Microsoft SharePoint Server Spoofing Vulnerability — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 26, 2026

Severity: MEDIUM | View Full Scam Details

Beware the 2026 Microsoft SharePoint Server Spoofing Scam Targeting Indian Organizations

Cybercriminals are exploiting Microsoft SharePoint Server vulnerabilities to trick Indian employees into sharing sensitive data, risking financial loss and data breaches.

What Is the Microsoft SharePoint Server Spoofing Vulnerability?

The Microsoft SharePoint Server Spoofing Vulnerability (identified as CVE-2026-32201) is a medium-severity security flaw that fraudsters in India and worldwide are increasingly abusing. SharePoint is a popular collaboration and document management platform used by thousands of Indian companies, government agencies, and educational institutions. This vulnerability allows attackers to create counterfeit SharePoint pages or interfaces that look like genuine, trusted internal sites.

Because many Indian organizations use SharePoint for internal communication, document sharing, and workflow automation, the scam specifically targets employees who trust the platform’s authenticity. Scammers exploit this trust to send fake messages or notifications that appear to come from known colleagues or official company channels. This makes it easier to trick victims into divulging login credentials, confidential financial details, or even authorizing fraudulent UPI transactions.

Indian cybercrime agencies like CERT-In and the Indian Cyber Crime Coordination Centre (I4C) have issued alerts about phishing scams exploiting widely used software like SharePoint. The Reserve Bank of India (RBI) also warns corporates about the rising threat of business email compromise (BEC) attacks leveraging such vulnerabilities to initiate fraudulent fund transfers. As remote work and digital collaboration grow in India, this spoofing vulnerability is becoming a significant vector for cybercrime.

How This Scam Works — Step by Step

1. Initial Reconnaissance: Scammers first research the target organization’s structure and who uses SharePoint internally. They may harvest email addresses and contact details from online sources or social media like LinkedIn.

2. Creating a Fake SharePoint Interface: Using the spoofing vulnerability, fraudsters build a fake SharePoint login page or dashboard that looks exactly like the real company site.

3. Phishing Email or Message: The victim receives an email or a Teams/WhatsApp message that appears to come from an internal stakeholder or trusted customer. The message might say: “Please review the updated invoice on the SharePoint portal” or “Urgent: Verify your account to continue accessing documents.”

4. Victim Clicks the Link: The fake message contains a link directing the victim to the counterfeit SharePoint page. Because the page is a near-perfect copy, victims willingly enter their login credentials.

5. Credential Capture and Misuse: Once credentials are entered, scammers grab this data in real-time. They may use these details to log into the company’s real SharePoint account or related services.

6. Exfiltration or Fraud: The attacker can now browse sensitive company documents or send legitimate-looking messages to other employees or vendors. They may also initiate fraudulent UPI payments by masquerading as senior employees requesting urgent money transfers.

7. Financial Loss and Data Theft: Ultimately, victims suffer monetary losses, data leaks, or reputational damage.

Real Warning Signs to Watch For

• Unexpected SharePoint links in emails or WhatsApp messages—especially if they urge quick action.
• Messages claiming to be urgent from seniors or customers but containing poor spelling or grammar.
• Logins requested from outside regular working hours or from unknown devices.
• Emails with mismatched sender addresses that nearly mimic official company domains.
• Unusual requests for sensitive information, like passwords or financial details, via internal communication tools.
• Inconsistencies in the SharePoint page URL or unusual subdomains.
• Sudden lockouts or notifications of password changes you did not initiate.

What Happens to Victims

When Indian employees fall for such scams, repercussions can be severe. Financial frauds may involve fraudulent UPI transactions where money is siphoned off to unknown accounts, often without easy reversal due to delayed detection. Internal company data, including contracts, payroll, or customer information, may be stolen and misused, risking compliance violations under IT Act and personal data protection laws in India.

On the personal side, victims often face stress, guilt, and loss of trust from management. Aadhaar data or personal credentials obtained in the breach could enable further identity theft scams, SIM swap frauds, or unauthorized financial activities. The emotional toll from such events is significant, and recovering from the aftermath requires swift and coordinated action.

What RBI and CERT-In Say

The Reserve Bank of India has repeatedly warned corporate and retail users to stay vigilant against phishing and business email compromise scams that exploit software vulnerabilities. Although RBI’s guidelines primarily focus on banking and payment system security, they emphasize strong multi-factor authentication and employee awareness in preventing frauds.

CERT-In, India’s national cybersecurity agency, issues advisories encouraging organizations to patch SharePoint Server vulnerabilities immediately. They also recommend continuous user training on recognizing phishing attempts, proper configuration of internal digital tools, and reporting all suspicious incidents promptly.

If you suspect a cyber fraud, CERT-In’s Indian Cyber Crime Coordination Centre (I4C) helpline (dial 1930) can be contacted for assistance, while RBI’s customer helpline can assist with bank-related frauds.

How to Protect Yourself

1. Verify Links Carefully: Always hover over SharePoint links to check domain authenticity before clicking.
2. Use Official Apps and Access Points: Avoid logging into SharePoint through unexpected emails or messages; use company intranet or verified bookmarks.
3. Enable Multi-Factor Authentication (MFA): Add layers of security on SharePoint and all corporate accounts.
4. Keep Software Updated: Ensure your organization applies Microsoft patches and updates SharePoint Server regularly to fix vulnerabilities.
5. Be Skeptical of Urgent Requests: Double-check with the sender via a call or a separate message before sharing credentials or transferring money.
6. Report Suspicious Activity: Immediately notify your IT or cybersecurity team about any unusual SharePoint messages.
7. Educate Yourself and Team: Participate in regular cyber awareness sessions to recognize phishing tactics.

What to Do If You've Been Targeted

1. Do Not Panic: Act immediately but calmly to contain damage.
2. Change Passwords: Update your SharePoint, work email, and related service passwords using strong, unique combinations.
3. Alert Your IT Department: Inform your company’s cybersecurity or IT team right away to block compromised accounts.
4. Contact Your Bank: If a UPI or bank transaction is involved, report the fraud to your bank’s fraud helpline for possible reversal.
5. File a Complaint: Register the incident with the National Cyber Crime Reporting Portal at cybercrime.gov.in.
6. Call the 1930 Cybercrime Helpline: They provide guidance tailored to Indian victims.
7. Monitor Financial Transactions: Regularly check your bank and UPI apps for any unauthorized activities.

Frequently Asked Questions

Q1: How can I tell if a SharePoint link is fake?
Look for subtle differences in the URL such as misspellings, added characters, or unusual domains. Genuine Microsoft SharePoint URLs usually follow a consistent corporate domain pattern. If in doubt, access SharePoint only via official channels.

Q2: Can RBI reverse money lost through a SharePoint phishing scam?
Reversal depends on the timing of the report and the nature of the transaction. RBI urges customers to notify their banks immediately, but prevention and fast reporting are key. Delays can reduce chances of successful recovery.

Q3: Does using multi-factor authentication make SharePoint spoofing scams ineffective?
MFA significantly reduces risk by requiring additional verification beyond passwords. Even if scammers get your credentials, they cannot access your account without the second factor, making it a vital security measure.

Stay alert and protect yourself against digital frauds! If you receive suspicious messages related to SharePoint or any other platform, verify their authenticity at BharatSecure.app before clicking or sharing information. Your vigilance keeps India’s digital space safer.