
Rise in Phishing Activity Using Spoofed SharePoint Domains With Sneaky2FA Techniques


Spoofed Microsoft SharePoint notifications have been a familiar lure for corporate users, but a wave of campaigns traced between March and July 2025 shows a sharp uptick in both volume and sophistication.

The operators register look-alike domains such as “sharepoint-online-docs-secure[.]co” and “files-share-portal-m365[.]io,” then embed them in convincing e-mails that pass SPF and DKIM checks, slipping past perimeter filters.

Once a recipient clicks, the chain quietly redirects through several disposable tracking hosts before presenting an almost pixel-perfect SharePoint login clone—complete with Microsoft Viva branding—to harvest credentials and session cookies.


Unlike earlier credential-harvesting kits, these pages immediately trigger a secondary prompt that mimics Microsoft’s push-based two-factor authentication (2FA). Victims are told that a “new sign-in attempt from Edge on Windows” needs approval.

If they comply, attackers intercept both password and one-time token in real time, allowing seamless access to SharePoint, Teams, and the wider M365 tenant.

Any.Run analysts identified the infrastructure after noticing identical JavaScript beacons calling back to cdn.alboompro[.]com/assets/js/auth2fa.js, a file hosted on Alboompro’s legitimate content-distribution network but abused through an unsecured upload endpoint.

These same analysts noted that the domains share a narrow registration window—often <24 hours before first use—suggesting automated orchestration.

DNS telemetry revealed that most domains resolve through bulletproof VPS providers in Eastern Europe, with a lifetime shorter than five days, hampering block-lists.

Fake PDF document (Source – Any.Run)

The decoy PDF shown above illustrates the beaconing sequence captured during sandbox detonation.

Infection Mechanism: Real-Time Proxying of MFA Tokens

At the heart of the campaign is a transparent reverse-proxy written in Node.js that relays all victim traffic to Microsoft’s legitimate login endpoint while siphoning tokens.

The proxy injects two scripts: one that captures the loginfmt and passwd POST parameters and another that hooks the verificationPayload during the 2FA step.

The code fragment below, recovered from a live server, highlights the crucial intercept:

proxy.on('response', (ctx, callback) => {
  // Credential step: the victim's login form POST is buffered on its way
  // to Microsoft; pull the username and password fields out of the body.
  if (ctx.clientToProxyRequest.url.includes('/login')) {
    const body = ctx.proxyToServerRequestBody.toString();
    const creds = body.match(/loginfmt=(.*?)&passwd=(.*?)&/);
    if (creds) save(creds[1], creds[2]); // exfiltrate credentials
  }
  // MFA step: the proof returned by Microsoft after the push approval is
  // read from the upstream response before it is relayed to the browser.
  if (ctx.clientToProxyRequest.url.includes('/SecondFactorAuth')) {
    const token = JSON.parse(ctx.proxyToServerResponseData).proof;
    saveMfaToken(token); // steal 2FA token
  }
  return callback(); // hand the untouched response on to the victim
});

Because the proxy maintains a live TLS session with Microsoft on the backend, every security header—including HSTS and Content-Security-Policy—appears intact to the browser, defeating most client-side anomaly scanners.

Furthermore, the script deletes its own deployment path after each session, leaving only ephemeral logs in memory, which vanish upon VPS re-imaging.

Early detection hinges on pattern-matching the SharePoint decoy URLs. A robust starter YARA rule released by Any.Run researchers flags the characteristic blend of /_layouts/15/start.aspx and the rogue 2FA script hash, providing SOC teams an immediate hunting handle.
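As an added example (not code from Any.Run or from the campaign itself), the following script applies the three URL-level signals the article describes, a look-alike hostname carrying Microsoft or SharePoint keywords outside Microsoft-owned zones, the /_layouts/15/start.aspx decoy path, and a domain registered only days before the URL was first seen, to a small batch of indicators. The hostnames come from the article; the registration dates, sighting timestamps and the two-label domain cut are constructed for the demo, not WHOIS output.

```javascript
// Added example: triage of candidate SharePoint-decoy URLs. Registration
// dates and sighting times below are constructed sample data.

const MICROSOFT_SUFFIXES = ['sharepoint.com', 'microsoft.com', 'microsoftonline.com', 'office.com', 'live.com'];
const LOOKALIKE_TOKENS = ['sharepoint', 'm365', 'office365', 'onedrive', 'microsoft', 'outlook'];
const DECOY_PATH = /^\/_layouts\/15\/start\.aspx$/i;
const MAX_DOMAIN_AGE_DAYS = 5; // article: most decoy domains live under five days

// Accept defanged indicators as they appear in reports ("hxxps://x[.]co").
function refang(url) {
  return url.replace(/\[\.\]/g, '.').replace(/^hxxp/i, 'http');
}

function isMicrosoftHost(host) {
  return MICROSOFT_SUFFIXES.some(s => host === s || host.endsWith('.' + s));
}

function registrableDomain(host) {
  // Naive two-label cut; a real deployment would consult the public suffix list.
  return host.split('.').slice(-2).join('.');
}

function domainAgeDays(host, registrations, seenAt) {
  const registered = registrations.get(registrableDomain(host));
  if (!registered) return null; // unknown registration date: do not score it
  return (Date.parse(seenAt) - Date.parse(registered)) / 86400000;
}

function triageUrl(rawUrl, registrations, seenAt) {
  const u = new URL(refang(rawUrl));
  const host = u.hostname.toLowerCase();
  const reasons = [];
  if (!isMicrosoftHost(host)) {
    // Split on dots and hyphens so "sharepoint-online-docs-secure.co" exposes "sharepoint".
    const labels = host.split(/[.-]/);
    if (LOOKALIKE_TOKENS.some(t => labels.includes(t))) reasons.push('lookalike-keyword');
    if (DECOY_PATH.test(u.pathname)) reasons.push('decoy-path');
    const age = domainAgeDays(host, registrations, seenAt);
    if (age !== null && age < MAX_DOMAIN_AGE_DAYS) reasons.push('young-domain');
  }
  return { url: u.href, score: reasons.length, reasons };
}

// Constructed sample data: registrable domain -> registration date (ISO, UTC).
const SAMPLE_REGISTRATIONS = new Map([
  ['sharepoint-online-docs-secure.co', '2025-05-12'],
  ['files-share-portal-m365.io', '2025-06-01'],
]);

// Constructed sightings: the first two hostnames are the article's look-alikes.
const SAMPLE_URLS = [
  { url: 'hxxps://sharepoint-online-docs-secure[.]co/_layouts/15/start.aspx', seenAt: '2025-05-12T14:00:00Z' },
  { url: 'https://files-share-portal-m365[.]io/sites/finance/Invoice.pdf', seenAt: '2025-06-10T09:00:00Z' },
  { url: 'https://contoso.sharepoint.com/_layouts/15/start.aspx', seenAt: '2025-06-10T09:00:00Z' },
];

function triageSamples() {
  return SAMPLE_URLS.map(s => triageUrl(s.url, SAMPLE_REGISTRATIONS, s.seenAt));
}

console.log(triageSamples());
```

The third sample shows why the Microsoft-suffix check comes first: the decoy path is a legitimate SharePoint route, so it only counts against hosts that are not Microsoft's. A domain whose registration date is unknown is left unscored rather than treated as young, to keep the heuristic from flagging every unenriched indicator.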

Until relying parties move users to phishing-resistant, origin-bound credentials (FIDO2/WebAuthn passkeys, which cannot be relayed through a proxy on a different domain) and identity providers apply session controls such as Continuous Access Evaluation, organizations must combine domain-age filtering with user-reported MFA-fatigue indicators to reduce exposure to this fast-moving threat.
