Spotting SharePoint Phishing

Watch Out for Document Requests!

Lately, we’ve seen a sharp rise in a very specific type of phishing. We’re talking about emails that look exactly like SharePoint or Microsoft 365 notifications. They can look pretty convincing because they often come from real accounts—though usually, those accounts have been hacked.

TL;DR – Feeling Doubtful? Check This First!

Did you get a notification about a shared document on SharePoint or OneDrive (like a payroll or HR file)? Ask yourself these questions before doing anything:

  • Am I expecting this document?
  • Does the sender actually match the content?
  • Is this normally shared via SharePoint, or should it be in a system like AFAS?

If you’re unsure:
Don't click any links, don't enter your password anywhere, and report the message to cert@utwente.nl.

What does a phishing email like this look like?

Take a look at this example:

At first glance, it seems okay—the subject line mentions a University of Twente document. But the devil is in the details. In these types of emails, you'll often see:

  • A CC to an external email address:
    In this case, it’s sent to a random address at correounivalle.edu.co.
  • A disclaimer at the bottom:
    It might say the email was generated through another organization's Microsoft 365 account (like "Universidad del Valle").

This is a massive red flag. If a message is about UT documents but comes from a different school or an unknown organization, stay far away.

How to recognize these phishing attempts?

1. Unexpected document requests

Out of the blue notifications that someone shared a file? Think for a second:

  • Did I expect this?
  • Do I know this person?
  • Does this file actually relate to my work or studies?

Note: A "payroll notice," invoice, or HR document without any context is almost always suspicious.

2. The sender and content don't match

Check if the sender makes sense.

  • Is a random student sharing an HR document?
  • Is an external account sharing internal files?
  • Does the name look familiar, but the email address is slightly "off"?

Remember: Even if the account is legit, it might be compromised.

3. Urgency or "Clickbait"

Attackers love to play on your emotions. They use urgent or curious subjects like "Payroll Notice," "Invoice," "Secure Document," or "Password Expiry" to get you to click without thinking.

4. A login page after clicking the link

If you click a link and immediately land on a login page, pay attention:

  • Have you looked closely at the URL?
  • Are you actually on a Microsoft or UT domain?
  • Did you have to log in again unexpectedly?

Phishing sites often look like the real Microsoft login page:
In the example above, the document is hosted on another university's environment, even though it claims to be a UT payroll file. That’s a clear sign it’s fake.
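The red flags from the example email and from this section (a CC to an external domain, a Microsoft 365 footer naming another organization, a document hosted outside our own tenant, a login page that is not on a Microsoft or UT domain, and lure wording in the subject) can be written down as a small triage script. The Python below is an example added to this page, not a tool from UT's CERT: the internal domain, the trusted login hosts, the expected tenant name and the sample notification are all assumptions or placeholders constructed for the example.

```python
"""Heuristic triage of a SharePoint/OneDrive "shared a document" notification.

Added example: flags the warning signs described on this page. The sample
message and all configuration values below are constructed/assumed.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumptions (not from the page): our own mail domain, the Microsoft login
# host we trust, and a PLACEHOLDER for our own SharePoint tenant name.
INTERNAL_DOMAINS = {"utwente.nl"}
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}
EXPECTED_TENANTS = {"ut-tenant-placeholder"}   # placeholder, not the real name
LURE_WORDS = ("payroll", "invoice", "secure document", "password expiry")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Matches the standard M365 sharing footer: "generated through X's use of Microsoft 365"
DISCLAIMER_RE = re.compile(r"generated through (.+?)'s use of Microsoft ?365", re.I)


def _under(host: str, domains) -> bool:
    """True if host equals one of `domains` or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def sharepoint_tenant(host: str):
    """'foo-my.sharepoint.com' or 'foo.sharepoint.com' -> 'foo'; otherwise None."""
    host = host.lower()
    if not host.endswith(".sharepoint.com"):
        return None
    label = host[: -len(".sharepoint.com")]
    return label[:-3] if label.endswith("-my") else label


def is_trusted_login_url(url: str) -> bool:
    """Section 4 check: is the page asking for a password on a Microsoft
    login host or on one of our own domains?"""
    host = urlparse(url).hostname or ""
    return _under(host, TRUSTED_LOGIN_HOSTS) or _under(host, INTERNAL_DOMAINS)


def triage(raw_message: str) -> list:
    """Return a list of red-flag descriptions found in a raw notification email."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    # Red flag: a To/CC recipient outside the organization.
    for header in ("to", "cc"):
        for value in msg.get_all(header, []):
            for addr in value.addresses:
                if not _under(addr.domain, INTERNAL_DOMAINS):
                    flags.append(f"external recipient: {addr.addr_spec}")

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""

    # Red flag: the M365 footer says another organization generated the mail.
    m = DISCLAIMER_RE.search(body)
    if m:
        flags.append(f"generated via another tenant: {m.group(1)}")

    # Red flag: document hosted in a SharePoint tenant that is not ours, or a
    # link that points to neither Microsoft nor one of our own domains.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        tenant = sharepoint_tenant(host)
        if tenant is not None and tenant not in EXPECTED_TENANTS:
            flags.append(f"document hosted in foreign tenant: {tenant}")
        elif tenant is None and not is_trusted_login_url(url):
            flags.append(f"link to untrusted host: {host}")

    # Red flag: lure wording in the subject (section 3).
    subject = str(msg.get("subject", "")).lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        flags.append("lure wording in subject: " + ", ".join(hits))
    return flags


# Constructed sample: a compromised internal sender, an external CC using the
# domain from the page, a placeholder foreign tenant and the foreign footer.
SAMPLE = """\
From: Colleague Example <colleague.example@utwente.nl>
To: student.example@utwente.nl
Cc: user@correounivalle.edu.co
Subject: Payroll Notice - University of Twente shared a document with you

Colleague Example shared "Payroll Notice.pdf" with you.
Open: https://other-tenant-my.sharepoint.com/:b:/g/personal/placeholder
This email is generated through Universidad del Valle's use of Microsoft 365 and may contain content that is controlled by Universidad del Valle.
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("RED FLAG:", flag)
```

Running the script on the constructed sample lists four red flags: the external CC, the "Universidad del Valle" footer, the foreign SharePoint tenant and the "payroll" lure in the subject. Any one of them is reason enough to stop and report the mail rather than click.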

5. Does this fit the normal way of working?

Ask yourself: Is this how we usually do things?

  • For example: HR and salary info are usually shared via AFAS, not random SharePoint links.
  • Do you normally get communication through a different platform but suddenly receive a SharePoint link? Be extra alert.

What happens if you accidentally log in?

If you enter your details on a phishing page, the attackers get full access to your account. They’ll then use your account to send new phishing emails to your colleagues and fellow students. This is how the attack spreads like wildfire through the organization. We’ve even seen hacked accounts being used to send "free product" scams recently.

What should you do?

  • Do not click on links or attachments.
  • Never enter your password on suspicious pages.
  • Never approve an MFA request that you didn't start yourself.
  • Report the suspicious email immediately.
  • Delete the message only after you've reported it.

By staying sharp, you're not just protecting your own account, you're keeping the whole UT community safe!