Cyna
Cybersecurity news · 1 min read

Advanced phishing: how a stealth attack hijacks Microsoft SharePoint and Cloudflare

An advanced phishing campaign detected by our team

This quarter, our analysts identified a highly targeted phishing operation leveraging Microsoft SharePoint and Cloudflare Workers to spread silently across organisations.

Why this attack is a real concern

  • Exploitation of inter-company trust: an initially compromised account is used to target its professional contacts.
  • No classic phishing indicators: attackers use genuine Microsoft file shares to establish trust. The malicious content is hosted on the SharePoint of a compromised organisation.
  • Precise targeting: only corporate domains were targeted, with a focus on senior executives and accounts with high privileges.
  • Subversion of Microsoft controls: the malicious link redirects to a Cloudflare Worker that dynamically loads a Microsoft authentication page hosted on a compromised WordPress site, creating a near-transparent phishing flow.

Diagram of the phishing campaign abusing Microsoft SharePoint and Cloudflare Workers

Silent, resilient and hard to detect

The campaign uses a layered infrastructure that obscures the attackers’ command and control. This approach allows the threat actors to:

  • Evade EDR and reputation-based network filters.
  • Propagate quietly across organisations via SharePoint and OneDrive sharing.
  • Thwart automated scanning and simple detection heuristics.
  • Capture credentials and session tokens in real time.

A level of sophistication consistent with organised groups

Observed TTPs suggest experienced threat groups or phishing-as-a-service operators. Notable techniques include:

  • Adversary-in-the-Middle (AiTM) credential capture.
  • HTML smuggling to deliver payloads or credential harvesters without easy detection.
  • Use of bulletproof hosting and compromised CMS instances to host credential collection pages.

Taken together, these elements indicate a step change in the complexity of targeted phishing aimed at businesses.

Immediate recommendations for MSPs and security teams

  • Monitor any suspicious external sharing of documents on SharePoint or OneDrive, even if it comes from trusted contacts.
  • Block access to Cloudflare Workers domains that are not actively used within your organisation.
  • Train users to detect early warning signs such as unusual Microsoft pages or inconsistent URLs.
  • Reset passwords, multi-factor authentication (MFA), and active sessions on any account showing signs of compromise.
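
As an added example (not code from the original article), the following Python triages constructed Microsoft 365 audit records against the first two recommendations: sharing events that grant access outside the tenant regardless of how trusted the sharing account is, and links whose host is a Cloudflare Workers domain not on an allowlist. The tenant domains, the Workers allowlist and the sample records are assumptions; the field names follow the unified audit log layout for SharePoint sharing events.

```python
from urllib.parse import urlparse

# Assumptions for this example: the tenant's own domains and the Workers
# hostnames it legitimately uses (both would come from your own inventory).
INTERNAL_DOMAINS = {"example-corp.com"}
ALLOWED_WORKERS_HOSTS = {"intranet-proxy.example-corp.workers.dev"}

# SharePoint/OneDrive sharing operations as named in the unified audit log.
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated",
               "SecureLinkCreated", "AddedToSecureLink"}

def is_external_target(record):
    """True when the share grants access outside the tenant: a guest or
    anonymous target, or an account whose domain is not one of ours."""
    if record.get("TargetUserOrGroupType") in {"Guest", "Anonymous"}:
        return True
    target = record.get("TargetUserOrGroupName") or ""
    return "@" in target and target.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS

def flag_external_sharing(records):
    """Return (actor, object, target) for each sharing event that reaches
    outside the tenant; the actor's trust level is deliberately ignored,
    since the campaign above shares from compromised trusted accounts."""
    return [(r["UserId"], r["ObjectId"], r.get("TargetUserOrGroupName", "<anonymous>"))
            for r in records
            if r.get("Operation") in SHARING_OPS and is_external_target(r)]

def is_unapproved_worker(url):
    """True for a link whose host is a Cloudflare Workers domain not on the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(".workers.dev") and host not in ALLOWED_WORKERS_HOSTS

# Constructed sample records (not real telemetry) in the audit-log field layout.
SAMPLE_RECORDS = [
    {"Operation": "SharingInvitationCreated", "UserId": "cfo@example-corp.com",
     "ObjectId": "https://example-corp.sharepoint.com/sites/finance/Q3.pdf",
     "TargetUserOrGroupName": "ceo@partner-firm.example", "TargetUserOrGroupType": "Guest"},
    {"Operation": "SharingSet", "UserId": "alice@example-corp.com",
     "ObjectId": "https://example-corp.sharepoint.com/sites/hr/policy.docx",
     "TargetUserOrGroupName": "bob@example-corp.com", "TargetUserOrGroupType": "Member"},
    {"Operation": "AnonymousLinkCreated", "UserId": "cfo@example-corp.com",
     "ObjectId": "https://example-corp-my.sharepoint.com/personal/cfo/invoice.pdf",
     "TargetUserOrGroupType": "Anonymous"},
]

if __name__ == "__main__":
    for actor, obj, target in flag_external_sharing(SAMPLE_RECORDS):
        print(f"external share by {actor}: {obj} -> {target}")
    print(is_unapproved_worker("https://login-check.abc123.workers.dev/auth"))  # True
```

Only the two shares that leave the tenant are reported; the internal share between two members is not.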