Video not loading? Watch on the original ThreeShield page →
Why This Attack Succeeds
Traditional phishing relies on convincing impersonation. This attack is more insidious: it uses real legitimate services and, in most cases, real compromised accounts of people the victim actually knows. The Microsoft 365 notification is genuine. The sender's name is real. The victim has no reasonable basis for suspicion.
How the Attack Unfolds
- Attacker obtains credentials from a breach database or credential stuffing - targeting an account without MFA
- Attacker logs in quietly and monitors communications for financial context: invoices, payment discussions, client relationships
- Attacker creates a fraudulent shared document that fits the context - a fake invoice, updated contract, or urgent document
- Victim receives a real Microsoft 365 / SharePoint notification saying their contact shared something with them
- Victim clicks, enters credentials on a fake Microsoft login page, or downloads a malicious document
Why ThreeShield Clients Were Protected
Clients with location-based access restrictions, trusted device requirements, MFA, and active monitoring were fully protected - the attacker couldn't complete step 1 (logging in) because the account had controls that a stolen password alone could not bypass. Lavawall® would have also alerted on the unusual login and new device registration before the attack progressed.
Protecting Your Organization
- Enable MFA on all Microsoft 365 and Google Workspace accounts - immediately
- Implement Conditional Access policies that restrict login to known locations and registered devices
- Deploy Lavawall® or equivalent M365/Google Workspace monitoring to detect account compromise in real-time
- Include this specific attack technique in security awareness training - most staff have never seen it demonstrated
- Configure Microsoft Defender for Office 365 Safe Attachments to inspect shared documents