Check Point Warns of 40,000 Finance-Themed Phishing Attacks

Threat actors have launched a large-scale phishing campaign impersonating SharePoint, DocuSign, and other e-signing services — sending more than 40,000 malicious emails designed to trick users into opening fake financial documents. 

The campaign, uncovered by Check Point researchers, highlights how easily attackers can mimic trusted file-sharing platforms to steal credentials and initiate fraudulent transactions.

“Attackers know that businesses live inside platforms like SharePoint and e-signing tools, so disguising phishing emails as trusted workflows gives them an immediate advantage,” said Dave Meister, Global Head of Managed Services at Check Point Software.  

He added, “As our digital processes become more automated, these scams scale even faster, bypassing human skepticism and exploiting the very systems organizations rely on to move quickly.”

Document Workflow Industries in the Crosshairs

Email is still the most common initial access vector, and sectors that rely heavily on contracts, invoices, and financial documents remain especially vulnerable to convincing impersonation attacks. 

The campaign targeted more than 6,100 organizations across the U.S., Europe, Canada, APAC, and the Middle East — many in industries where document workflows are central to daily operations, including consulting, technology, real estate, healthcare, finance, and government.

Impersonating SharePoint and E-Signing Tools at Scale

The attackers abused Mimecast’s secure-link rewriting feature, routing all malicious URLs through mimecastprotect[.]com — a domain many users and filters implicitly trust. 

This smokescreen allowed malicious links to bypass automated defenses while appearing legitimate in a user’s inbox.

The emails themselves were engineered to resemble real SharePoint or e-signature notifications. 

Attackers copied Microsoft logos, formatting conventions, headers, and standard call-to-action buttons like Review Document. 

They also spoofed display names such as “X via SharePoint (Online)” and “eSignDoc via Y,” mimicking the naming patterns of authentic services.

A related DocuSign-style variant used a different redirection method, flowing through Bitdefender GravityZone and Intercom’s click-tracking service. 

Unlike the primary attack, this variant fully hides the final phishing destination behind a tokenized redirect — making it even harder to detect, block, or investigate.

Phishing Attacks Hiding in Plain Sight

This campaign demonstrates a broader trend in phishing: attackers increasingly rely on legitimate infrastructure to lend credibility to malicious messages. 

By using open redirects, secure-link rewriting services, and trusted SaaS branding, adversaries reduce the visual and technical cues that typically alert users to danger.

Because the malicious links appear wrapped in known security tools, even experienced users may hesitate to question them. 

And while no CVE or software exploit is involved, the attackers weaponize social engineering and deception to achieve credential theft or unauthorized access — techniques that continue to drive successful phishing campaigns across industries.

How to Strengthen Your Phishing Defenses

Organizations facing increasingly sophisticated phishing campaigns must adopt a layered approach to defending their users and data.  

• Approach embedded links with caution and verify sender details, formatting inconsistencies, and mismatched email addresses before engaging.
• Hover over links to inspect the true destination and access documents directly through trusted platforms instead of email-provided URLs.
• Implement phishing-resistant MFA, apply least privilege, and enforce strong identity and access controls across all critical accounts.
• Strengthen email authentication with properly configured DMARC, DKIM, and SPF to reduce spoofing and impersonation risks.
• Deploy advanced email-security tools such as anti-phishing engines, URL filtering, behavioral analytics, sandboxing, and user reporting features.
• Conduct ongoing employee awareness training and regular phishing simulations that reflect modern redirect and impersonation techniques.
• Validate financial and document-approval workflows with out-of-band verification and monitor SaaS activity for unusual access or sharing behavior.

These steps help limit the blast radius and build cyber resilience.

When Trust Becomes an Attack Surface

This campaign underscores a growing reality: attackers don’t always need sophisticated exploits — sometimes all it takes is appearing legitimate. 

Phishing operations now routinely blur the line between authentic and malicious communication by abusing trusted cloud services, familiar branding, and everyday business workflows. 

As organizations rely on digital document exchanges and online transaction systems, these impersonation-based attacks are poised to accelerate. 

With attackers refining their ability to mimic routine financial and operational processes, even the most ordinary workflows can quickly become high-risk entry points.

In a threat landscape where trust can be easily forged, organizations must shift toward architectures that verify every interaction — core tenets of a zero-trust approach.