Cybersecurity researchers have identified a significant escalation in phishing campaigns utilizing sophisticated domain spoofing techniques that mimic Microsoft SharePoint services.
The threat activity, which began intensifying on June 26, 2025, employs structured naming patterns and leverages legitimate hosting platforms to evade detection while harvesting corporate credentials through advanced proxy-based attacks.
Systematic Domain Generation Reveals Coordinated Campaign
The malicious domains follow a highly structured pattern that security analysts can use for threat hunting.
All identified domains use the .org top-level domain, and the third-level label consists of a 29-character string followed by “-mysharepoint”, in a consistent format.

Examples include domains like “9yusq7ngwdm365cj87v39gs5do8we-mysharepoint.tahofire[.]org” and “2yusq7ngwdm835cj87v63gs5do8we-mysharepoint.fencecorps[.]org.”
Researchers discovered that only numeric characters vary in specific positions within these strings, while the remainder stays constant.
The second-level domain names strategically mimic legitimate U.S.-based organizations, including references to tahoelivingwithfire.com, fencecorp.us, and laborers155.org, adding credibility to the malicious infrastructure.
Security teams can implement threat hunting using TI Lookup queries such as “domainName:'-mysharepoint..org'” to identify similar campaigns. This approach has already uncovered over 40 matching analysis sessions since the campaign’s inception.
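A detection check for the naming pattern described above, added here as an example and not code from the article or from the researchers. It assumes the 29-character label is lowercase alphanumeric and that hostnames appear in DNS-style log lines (the log lines below are constructed):

```python
import re

# Pattern from the article: a 29-character label, then "-mysharepoint",
# then a registered domain under .org. Assumption: the label is lowercase
# alphanumeric (the article only says it is 29 characters).
SHAREPOINT_SPOOF_RE = re.compile(
    r"^(?P<token>[a-z0-9]{29})-mysharepoint\.(?P<sld>[a-z0-9-]+)\.org$"
)
QUERY_RE = re.compile(r"query=(\S+)")

# Constructed sample DNS resolver log (not real traffic).
SAMPLE_DNS_LOG = """\
2025-06-26T09:14:02Z client=10.0.0.15 query=9yusq7ngwdm365cj87v39gs5do8we-mysharepoint.tahofire.org type=A
2025-06-26T09:15:40Z client=10.0.0.22 query=2yusq7ngwdm835cj87v63gs5do8we-mysharepoint.fencecorps.org type=A
2025-06-26T09:16:11Z client=10.0.0.31 query=contoso.sharepoint.com type=A
2025-06-26T09:17:05Z client=10.0.0.44 query=shortname-mysharepoint.example.org type=A
"""


def is_spoofed_sharepoint_host(hostname: str) -> bool:
    """True if the hostname matches the campaign's naming pattern."""
    host = hostname.strip().lower().rstrip(".")
    host = host.replace("[.]", ".")  # accept defanged indicators too
    return SHAREPOINT_SPOOF_RE.match(host) is not None


def hunt_hosts(log_text: str) -> list:
    """Return queried hostnames in the log that match the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_spoofed_sharepoint_host(m.group(1)):
            hits.append(m.group(1).lower())
    return hits


def varying_positions(tokens: list) -> tuple:
    """Indices where the 29-char labels differ, and whether all differing
    characters are digits (the article's observation)."""
    positions = {i for i in range(29) for t in tokens if t[i] != tokens[0][i]}
    all_numeric = all(t[i].isdigit() for t in tokens for i in positions)
    return sorted(positions), all_numeric


if __name__ == "__main__":
    matched = hunt_hosts(SAMPLE_DNS_LOG)
    labels = [h.split("-mysharepoint")[0] for h in matched]
    print(matched)
    print(varying_positions(labels))  # ([0, 11, 12, 19, 20], True)
```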
Alboompro Platform Exploitation Amplifies Threat Landscape
Threat actors have increasingly weaponized Alboompro.com, a legitimate service for creating portfolios and landing pages, to host initial phishing content.
Since May 2025, more than 250 tasks involving Alboompro domains have been identified, with over 130 malicious subdomains recorded.
The attack chain typically begins with phishing emails containing links to Alboompro subdomains that impersonate legitimate companies.
Victims are directed to fraudulent PDF documents that require email verification, which then redirect them to fake SharePoint domains for credential harvesting.
Sneaky2FA Technique Bypasses Traditional Security Measures
The campaign employs Sneaky2FA tactics, where victims interact with seemingly legitimate Microsoft login interfaces while attackers operate proxy servers that intercept credentials in real time.
This technique loads authentic content directly from Microsoft’s official website through attacker-controlled infrastructure, making detection significantly more challenging.
After completing CAPTCHA challenges on the spoofed SharePoint domains, victims encounter login pages that appear identical to legitimate Microsoft interfaces.
This sophisticated approach allows threat actors to capture both primary credentials and multi-factor authentication tokens, effectively bypassing traditional security measures.
The coordinated nature of this campaign, combined with its technical sophistication and abuse of legitimate services, represents a significant evolution in phishing methodologies that requires enhanced monitoring and detection capabilities.