Center (RRZ)
ATTENTION: Misuse of compromised M365 accounts via shared documents on SharePoint Online
18 July 2025, by ServiceLine
In the last few days, UHH has received emails from SharePoint Online [no-reply@sharepointonline.com] that refer to a shared Word file with the name ‘Document [varying number]’. These emails presumably originate from compromised accounts of other M365 tenants. The currently known sub-domains of these tenants, studentscurry-my.sharepoint[.]com and galileo0-my.sharepoint[.]com, have been blocked for access from the UHH network. As these are standard M365 emails, they can only be recognised as fake by the discrepancy between the person/M365 organisation sending them and the descriptive text.
The documents are ostensibly shared by members of the UHH Executive University Board, although the details of the M365 organisations Universidad Galileo and students.curry.edu do not match.
Accessing the link does not represent a risk per se, as it is a standard OneDrive link. Before downloading the Word file, the recipient's email address must be entered, as access is personalised for the respective mailbox owner. The code sent in another email must then be entered in order to gain access to the document.
In this case, the Word file displayed or downloaded directly in the browser does not contain any malicious code, only a SharePoint logo and a link to access the shared document.
Behind this link is a phishing page that refers to an allegedly required account validation and demands the entry of access data. The page has since been deleted by the form provider Weebly.com.
If you suspect or are certain that you have entered your access data on the site, then please change your password immediately via the original user management page at https://account.uni-hamburg.de/. Please always pay attention to the URL displayed in your browser.
We continue to ask for your increased attention when dealing with emails, links and documents from sources you do not know.
As a matter of principle, do not follow the links in such emails and do not enter your access data on unknown sites. Always make sure that the domain on which you enter your access data ends with uni-hamburg.de (before the first '/' in the address bar).
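The domain rule above, written as a check with the same URL parser that browsers use. This is an added example, not RRZ's own code; the function names and sample URLs are constructed, and the `.example` hosts are placeholders.

```javascript
// Added example: apply the "host ends with uni-hamburg.de" rule to a URL.
// Function names and the sample URLs below are constructed for illustration.
const TRUSTED_DOMAIN = "uni-hamburg.de";

// Return the host the browser would actually connect to, or null if the
// string is not an absolute http(s) URL.
function effectiveHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lowercases host, splits off user@
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.replace(/\.$/, ""); // drop the trailing dot of an FQDN
}

// True only for uni-hamburg.de itself or a real subdomain of it.
// The leading "." in the suffix test is what rejects look-alike names
// that merely end in the same characters.
function isUniHamburgHost(rawUrl) {
  const host = effectiveHost(rawUrl);
  if (host === null) return false;
  return host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
}

// Constructed sample URLs: two genuine hosts, four that only look similar.
const samples = [
  "https://account.uni-hamburg.de/",
  "https://BV.Uni-Hamburg.de/login",
  "https://uni-hamburg.de.login.example/",         // trusted name is only a prefix
  "https://login.example/uni-hamburg.de/",         // trusted name is in the path
  "https://account.uni-hamburg.de@login.example/", // trusted name is userinfo
  "https://example-uni-hamburg.de/",               // different registered domain
];
for (const s of samples) {
  console.log(isUniHamburgHost(s) ? "OK     " : "REJECT ", s);
}
```

Only the first two samples pass; in each of the others the text `uni-hamburg.de` appears somewhere in the address without being the end of the host name.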
Do not open any email attachments that you are not expecting or whose sender is unknown to you. If necessary, ask the sender.
Please note the information in the news articles on phishing at https://www.uni-hamburg.de/newsroom/intern/2023/0117-phishing-welle.html and on the RRZ website https://www.rrz.uni-hamburg.de/services/sicherheit/email/phishing/phishing-erkennen.html.
If you suspect that you have been the victim of a phishing attack, please change your password immediately via the user administration at https://bv.uni-hamburg.de. Passwords can only be changed via this channel. If you have any questions, please contact the RRZ-ServiceLine.