Credential Phishing Campaigns Exploiting E-Signature and Note-Sharing Platforms
A widespread phishing campaign has targeted over 6,000 organizations across multiple sectors by impersonating trusted digital document platforms such as SharePoint and DocuSign. Attackers crafted emails that closely mimicked legitimate notifications, using authentic-looking subject lines, formatting, and logos to deceive recipients. The phishing links were obfuscated through services like Mimecast, Bitdefender, and Intercom, making them appear trustworthy and bypassing security filters. The primary objective was to lure users into credential theft pages, with industries such as consulting, tech, real estate, healthcare, and government being heavily targeted due to their reliance on document exchanges.
In a related tactic, threat actors have begun abusing the NoteGPT platform, an AI-powered note-sharing service, to host malicious files and further disguise phishing attempts. Victims receive emails that appear to be secure document notifications from familiar brands like Microsoft OneDrive, but the links redirect to NoteGPT-hosted phishing pages. These emails often spoof legitimate company addresses and use plain, routine subject lines to avoid suspicion. Once users attempt to access the fake documents, they are prompted to enter their credentials, which are then harvested by the attackers. Both campaigns highlight the increasing sophistication of phishing operations leveraging trusted platforms and services to evade detection and compromise professional accounts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Mimecast says its systems were not breached in phishing abuse case
Mimecast stated that its environment was not compromised despite attackers using its link-rewriting and redirect mechanisms in phishing lures. The company said it continued scanning and blocking malicious links associated with the campaign.
Check Point details redirect-cloaking in large-scale phishing campaign
Check Point Research reported that the e-signature phishing operation hid credential theft pages behind trusted services including Mimecast, Bitdefender, and Intercom by abusing URL rewriting and redirect features rather than exploiting vulnerabilities. The finding showed how attackers made malicious links appear trustworthy to bypass user suspicion and security controls.
Attackers send 40,000 e-signature phishing emails to 6,000 firms over two weeks
Over a two-week period, attackers distributed more than 40,000 phishing emails targeting over 6,000 organizations by impersonating document platforms such as SharePoint and DocuSign. The campaign focused on sectors including consulting, technology, real estate, healthcare, energy, education, and government across multiple continents.
Phishing campaign abuses NoteGPT to harvest Microsoft credentials
Cofense identified a phishing campaign in which emails spoofing a company General Counsel and using Microsoft OneDrive branding redirected victims to a NoteGPT-hosted page and then to a fake Microsoft login page to steal credentials. The campaign relied on the legitimacy of the NoteGPT platform and familiar Microsoft branding to reduce suspicion and evade defenses.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Exploiting Domain Spoofing and Complex Routing
Threat actors have intensified phishing operations by leveraging complex email routing techniques and exploiting domain misconfigurations to successfully spoof trusted brands. These campaigns manipulate email infrastructure weaknesses, allowing attackers to send convincing phishing emails that appear to originate from legitimate domains, thereby increasing the likelihood of user engagement and credential compromise. Security researchers have observed that such tactics are being used to bypass traditional email security controls, making detection and prevention more challenging for organizations. During the holiday season, attackers combined these advanced spoofing methods with social engineering, sending emails that mimic Docusign notifications and Christmas-themed documents to exploit user trust and seasonal distractions. Victims are redirected through multiple hosting platforms before landing on credential harvesting sites, and a secondary wave of attacks targets personal financial data through fake loan application forms. The campaigns demonstrate a sophisticated use of both technical and psychological tactics to maximize the impact on both corporate and individual targets.
Mar 21, 2026
Multi-Stage Phishing Campaigns Targeting Microsoft 365 and Cloud Services
A sophisticated, multi-stage phishing campaign has been observed targeting organizations globally to steal Microsoft 365 credentials. The operation, monitored since early November 2025, employs advanced evasion techniques such as nested PDFs, use of legitimate content delivery networks, and mouse tracking to bypass secure email gateways and multi-factor authentication. The final credential harvesting site is engineered to block security tools and analysts, and leverages legitimate Microsoft infrastructure to circumvent MFA, granting attackers immediate access to compromised accounts. These attacks highlight the increasing complexity of phishing operations and their ability to evade traditional security controls. In parallel, threat actors are exploiting free cloud hosting platforms like Cloudflare Pages to host convincing phishing portals impersonating banking and healthcare providers. These sites not only harvest credentials but also collect additional security information, such as answers to secret questions, and exfiltrate data via Telegram bots to evade detection. Attackers use compromised legitimate domains as redirectors, increasing the likelihood of bypassing spam filters and making takedown efforts more challenging. The convergence of advanced phishing techniques and abuse of trusted cloud services underscores the need for enhanced detection and response strategies for organizations relying on Microsoft 365 and similar platforms.
Mar 21, 2026
Phishing Campaigns Exploiting Trusted Brands and Services
Threat actors have intensified their use of phishing campaigns by impersonating well-known brands and trusted online services to deceive victims and steal sensitive credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted individuals in social media and marketing roles by sending fake job application emails that appeared to originate from major companies such as Red Bull, Tesla, Google, and Ferrari. These emails used convincing language and branding, including up-to-date logos and tailored subdomains, to increase their legitimacy and lure recipients into clicking malicious links. The attackers further enhanced the credibility of their messages by spoofing the sender address to appear as if it came from a legitimate domain, such as Xero, which has been abused in previous phishing incidents. The phishing process often began with a CAPTCHA page to create a sense of security before redirecting victims to fraudulent login pages designed to harvest credentials. This approach demonstrates a sophisticated understanding of social engineering tactics and the value of resume and personal information in targeting specific job seekers. In a separate but similarly themed incident, a Malwarebytes employee was targeted by a phishing email that impersonated 1Password, a popular password manager. The email falsely claimed that the recipient's 1Password account had been compromised and urged immediate action, including changing the account password and enabling two-factor authentication. The message mimicked legitimate security alerts, referencing 1Password's Watchtower feature, but included subtle red flags such as a sender address not associated with 1Password and a malicious link disguised as a legitimate action button. The phishing link directed users to a typosquatted domain, onepass-word[.]com, rather than the official 1Password website. Interestingly, the email's 'Contact us' link routed through a legitimate support page but used a redirect service, further complicating detection. The use of Mandrillapp, a transactional email delivery service, added another layer of apparent legitimacy to the phishing attempt. Both campaigns highlight the increasing sophistication of phishing attacks, with threat actors leveraging trusted brands and services to bypass security filters and exploit user trust. The attackers' use of brand-specific subdomains, authentic-looking graphics, and familiar communication styles makes these phishing emails particularly convincing. By targeting individuals with tailored messages, such as job seekers or users of specific online services, the campaigns increase the likelihood of successful credential theft. The abuse of legitimate infrastructure, such as Xero's email services and Mandrillapp, demonstrates how attackers can exploit trusted platforms to evade detection. Security teams are advised to educate users about the signs of phishing, including checking sender addresses, scrutinizing URLs, and being wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains. The incidents underscore the need for robust email security solutions and ongoing vigilance against evolving social engineering tactics. As phishing campaigns continue to evolve, both individuals and organizations must remain alert to the latest techniques used by cybercriminals to compromise accounts and steal valuable data.
Mar 21, 2026