, hoping they will eventually approve a fraudulent login attempt out of frustration.
- Session Hijacking: Stealing active session tokens after a legitimate login, often by tricking users into entering their credentials on a malicious site that then relays them to the authentic service, capturing the session cookie in the process.
- Adversary-in-the-Middle (AiTM) Attacks: Setting up a proxy between the user and the legitimate service. The user interacts with the attacker’s proxy, which then relays credentials and MFA codes to the real service, effectively bypassing MFA. This often involves phishing kit services that handle the real-time relay of credentials and MFA challenges.
- Social Engineering for MFA Codes: Directly asking users for their MFA codes under false pretenses (e.g., “to verify your account”), although this is becoming less common as users gain awareness.
The successful implementation of such techniques renders MFA, a cornerstone of modern cybersecurity, significantly less effective, making these phishing campaigns exceptionally dangerous.
Remediation Actions and Proactive Defenses
Organizations must adopt a multi-layered approach to defend against these sophisticated SharePoint phishing attacks. Merely relying on traditional email filters is no longer sufficient.
- Enhance Email Gateway Security: Implement advanced threat protection features that go beyond SPF/DKIM checks, including sandboxing for suspicious links, URL rewriting, and AI-driven anomaly detection for email content and sender behavior.
- User Awareness Training: Conduct frequent and realistic phishing simulations. Educate users on the evolving nature of phishing, emphasizing the dangers of clicking unfamiliar links, verifying sender legitimacy, and scrutinizing domain names for subtle variations. Train them to report suspicious emails immediately.
- Implement Stronger MFA Solutions: Where possible, migrate away from SMS-based MFA to app-based TOTP (Time-based One-Time Password) or hardware security keys (e.g., FIDO2), which are significantly more resistant to phishing and AiTM attacks.
- Strict Access Control and Least Privilege: Limit access to SharePoint resources based on the principle of least privilege. Implement conditional access policies that factor in user location, device health, and risk levels before granting access.
- Monitor DNS and Certificate Transparency Logs: Proactively monitor Certificate Transparency logs and DNS records for suspicious domain registrations that mimic your organization’s legitimate assets. Early detection allows for proactive blacklisting.
- Security Information and Event Management (SIEM) and Extended Detection and Response (XDR): Leverage SIEM and XDR solutions to correlate logs from email gateways, identity providers, and network traffic for early detection of anomalous login attempts or post-compromise activity.
- Web Application Firewall (WAF) and Anti-Bot Solutions: Deploy WAFs and anti-bot solutions to protect web applications and identity portals from credential stuffing and automated phishing kit activities.
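The SIEM/XDR item above and the AiTM description in the “Sneaky2FA” section describe the same detection opportunity: in an AiTM flow the proxy performs the interactive credential-plus-MFA sign-in, so the resulting session cookie is first used from the operator's own address rather than from the address that answered the MFA prompt. Because a relayed TOTP code satisfies MFA just as well as a typed one, this correlation matters even after moving off SMS. The script below is an added example, not part of the original article or of any SIEM product: it parses a constructed pipe-delimited sign-in log (the field layout and the sample users and RFC 5737 test addresses are assumptions) and flags sessions whose MFA-satisfied interactive sign-in is followed, within a short window, by non-interactive use from a different IP.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    session_id: str
    interactive: bool   # credential + MFA prompt, versus silent token/cookie use
    mfa_satisfied: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed 'ts | user | ip | session | kind | mfa' record."""
    ts, user, ip, sid, kind, mfa = (f.strip() for f in line.split("|"))
    return SignIn(datetime.fromisoformat(ts), user, ip, sid,
                  kind == "interactive", mfa == "mfa")


def find_aitm_candidates(events, window=timedelta(minutes=30)):
    """Return sessions where the MFA-satisfied interactive sign-in is followed,
    within `window`, by non-interactive use of the same session from another IP.
    The window trades coverage for noise: legitimate users who change networks
    hours later are not reported, a replayed cookie used minutes later is."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        seed = next((e for e in evs if e.interactive and e.mfa_satisfied), None)
        if seed is None:
            continue
        reuse_ips = sorted({
            e.ip for e in evs
            if not e.interactive and e.ip != seed.ip
            and seed.ts <= e.ts <= seed.ts + window
        })
        if reuse_ips:
            findings.append({"user": seed.user, "session_id": sid,
                             "mfa_ip": seed.ip, "reuse_ips": reuse_ips})
    return findings


# Constructed sample sign-in records (fictitious users, RFC 5737 test addresses).
# alice: cookie reused from a second address 4 minutes after MFA -> AiTM candidate
# bob:   same address throughout -> benign
# carol: different address, but hours later (roaming) -> outside the window
SAMPLE_LOG = """\
2025-06-03T09:14:02 | alice@example.com | 203.0.113.10 | sess-a1 | interactive     | mfa
2025-06-03T09:18:40 | alice@example.com | 198.51.100.7 | sess-a1 | non-interactive | none
2025-06-03T09:20:11 | bob@example.com   | 192.0.2.25   | sess-b7 | interactive     | mfa
2025-06-03T09:25:30 | bob@example.com   | 192.0.2.25   | sess-b7 | non-interactive | none
2025-06-03T10:02:00 | carol@example.com | 192.0.2.40   | sess-c3 | interactive     | mfa
2025-06-03T13:45:12 | carol@example.com | 198.51.100.9 | sess-c3 | non-interactive | none
"""


def analyze_log(text: str):
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return find_aitm_candidates(events)


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

Run on the sample, only alice's session is reported. A production rule would enrich both addresses with ASN and geolocation (an interactive MFA sign-in from a hosting provider's range is itself a strong signal) and feed the finding to a SOAR playbook that revokes the session and forces re-authentication, which is the rapid-response step the conditional access and SIEM items above depend on.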
Tool Name | Purpose
--- | ---
Proofpoint / Mimecast / Cofense | Advanced Email Security & Phishing Simulation
Microsoft Defender for Office 365 | Email & Collaboration Security
Okta / Duo Security | Strong Multi-Factor Authentication (MFA) Solutions
Splunk / Microsoft Sentinel | SIEM/SOAR for Threat Detection and Response
Conclusion
The sharp increase in sophisticated SharePoint phishing, particularly those incorporating “Sneaky2FA” elements, underscores a critical imperative for organizations. Relying solely on technical controls at the email gateway is no longer sufficient. A robust defense strategy against these evolving threats must integrate enhanced technical security measures with comprehensive, continuous user education. Proactive monitoring, rapid incident response capabilities, and a shift towards more phishing-resistant MFA methods are essential to protect corporate data and maintain operational integrity against increasingly cunning adversaries.