Shared Document Phishing Lure Harvesting Cloud Credentials
ID: 3075861d-3a97-4bcf-a420-d6e92267eea3
STIX ID: report--3075861d-3a97-4bcf-a420-d6e92267eea3
Threat Score: 70/100
Between 10 and 13 April 2026, users at a law firm received phishing emails claiming that a client had shared confidential files. The emails directed them to https://secure-doc-viewer365.com/review, a spoofed Microsoft 365 login page that captured usernames, passwords, and active session cookies. Victims were then redirected to a legitimate document-sharing site to reduce suspicion, and several compromised accounts later propagated internal phishing.

Observed indicators include the domain secure-doc-viewer365.com, the URL path /review, a Microsoft 365 redirect flow, a Windows user agent string, and a forwarding rule to casefiles.review@proton-node.com. The activity is consistent with credential harvesting for business email compromise.
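A triage sketch for the indicators above, added here as an example and not part of the original report: it correlates visits to the lure URL with mailbox rules forwarding to the reported address. The log records are constructed, and their field names (`ts`, `user`, `url`, `forward_to`) and the verdict labels are assumptions rather than any vendor's schema.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Indicators taken from the report above.
LURE_HOST = "secure-doc-viewer365.com"
LURE_PATH = "/review"
FORWARD_TO = "casefiles.review@proton-node.com"

# Constructed sample records; the field names are assumptions, not a vendor schema.
PROXY_LOG = [
    {"ts": "2026-04-10T09:12:44Z", "user": "a.smith@firm.example",
     "url": "https://secure-doc-viewer365.com/review?id=1"},
    {"ts": "2026-04-11T14:03:10Z", "user": "b.jones@firm.example",
     "url": "https://SECURE-DOC-VIEWER365.com/review"},
    {"ts": "2026-04-11T14:05:00Z", "user": "c.lee@firm.example",
     "url": "https://secure-doc-viewer365.com.example.org/review"},  # look-alike, not the IoC
]
MAILBOX_AUDIT = [
    {"ts": "2026-04-10T09:40:02Z", "user": "a.smith@firm.example",
     "forward_to": "casefiles.review@proton-node.com"},
    {"ts": "2026-04-12T10:00:00Z", "user": "c.lee@firm.example",
     "forward_to": "paralegal@firm.example"},
    {"ts": "2026-04-12T16:20:00Z", "user": "e.wong@firm.example",
     "forward_to": "CaseFiles.Review@proton-node.com"},
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def hit_lure(url):
    """True only for the exact IoC host (or a subdomain of it) and the /review path."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    on_host = host == LURE_HOST or host.endswith("." + LURE_HOST)
    on_path = parts.path == LURE_PATH or parts.path.startswith(LURE_PATH + "/")
    return on_host and on_path

def triage(proxy_log, mailbox_audit):
    """Map each affected user to a triage label based on the combined evidence."""
    first_visit = {}
    for rec in sorted(proxy_log, key=lambda r: parse_ts(r["ts"])):
        if hit_lure(rec["url"]):
            first_visit.setdefault(rec["user"], parse_ts(rec["ts"]))
    verdict = {user: "visited_lure" for user in first_visit}
    for rec in mailbox_audit:
        if rec["forward_to"].lower() != FORWARD_TO:
            continue
        user, when = rec["user"], parse_ts(rec["ts"])
        seen = user in first_visit and when >= first_visit[user]
        verdict[user] = "visited_lure_then_forwarding_rule" if seen else "forwarding_rule_only"
    return verdict
```

A `forwarding_rule_only` result is still worth investigating: the report notes that compromised accounts propagated internal phishing, so a rule can appear on a mailbox with no logged visit to the lure.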
