
The SharePoint Share That Passed Every Check: A Compromised M365 Tenant With DMARC Reject and Tokenized Links

ID: 930daa45-4110-5d42-89b6-0559ae2872be

STIX ID: report--930daa45-4110-5d42-89b6-0559ae2872be

Feed Name: IRONSCALES

Threat Score: 70/100

Date Published: 2026-05-20

Date Updated: 2026-05-20

Author: [email protected] (Audian Paxson)


A compromised Microsoft 365 tenant (packnfresh.com) was used to send authentic-looking SharePoint sharing notifications that passed SPF/DKIM/DMARC and resolved to legitimate Microsoft-hosted SharePoint links containing tokenized parameters. Formatting anomalies and behavioral signals revealed the credential-harvesting phishing attempt, leading to quarantine of the mailbox and publication of IoCs and ATT&CK mappings.
