Attackers host phishing websites on a sharepoint.com subdomain and redirect users to malicious websites. Alternatively, they can host malicious documents that can be downloaded.
Command and Control
None
Exfiltration
None
Download
Malicious tools can be stored on *.sharepoint.com and downloaded when required.