Cofense has a post about a threat where an attack has been seen in email phishing attempts in which a user receives an email that shows a sharepoint site. After this one possibility is:
The embedded URL in the email body delivers the recipient to a compromised SharePoint site where a malicious OneNote document is served. The document is illegible and invites the recipient to download it by clicking on yet another embedded URL, which leads to the main credential phishing page.
Cofense
We definitely suggest reading Cofense’s full post to get an in-depth view, though we will end with their explanation on how this attack gets pass security measures, ” SharePoint, the initial delivery mechanism…allow[s] the threat actor to circumvent just about any email perimeter technology.
cybersqueeze 