Trusted Sender, Real Risk: How a SharePoint Phishing Email Slipped Through This Morning

This morning a client received a SharePoint link from a legitimate contact, followed the login flow, and triggered a phishing-style compromise attempt. Here’s what happened, what we did, and why trusted-source attacks can still bypass basic email filtering.

Garry BloomGarry Bloom · Founder & Senior IT Manager
25 March 2026
5 min read
CyberSecurity
Microsoft365
SharePoint
SmallBusinessIT

This morning, one of our clients experienced a phishing attempt that’s becoming far more common and far more convincing.

The email didn’t come from a random address full of spelling mistakes or obvious red flags. It came from one of their own clients — a legitimate, trusted sender. That’s what made it dangerous.

At first glance, the message looked normal. It included a SharePoint link, which is something many businesses use every day for file sharing and collaboration. Because the sender was known and the request looked familiar, the user followed the link. From there, they were presented with another link, and the process escalated quickly.

The page then prompted the user through what appeared to be a standard Microsoft login flow. A Microsoft verification code was sent to the user’s email address, which made the whole interaction feel even more legitimate. To the end user, that can look like proof that the process is genuine. In reality, that extra step is often what gives attackers the opening they need. Once the user enters the code or completes the sign-in process on a fake or manipulated page, the attacker can capture credentials, session tokens, or use the approved login to attempt access immediately.

And then — bang.

That’s the moment where a normal business task turns into a potential account compromise.

After the incident was identified, we moved quickly. We signed the impacted user out of their Microsoft 365 sessions, reset the password, forced MFA re-registration, and reviewed the sign-in logs. Fortunately, in this case, there was no evidence of risky login activity or successful malicious access showing in the logs, which is the best outcome you can hope for in a situation like this.

We also contacted the original sender. They confirmed they were already aware of the issue and were taking action, which strongly suggests their environment or account had already been compromised and was being used as a trusted launch point for phishing emails.

This is exactly why modern phishing is so difficult to stop with basic email filtering alone.

A lot of business owners ask a fair question after incidents like this: “Why didn’t the system pick it up in the first place?”

The answer is simple, but uncomfortable. The message came from a legitimate source. It wasn’t a spoofed domain failing authentication checks. It wasn’t an obviously malicious attachment. It was sent from a real account that already had trust, reputation, and likely valid Microsoft infrastructure behind it. In other words, many traditional security controls see this as normal traffic until user behavior or deeper identity signals suggest otherwise.

That doesn’t mean security failed. It means email security on its own is no longer enough.

Today’s attacks often rely on trust hijacking rather than obvious malware. Attackers compromise one business account, then use that account to target partners, suppliers, and customers. That lets them bypass the first layer of skepticism because the email relationship already exists. The phishing page may also sit behind legitimate services or mimic genuine Microsoft workflows closely enough that users do not immediately spot the difference.

This is where layered identity security becomes critical.

If strong protections are in place around the login itself, the damage can often be stopped even after the user clicks. Conditional Access policies, impossible travel detection, risky sign-in detection, MFA strength requirements, session controls, token protection, and stricter controls on unmanaged devices can all help break the attack chain. In other words, even if the email gets through, the login attempt can still be challenged, blocked, or contained before access is gained.

That’s the real lesson from this morning.

Security today is not just about blocking bad emails. It’s about assuming that some malicious messages will get through — especially when they come from trusted businesses — and making sure your identity and access controls are strong enough to stop the next step.

For small and mid-sized businesses, that’s where the conversation needs to shift. The question is no longer, “How do we stop every phishing email?” The better question is, “If someone clicks, what stops the attacker from getting in?”

That single change in mindset is what separates basic protection from resilient protection.

If your team uses Microsoft 365, this is worth reviewing in your environment today:

  • Conditional Access policies

  • MFA method strength and re-registration controls

  • Sign-in risk and user risk policies

  • Session sign-out and token revocation capability

  • User phishing awareness training

  • Monitoring for suspicious SharePoint and file-sharing activity

  • Alerting for abnormal login behaviour

The good news is this incident appears to have been contained quickly, and the early checks showed no risky sign-ins. But it’s still a strong reminder that trusted channels can be abused, and “known sender” no longer means “safe sender.”

If this sounds like your current setup, I’m happy to help you tighten it up.

What’s more concerning in your view today — the phishing email itself, or how convincing the fake Microsoft login process has become?

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
25 March 2026
5 min read
CyberSecurity
Microsoft365
SharePoint
SmallBusinessIT

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
Why Reinstalling Windows Won’t Fix a Hijacked Account
CyberSecurity
ITSupportPerth

Why Reinstalling Windows Won’t Fix a Hijacked Account

System got hacked & reinstated Windows, but attackers stayed logged in. Learn why fresh installs don't fix hijacked accounts and the 6-step process to secure your accounts: sign out of all devices, reset passwords, and re-register

5 min read
6/4/2026