Description
This article describes a new phishing trend abusing Microsoft SharePoint access approval requests. Instead of using traditional malicious links, attackers send emails that appear to be legitimate SharePoint or Microsoft 365 notifications, prompting users to approve or open a file they were not expecting, including:
- Fake SharePoint or OneDrive access approval requests
- Requests to “Approve,” “Review,” or “Open” unexpected documents
- Messages using generic or urgent file names (e.g., Payroll Update, Secure Document, Faculty Review)
Because these messages come from trusted platforms and may not contain obvious external URLs, users are more likely to click.
More information is provided below on how to recognize this type of phishing and what actions to take.
Applicable to:
- Administrative Staff
- Support Staff
- Faculty
- Student Employees
- Campus Distributed IT Staff
Campuses / Units:
- CSU Fort Collins
- CSU Pueblo
- CSU System
How This Phishing Works
Attackers misuse Microsoft 365 collaboration features to make phishing emails appear legitimate.
These messages may:
- Appear to come from Microsoft, SharePoint, or OneDrive
- Ask you to approve or access a file you did not request
- Use familiar CSU or higher‑education language
- Create urgency or imply action is required
Clicking these requests may lead to credential theft, account compromise, or unauthorized access to CSU systems.
What to Look For Before Approving Access
Before clicking Approve, Open, or View, consider:
- Do I recognize the sender?
- Was I expecting a SharePoint file or access request?
- Does this request make sense for my role or current work?
Red flags include:
- Unexpected access requests
- Generic or vague file names
- Urgent or threatening language
- Requests from unknown or external users
The following is an example of a SharePoint message.
What To Do
Resources
Related Articles