
Researchers at Check Point, a pioneer and global leader in cybersecurity solutions, have discovered a phishing campaign in which attackers pose as file-sharing and electronic signature services to send financially-themed lures disguised as legitimate notifications.
The hyperconnected world has made it easier than ever for businesses and consumers to exchange documents, approve transactions, and complete critical financial workflows with a simple click. Digital file sharing and electronic signature platforms, widely used in banking, real estate, insurance, and everyday business operations, have become essential to the rapid functioning of modern organizations. This convenience also creates an opportunity for cybercriminals.
In this campaign, Check Point Harmony Email telemetry data shows that over 40,000 phishing emails targeting approximately 6,100 companies have been sent in recent weeks.
All malicious links were routed through the address https://url.za.m.mimecastprotect.com, which increased users’ trust by imitating familiar redirect flows.
Because Mimecast Protect is a trusted domain, this technique helps malicious URLs evade both automatic filters and user suspicion. To enhance credibility, the emails copied the service’s official images (Microsoft and Office product logos), used service-style headers, footers, and “Review Document” buttons, and spoofed display names such as “X via SharePoint (Online),” “eSignDoc via Y,” and “SharePoint,” which closely mimicked authentic notification templates.
In addition to the large SharePoint/e-signing campaign, researchers also identified a smaller but related operation that mimics DocuSign notifications. Like the main attack, this one impersonates a trusted SaaS platform and leverages legitimate redirection infrastructure, but the technique used to disguise the malicious target is significantly different.
In the main campaign, the secondary redirect acts as an open redirect, leaving the final phishing URL visible in the query string despite being wrapped in trusted services. In the DocuSign-themed variant, the link passes through a Bitdefender GravityZone URL and then through Intercom’s click-tracking service, with the real landing page completely hidden behind a tokenized redirect. This approach completely hides the final URL, making the DocuSign variant even more elusive and difficult to detect.
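The difference between the two variants matters for mail filtering, and the following added example (not Check Point's or Mimecast's code) shows it from the defender's side: it reads nested query strings without making any network request and reports whether the final host is statically visible or hidden behind a token. The hosts, paths and parameter names are constructed placeholders, and the wrapper set is an assumption a deployment would fill in.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_HOPS = 5  # bound on nested wrappers followed statically

def embedded_url(url):
    """Return the first absolute http(s) URL carried in url's query string, or None."""
    for _, value in parse_qsl(urlsplit(url).query):
        for _ in range(3):  # wrappers may percent-encode the inner URL repeatedly
            if value.lower().startswith(("http://", "https://")):
                return value
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return None

def host_chain(url):
    """Hosts reachable by reading query strings only; no network requests."""
    chain = [urlsplit(url).hostname]
    for _ in range(MAX_HOPS):
        url = embedded_url(url)
        if url is None:
            break
        chain.append(urlsplit(url).hostname)
    return chain

def classify(url, wrappers):
    """Label a link 'direct', 'visible' (final host readable) or 'opaque' (token only)."""
    chain = host_chain(url)
    if chain[0] not in wrappers:
        return ("direct", chain[0])
    if chain[-1] in wrappers:
        return ("opaque", chain[-1])   # destination known only to the redirector
    return ("visible", chain[-1])      # reputation policy can be applied to this host

# Constructed samples; hosts, paths and parameter names are hypothetical.
WRAPPERS = {"rewrite.example", "tracker.example"}
OPEN_REDIRECT = ("https://rewrite.example/s/abc?url=https%3A%2F%2Fredirect.example"
                 "%2Fgo%3Fnext%3Dhttps%253A%252F%252Fphish.invalid%252Flogin")
TOKENIZED = "https://rewrite.example/s/abc?url=https%3A%2F%2Ftracker.example%2Fe%3Ft%3DZm9vYmFy"

if __name__ == "__main__":
    for link in (OPEN_REDIRECT, TOKENIZED):
        print(classify(link, WRAPPERS), host_chain(link))
```

An "opaque" result means static inspection cannot decide, so the link has to be resolved and scanned at click time or treated according to the sender's other signals.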
The campaign primarily targeted organizations in the United States (34,057), Europe (4,525), Canada (767), Asia (346), Australia (267), and the Middle East (256), focusing particularly on the consulting, technology, and construction/real estate sectors, with additional victims in the healthcare, financial services, manufacturing, media and marketing, transportation and logistics, energy, education, retail, hospitality and travel, and government sectors. These sectors are attractive targets because they regularly exchange contracts, invoices, and other transactional documents, which makes lures impersonating file-sharing and electronic signature services highly convincing and more likely to succeed.
Similar phishing campaigns have been reported in previous years, but what makes this attack unique is that it shows how easy it is for attackers to mimic trusted file-sharing services to trick users, and it highlights the need for ongoing awareness, especially when emails contain clickable links, suspicious sender details, or unusual content in the message body.
Organizations and individuals must also take proactive measures to reduce risk. Some ways to protect yourself include:
The attack campaign described by Check Point leveraged legitimate URL redirection services to hide malicious links, not a Mimecast vulnerability. The attackers abused trusted infrastructure, including Mimecast’s URL rewriting service, to disguise the true destination of the phishing URLs. This is a common tactic where criminals exploit any recognized domain to evade detection.
“Mimecast customers are not susceptible to this type of attack,” says a Mimecast representative. “Mimecast’s detection engines identify and block these attacks. Our URL scanning capabilities automatically detect and block malicious URLs before delivery, and our URL rewriting service inspects links on click, providing an additional layer of protection that catches threats even when they’re hidden behind legitimate redirect chains. We continue to enhance our protections against evolving phishing techniques. Customers can view our 2024 analysis of similar campaigns at https://www.mimecast.com/threat-intelligence-hub/phishing-campaigns-using-re-written-links/. We appreciate Check Point sharing their findings through responsible disclosure.”
