SharePoint Phishing Scam

This scam sends a fake Microsoft SharePoint or OneDrive email saying a document has been shared with you, linking to a counterfeit Microsoft login page designed to steal your work email credentials. It is commonly aimed at businesses.

Quick verdict

Risk level: Medium risk
Scam type: File-sharing phishing scam
Main red flag: A 'document shared with you' email pushing you to sign in through a link to view it.
What to do first: Do not sign in through the email link. Open SharePoint or OneDrive directly from your usual bookmark or app instead.

What this scam usually looks like

Example message pattern

Example pattern — not a real report
Example pattern: 'A document "Q3 Invoice.xlsx" has been shared with you on SharePoint. Sign in to view the file before access expires: [suspicious link]'

This is a fictional, anonymised example used to illustrate the pattern. It is not a verified real message, and any names are used only to show how the scam typically reads.

Red flags to watch for

  • An unexpected file-share notice from someone you do not usually exchange documents with
  • A sign-in prompt that appears after clicking, asking for your work email and password
  • A link or login page address that is not a genuine Microsoft domain
  • Pressure that access will 'expire' or be removed unless you act quickly
  • Small wording or branding inconsistencies in the email or login page
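
One way a mail filter or analyst script could check the link and urgency red flags above. This is an added example, not part of the original page; the allowlist, function names and sample URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative, non-exhaustive allowlist; replace with your organisation's own list.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "sharepoint.com",
                     "office.com", "live.com"}
URGENCY = re.compile(r"\b(expire[sd]?|immediately|urgent|suspended)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>\]]+", re.I)


def is_microsoft_host(url):
    """True only if the URL's real hostname is an allowlisted domain or a subdomain of it."""
    host = urlsplit(url).hostname  # ignores any user@ prefix and port, lowercases the host
    if not host:
        return False
    host = host.rstrip(".")
    # Match on a dot boundary so "notsharepoint.com" and
    # "sharepoint.com.example.test" do not pass as sharepoint.com.
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def review_message(body):
    """Return the link and urgency red flags found in an email body."""
    links = URL_RE.findall(body)
    return {
        "off_domain_links": [u for u in links if not is_microsoft_host(u)],
        "urgency_wording": bool(URGENCY.search(body)),
    }


# Constructed sample modelled on the page's example pattern; example.test is a placeholder host.
SAMPLE = ('A document "Q3 Invoice.xlsx" has been shared with you on SharePoint. '
          "Sign in to view the file before access expires: "
          "https://login.microsoftonline.com.files-view.example.test/signin")

if __name__ == "__main__":
    print(review_message(SAMPLE))
```

A link that passes this check is only one signal; the other red flags in the list still apply.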

What to do

  • Do not click the link or enter your credentials
  • Open SharePoint or OneDrive directly through your usual app or bookmark to check for any shared file
  • Verify with the supposed sender through a separate, known channel
  • Report the email to your IT or security team and delete it

If you already clicked or replied

  • Do not enter any more information on the page
  • Change your work email password immediately from a trusted device
  • Turn on or confirm multi-factor authentication on the account
  • Report it to your IT or security team so they can check for unauthorised access

What not to do

  • Do not enter your password on a page reached through the email link
  • Do not approve any unexpected sign-in or multi-factor prompt
  • Do not ignore it without telling your IT team

Frequently asked questions

How can I tell a real SharePoint share from a fake one?
Genuine shares appear when you open SharePoint or OneDrive directly. If a notice only works through an email link and asks you to log in again, it is worth treating with caution.

Why does the page ask me to log in again?
A convincing fake login page is how this scam captures your credentials. If you are already signed in to Microsoft, an unexpected request to log in again is a common warning sign.

Why are businesses targeted with this scam?
Work email logins can unlock company files, contacts and further attacks, so they are valuable to scammers. This is why SharePoint phishing is often aimed at staff at organisations.

I entered my password. What should I do?
Change your password right away from a trusted device, enable multi-factor authentication, and tell your IT or security team so they can review the account for unauthorised access.

Last reviewed: June 2026

Disclaimer: This page provides educational information only to help you recognise common scam patterns. It is not legal, financial, cybersecurity, or law enforcement advice, and it does not confirm whether any specific message, company, or person is genuine or fraudulent. When in doubt, contact the official organisation directly and report concerns to your local authorities.