Protect yourself from file‑sharing phishing attacks

Lyle Docherty
Monday 6 April 2026

We have recently seen an increase in phishing emails that use genuine file‑sharing services such as SharePoint, Dropbox and OneDrive. Because these platforms are part of our everyday work, attackers see them as a useful way to disguise malicious links as something familiar and trustworthy.

This guidance is meant to help you understand how these attacks work, not to discourage you from using these services. They remain safe and essential. It aims to raise awareness of how attackers are adapting their methods and of the small habits that help you stay secure.

Why attackers spoof file-sharing services 

Cyber criminals know that file‑sharing links look normal and are used every day. They also know that security tools may allow links from trusted platforms, and that people are more likely to click a link if it appears to come from a system the University uses.

This means attackers may send emails that look like they contain a document stored in a legitimate cloud service, but the link may take you to a malicious website instead.

Common signs of a spoof file‑sharing email

Even if an email looks like it comes from a familiar platform, check for the signs below.

1. Unexpected sharing notifications

If you were not expecting a document, or the subject seems unrelated to your work, pause before you click.

Attackers are now using real Microsoft accounts to share malicious files through SharePoint.
Emails like this will come from [email protected], so you cannot rely on spotting a fake sender address.

Instead, consider the context:

  • Were you expecting someone to share a file with you?
  • Does the filename or topic seem unusual for your role?
  • Is the sender someone you do not normally work with?

A legitimate sender address does not guarantee a safe document. Accounts can be compromised and legitimate services can be misused.

2. Pressure or urgency

Be cautious if the email uses phrases such as “view this immediately” or threats like “your account will be closed”.
Any mention of payroll in an unexpected context is a common red flag.

3. Links that do not match

Hover over the link (without clicking). The URL should match the platform you expect, for example:
https://companyname.sharepoint.com/…

If the link points somewhere unrelated, it is likely phishing.

4. Unusual login requests

If clicking a link takes you to a login page that does not look like the usual Microsoft sign‑in screen, stop straight away.

How to stay safe

You do not need to distrust every cloud link. Just take a moment to check before you click.

1. Pause for three seconds

A brief pause prevents most phishing attacks.

2. Verify the sender

If something feels unusual, ask the colleague or department directly before opening the file.

3. Use the app instead of the email link

Open SharePoint or OneDrive directly:
https://universityofstandrews907-my.sharepoint.com/
Sign in with your @st-andrews.ac.uk email address.

Check if the file appears in your “shared” list.
If it is genuine, it will show there.

4. Report anything suspicious

Use the Report phishing button or contact the IT security team.
You’re not inconveniencing us – it is always better to check.

In summary

Cloud‑based tools like SharePoint and OneDrive are safe and essential, but attackers are becoming more skilled at imitating them. A few simple checks will help protect you and the University.

Thank you for staying alert and helping keep our digital workspace secure.
