Threat / Other

SharePoint temporary-access-code AiTM phishing chain: a compromised partner's SharePoint tenant sends a genuine "document shared with you" email (SPF/DKIM/DMARC pass) that gates document access behind a one-time passcode (TOTP). The user receives the code, signs in, and lands on a second-stage AiTM credential-harvesting page. Distinguishing fingerprint: authentic Microsoft sender + TOTP gate + [External] origin marker + cold thread. Disclosed by Microsoft on January 21 2026, with follow-on coverage from The Register and NCSC Switzerland; energy-sector targeting.

sharepoint-temporary-access-code-aitm-chain

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Multi-stage phishing chain that starts with a compromised partner's SharePoint tenant. The attacker uses the compromised tenant to share a document with the target, which triggers a genuine "document shared with you" notification email from Microsoft infrastructure, so SPF, DKIM, DMARC, and ARC all pass. The email requires a one-time passcode (TOTP) to open the document, which Microsoft sends to the target automatically. When the target enters the code and the document loads, the "document" is a second-stage adversary-in-the-middle (AiTM) phishing page that harvests the session cookie and downstream Microsoft 365 credentials.

Microsoft's Threat Intelligence team published this attack pattern on January 21 2026; The Register, NCSC Switzerland, and Paubox tracked follow-on coverage. Energy-sector organizations were the primary target.

The distinguishing fingerprint is the combination of an authentic Microsoft sender, a TOTP access gate, and an "[External]" or "outside your organization" banner in the body, arriving in a cold thread. A legitimate internal SharePoint share does not include the external banner, and a share from a trusted partner usually lives inside an existing mail thread.
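The four-part fingerprint above, as an added detection example written for this page. It is not Gorganizer's code: the sender-domain list, the body phrases, the field names and the contribution weight are all assumptions chosen to mirror the description, and the three sample messages are constructed, not real mail. The point the code makes is that each part on its own is normal (Microsoft really does send share notifications, partners really are external, codes really are used) and only the full combination fires.

```python
"""Illustrative detector for the SharePoint one-time-passcode AiTM share fingerprint.

Added example, not Gorganizer's code. Domains, phrases and weights are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: domain Microsoft uses for genuine share-notification mail (illustrative).
SHARE_NOTIFICATION_DOMAINS = {"sharepointonline.com"}

# Assumption: body phrases that mark a code-gated document and an external-origin banner.
CODE_GATE_RE = re.compile(
    r"\b(one[- ]time|verification|temporary|access)\s+(pass)?code\b|\benter the code\b",
    re.IGNORECASE,
)
EXTERNAL_RE = re.compile(r"\[external\]|outside (of )?your organi[sz]ation", re.IGNORECASE)
SHARE_RE = re.compile(r"shared (a|the) (file|document|folder) with you", re.IGNORECASE)


@dataclass
class Email:
    from_addr: str
    subject: str
    body: str
    auth: Dict[str, str]                 # e.g. {"spf": "pass", "dkim": "pass", "dmarc": "pass"}
    in_reply_to: Optional[str] = None    # In-Reply-To header, if any
    prior_messages_with_sharer: int = 0  # earlier mail in the mailbox involving the person who shared


def authentic_microsoft_sender(msg: Email) -> bool:
    """True when the From domain is a Microsoft share-notification domain and SPF,
    DKIM and DMARC all pass, i.e. the notification genuinely came from Microsoft."""
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    auth_ok = all(msg.auth.get(k, "").lower() == "pass" for k in ("spf", "dkim", "dmarc"))
    return domain in SHARE_NOTIFICATION_DOMAINS and auth_ok


def cold_thread(msg: Email) -> bool:
    """A share with no reply header and no earlier mail involving the sharer lacks
    the context a trusted-partner share normally arrives with."""
    return msg.in_reply_to is None and msg.prior_messages_with_sharer == 0


def fingerprint(msg: Email) -> dict:
    """Evaluate the four parts of the fingerprint and return a score contribution.

    The score feeds a multi-module decision; it is never a verdict on its own.
    The 0.85 weight is an assumption for illustration."""
    parts = {
        "genuine_share_notification": authentic_microsoft_sender(msg)
        and bool(SHARE_RE.search(msg.body)),
        "code_gate": bool(CODE_GATE_RE.search(msg.body)),
        "external_banner": bool(EXTERNAL_RE.search(msg.body)),
        "cold_thread": cold_thread(msg),
    }
    # Fire only on the full combination: an external partner share inside an
    # existing thread, or a share without a code gate, is ordinary traffic.
    fires = all(parts.values())
    return {
        "signal": "sharepoint-temporary-access-code-aitm-chain",
        "fires": fires,
        "score": 0.85 if fires else 0.0,
        "parts": parts,
    }


# Constructed sample messages (not real mail).
AUTH_PASS = {"spf": "pass", "dkim": "pass", "dmarc": "pass"}

CHAIN = Email(  # the attack pattern: genuine sender, code gate, external banner, cold thread
    from_addr="no-reply@sharepointonline.com",
    subject='Jane Doe shared "Q1 Contract.pdf" with you',
    body=("[External] This message came from outside your organization.\n"
          "Jane Doe shared a file with you. To open it, enter the one-time passcode "
          "we will send to this address."),
    auth=AUTH_PASS,
)
INTERNAL = Email(  # legitimate internal share: no external banner, known colleague
    from_addr="no-reply@sharepointonline.com",
    subject='Bob shared "Roadmap.docx" with you',
    body="Bob shared a file with you. Open",
    auth=AUTH_PASS,
    prior_messages_with_sharer=12,
)
PARTNER_IN_THREAD = Email(  # trusted partner share inside an existing thread, no code gate
    from_addr="no-reply@sharepointonline.com",
    subject='RE: Site survey: Alice shared "survey.xlsx" with you',
    body="[External] Alice shared a file with you. Open",
    auth=AUTH_PASS,
    in_reply_to="<abc123@partner.example>",
    prior_messages_with_sharer=3,
)

if __name__ == "__main__":
    for name, sample in (("chain", CHAIN), ("internal", INTERNAL), ("partner", PARTNER_IN_THREAD)):
        print(name, fingerprint(sample))
```

Running the block prints the per-part evaluation for each sample; only the constructed attack-chain message fires, while the internal share (no banner, warm relationship) and the partner share inside a thread (banner but warm thread, no code gate) each fail at least one part.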

False-positive guard

Every signal in Gorganizer feeds a multi-module score and is never a sole verdict. This is a threat-tier signal, so it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules and a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used, never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
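The decision rules in the two paragraphs above (independent module scores, a convergence requirement, a margin over the safety floor, and guards that apply before any score is consulted), as an added example written for this page. It is not Gorganizer's engine: the floor, margin, agreement count, per-module threshold, the plain-mean combination and the field names are all assumptions, since the page gives none of these values.

```python
"""Illustrative multi-module trash decision with unconditional safety guards.

Added example, not Gorganizer's code. All tuning values below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed tuning values (illustrative; the real floor and margin are not on the page).
SAFETY_FLOOR = 0.60           # combined trash score must clear this ...
REQUIRED_MARGIN = 0.10        # ... by at least this much
MIN_AGREEING_MODULES = 3      # modules that must independently flag the mail
MODULE_FLAG_THRESHOLD = 0.50  # a module "agrees" when its own score is at least this

# The six modules named on the page.
MODULES = ("headers", "sender", "subject", "body", "attachments", "structure")


@dataclass
class Candidate:
    module_scores: Dict[str, float] = field(default_factory=dict)  # per-module score in [0, 1]
    starred: bool = False
    is_reply: bool = False
    calendar_invite: bool = False
    receipt_or_invoice: bool = False
    has_attachment: bool = False


def sacred_guard(c: Candidate) -> Optional[str]:
    """Return the first unconditional guard that protects the mail, or None.
    Guards are checked before any score and cannot be outvoted by signals."""
    guards = (
        ("starred", c.starred),
        ("reply", c.is_reply),
        ("calendar-invite", c.calendar_invite),
        ("receipt-or-invoice", c.receipt_or_invoice),
        ("attachment", c.has_attachment),
    )
    for name, hit in guards:
        if hit:
            return name
    return None


def decide(c: Candidate) -> dict:
    """Combine independent module scores into keep/trash with the reason recorded.

    "trash" means Gmail's trash folder (30-day recovery), never permanent delete."""
    guard = sacred_guard(c)
    if guard is not None:
        return {"action": "keep", "reason": f"sacred guard: {guard}"}

    scores = {m: float(c.module_scores.get(m, 0.0)) for m in MODULES}
    agreeing = [m for m, s in scores.items() if s >= MODULE_FLAG_THRESHOLD]
    combined = sum(scores.values()) / len(MODULES)  # assumption: plain mean of all modules

    if len(agreeing) < MIN_AGREEING_MODULES:
        return {"action": "keep", "reason": f"insufficient convergence ({len(agreeing)} modules)",
                "combined": combined}
    if combined < SAFETY_FLOOR + REQUIRED_MARGIN:
        return {"action": "keep", "reason": "below safety floor plus margin", "combined": combined}
    return {"action": "trash", "reason": f"{len(agreeing)} modules agree, score {combined:.2f}",
            "combined": combined}


# Constructed candidates (illustrative scores, not real output).
CONVERGED = Candidate(module_scores={"headers": 0.9, "sender": 0.95, "subject": 0.7,
                                     "body": 0.85, "attachments": 0.2, "structure": 0.8})
TWO_MODULES_ONLY = Candidate(module_scores={"body": 0.95, "sender": 0.9, "headers": 0.1,
                                            "subject": 0.1, "attachments": 0.1, "structure": 0.1})
WEAK_AGREEMENT = Candidate(module_scores={"headers": 0.55, "sender": 0.55, "subject": 0.55,
                                          "body": 0.55, "attachments": 0.1, "structure": 0.1})
STARRED = Candidate(module_scores=dict(CONVERGED.module_scores), starred=True)

if __name__ == "__main__":
    for name, cand in (("converged", CONVERGED), ("two_modules", TWO_MODULES_ONLY),
                       ("weak", WEAK_AGREEMENT), ("starred", STARRED)):
        print(name, decide(cand))
```

The starred candidate carries the same high scores as the converged one and is still kept, which is the property the "unconditionally" in the text describes: the guard is evaluated first and the scores are never reached.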

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
