Over the past week we’ve watched a phishing campaign tear through Sydney’s Christian church networks. It’s clever, it’s working, and your email filter won’t stop it. Here’s why, and what to do.
The mechanic
An attacker compromises one Microsoft 365 mailbox — usually because someone earlier in the chain fell for a phishing email and handed over their password. Once they’re in, they use the tenant’s own SharePoint and OneDrive to send “shared a file with you” notifications to every contact in the address book.

The notifications come from Microsoft. They pass SPF, DKIM, and DMARC. They look identical to legitimate file shares because they are legitimate file shares. The shared “document” is a link to a credential-harvest page dressed up as OneDrive. Anyone who logs in to view the document hands over their own Microsoft 365 password. Then the attacker repeats the cycle from the newly compromised account.
What makes this campaign especially nasty is the post-compromise activity. Once the attacker is in your mailbox, they add Outlook inbox rules that:
- Move replies and bounce messages to “RSS Feeds”, Archive, or Deleted Items so you never see them.
- Forward copies of inbound mail to an external address.
- Mark specific messages as already read.
We’ve also seen attackers wait days before sending the next round of phish from a freshly compromised account. The delay defeats most “unusual sending pattern” detection — by the time the bait emails go out, the sign-in looks routine.
Why Christian church networks have been hit so hard
Sydney’s church networks share something most attackers love: trust. People know each other across denominations, sit on each other’s boards, and forward each other’s emails without a second thought. The trust network is exactly what propagates the phish.
Add the fact that many churches run Microsoft 365 (often via Microsoft’s nonprofit licensing) and rely on volunteer or part-time IT, and you’ve got a target-rich environment. The Presbyterian Church of NSW’s general office sent a warning to all ministers and gospel workers this morning, and other denominations are dealing with it too. We’ve seen the effects of this in Presbyterian, Baptist, Anglican and Interdenominational organisations.
But this isn’t a church problem. The same technique is hitting SMBs, professional services firms, and not-for-profits across Sydney. Anyone who uses Microsoft 365 and has a healthy contact list is exposed.
What it looks like
Two visual indicators will save you.
First, check the file name. A bookkeeper sharing “Q3 reconciliation” makes sense. The same bookkeeper sharing “Important Document” or a file named after a different organisation does not. If the file name doesn’t match what you’d expect from that sender, stop.
Second, hover the link before you click. Real Microsoft sharing links go to your own tenant or to a *.sharepoint.com or *.onedrive.com address. The fake versions land on lookalike domains, sometimes hiding the destination behind a # fragment. If your phone hides the URL on hover (most do), open the email on a desktop before clicking anything. If you have clicked on the link, you may see a document looking like this:

If you’ve reached this stage, you should assume you’ve already been compromised. Don’t wait to see what happens.
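The hover check above can be done mechanically, and doing it mechanically shows why “does the link contain sharepoint.com?” is not enough. The script below is an added example, not code from RWTS or from Microsoft; it assumes your tenant is called `contoso` (so genuine own-tenant links sit on `contoso.sharepoint.com` or `contoso-my.sharepoint.com`), and the email body and URLs it scans are constructed. It checks the real host name that the browser will connect to, so a Microsoft-looking name that only appears after `@`, in the path, or behind a `#` fragment is reported as a lookalike rather than trusted.

```python
import re
from urllib.parse import urlsplit

# Hosts genuine Microsoft sharing links resolve to, as the article states:
# your own tenant or a *.sharepoint.com / *.onedrive.com address.
TRUSTED_SUFFIXES = ("sharepoint.com", "onedrive.com")
# Assumption: "contoso" stands in for your own tenant name (contoso.sharepoint.com,
# contoso-my.sharepoint.com). Replace it with yours.
OWN_TENANT = "contoso"
# Words a lookalike address borrows to look like Microsoft.
LOOKALIKE_WORDS = ("sharepoint", "onedrive", "microsoft", "office365")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def is_trusted_host(host):
    """True only if host *is* a trusted suffix or a subdomain of one.
    A substring match would accept sharepoint.com.evil.example; this does not."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_own_tenant(host):
    host = host.lower()
    return host.startswith(OWN_TENANT + ".") or host.startswith(OWN_TENANT + "-my.")


def classify_share_link(url):
    """Return (verdict, reason) for one link.
    Verdicts: 'own-tenant', 'microsoft' (a real Microsoft host belonging to
    another tenant), 'lookalike', 'untrusted'."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""   # user@ prefix and :port are already stripped here
    if parts.scheme != "https" or not host:
        return ("untrusted", "not an https link to a named host")
    if is_trusted_host(host):
        if is_own_tenant(host):
            return ("own-tenant", f"{host} is your tenant's SharePoint/OneDrive")
        return ("microsoft", f"{host} is a Microsoft sharing host for another tenant")
    # Not a Microsoft host. Is it dressed up to look like one?
    if any(w in host for w in LOOKALIKE_WORDS):
        return ("lookalike", f"{host} imitates a Microsoft domain but is not under one")
    if any(w in parts.fragment.lower() for w in LOOKALIKE_WORDS):
        return ("lookalike", f"{host} is not Microsoft; the Microsoft-looking text sits "
                             "after # and is never sent to that server")
    elsewhere = " ".join(filter(None, [parts.username, parts.path, parts.query])).lower()
    if any(w in elsewhere for w in LOOKALIKE_WORDS):
        return ("lookalike", f"{host} is not Microsoft; the Microsoft-looking text is "
                             "only in the user, path or query part")
    return ("untrusted", f"{host} is not a Microsoft sharing host")


def scan_links(email_body):
    """Classify every http(s) link in an email body; trailing punctuation is dropped."""
    results = []
    for raw in URL_RE.findall(email_body):
        url = raw.rstrip(".,;:)")
        verdict, reason = classify_share_link(url)
        results.append((url, verdict, reason))
    return results


# Constructed sample notification: one bait link and one genuine own-tenant link.
SAMPLE_EMAIL = """\
Bookkeeper shared "Important Document" with you.
Open: https://docs-view.example/#https://contoso.sharepoint.com/:x:/r/Important%20Document
Earlier share: https://contoso-my.sharepoint.com/:x:/g/personal/bookkeeper_contoso_org/Q3reconciliation.
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_links(SAMPLE_EMAIL):
        print(f"{verdict:11} {url}\n            {reason}")
```

A `microsoft` verdict means the host is genuine Microsoft infrastructure, not that the file is safe: in this campaign the notification really does come from a compromised tenant’s SharePoint, so the first indicator (does the file name make sense from that sender?) still applies.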
What to do if you’ve been hit
In order:
- Change your Microsoft 365 password. Make it strong and unique. Don’t reuse it from anywhere else.
- Sign out of every device. In Outlook on the web: profile picture → “Sign out”. On myaccount.microsoft.com, “Sign out everywhere”. This forces token revocation, including the tokens the attacker is using right now.
- Check your Outlook inbox rules. Settings → Mail → Rules. Delete anything you didn’t create, especially anything moving mail to Deleted Items, Archive, RSS Feeds, or Junk.
- Check your mail forwarding. Settings → Mail → Forwarding. If forwarding is on and it’s not you, turn it off.
- Tell your IT team. If you’re an RWTS client, call us on 1300 798 718.
If you’re the IT person, the tenant-level work goes much further than that user-level checklist. You’ll need a mailbox rule audit across every account, a SharePoint sharing audit for whatever the compromised user shared in the last fortnight, an audit-log review for risky sign-ins, a forced password reset for everyone who clicked, and a compliance search to purge the bait emails from every recipient’s mailbox before more people click them.
We’ve published a first draft of our response guide here.
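Two of the tenant-level checks above, the mailbox rule audit and the forwarding audit, can be scripted against the unified audit log rather than clicked through one mailbox at a time. What follows is an added example, not part of the RWTS response guide and not RWTS code. It assumes `example.org` is your own mail domain, and the records it triages are constructed to mimic the `AuditData` JSON that `Search-UnifiedAuditLog` exports for Exchange admin operations (`New-InboxRule`, `Set-InboxRule`, `Set-Mailbox`), where the cmdlet arguments appear as a `Parameters` list of `Name`/`Value` pairs. It flags the behaviours the article describes: rules that move mail to RSS Feeds, Archive, Deleted Items or Junk, rules that delete or mark as read, and any rule or mailbox-level forwarding to an address outside the tenant. Rules created from Outlook desktop are logged as `UpdateInboxRules` in a different layout and are not parsed here, and the risky sign-in review and SharePoint sharing audit are out of scope.

```python
import json
import re

# Assumption: the tenant's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"example.org"}
# Folders the article reports attackers using to hide replies and bounces.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "junk e-mail"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
RULE_FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MAILBOX_FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def params_of(event):
    """Flatten the record's Parameters list of {Name, Value} pairs into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours
    (works on plain addresses and on the 'smtp:user@domain' form)."""
    return [a for a in EMAIL_RE.findall(value.lower())
            if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]


def triage_event(event):
    """Return a finding for one parsed AuditData record, or None if it looks benign."""
    op = event.get("Operation", "")
    params = params_of(event)
    reasons = []
    if op in RULE_OPS:
        folder = params.get("MoveToFolder", "")
        if folder.strip().lower() in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to '{folder}'")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes matching mail")
        if params.get("MarkAsRead", "").lower() == "true":
            reasons.append("marks matching mail as read")
        for name in RULE_FORWARD_PARAMS:
            ext = external_addresses(params.get(name, ""))
            if ext:
                reasons.append(f"{name} sends mail outside the tenant to {', '.join(ext)}")
    elif op == "Set-Mailbox":
        for name in MAILBOX_FORWARD_PARAMS:
            ext = external_addresses(params.get(name, ""))
            if ext:
                reasons.append(f"{name} forwards the whole mailbox to {', '.join(ext)}")
    if not reasons:
        return None
    return {"user": event.get("UserId"), "when": event.get("CreationTime"),
            "client_ip": event.get("ClientIP"), "operation": op,
            "rule": params.get("Name") or params.get("Identity"), "reasons": reasons}


def triage(audit_data_rows):
    """audit_data_rows: AuditData JSON strings, one per audit record. Returns findings."""
    findings = []
    for row in audit_data_rows:
        finding = triage_event(json.loads(row))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records in the AuditData layout; not real tenant data.
SAMPLE_ROWS = [
    json.dumps({"CreationTime": "2025-01-01T02:14:09", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "finance@example.org", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "undeliverable;shared;re:"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "StopProcessingRules", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-01-01T02:15:40", "Operation": "Set-Mailbox",
                "Workload": "Exchange", "UserId": "finance@example.org", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Identity", "Value": "finance@example.org"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@evil.example"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-01-01T09:02:11", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "minister@example.org", "ClientIP": "198.51.100.20",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "newsletter@example.org"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2025-01-01T02:13:00", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "UserId": "finance@example.org",
                "ClientIP": "203.0.113.7"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['when']} {f['user']} {f['operation']} rule={f['rule']!r} from {f['client_ip']}")
        for r in f["reasons"]:
            print("   -", r)
```

Group the findings by user and by client IP: a rule creation and a forwarding change within a minute of each other from the same address, as in the constructed sample, is the post-compromise sequence the article describes, and the `DeliverToMailboxAndForward` setting in the second record is why the victim keeps receiving mail and notices nothing.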
What stops it happening again
Three things work, in this order.
MFA on every account. Not just admins. Every account. The attackers aren’t typing passwords any more — they’re stealing session tokens through the fake OneDrive page. MFA breaks that flow when it’s enforced at sign-in. If you only do one thing after reading this, do this.
Conditional Access that blocks legacy authentication. Legacy protocols like IMAP, POP, and Basic Auth on Exchange bypass MFA entirely. Block them. While you’re there, add a policy that blocks or challenges sign-ins from countries you don’t operate in.
Continuous identity threat detection. Email filters can’t catch this because the email is legitimate — it’s a real sharing notification from a real account. What you need is a layer watching the identity itself: sign-in patterns, new inbox rules being created, mailbox forwarding changes, unusual mail flow. We deploy Huntress Identity Threat Detection & Response on Microsoft 365 tenants for exactly this. It catches the post-compromise behaviour in minutes instead of weeks.
We can help
If your church, charity, or business runs on Microsoft 365 and you’re worried, call us. We’ll audit your tenant for the indicators this campaign leaves behind, lock down conditional access and MFA, and deploy continuous monitoring if you want it.
Call 1300 798 718 or email support@rwts.com.au.
We’ve been doing this for 25 years, and we’re always delighted to help.
