```html ``` ShareFile Has 86,000 Customers — Mostly Small Law, Accounting, and Medical Firms. They're Being Hit From Two Sides at Once, and Our Feed Already Has the Phishing Half.
top of page

ShareFile Has 86,000 Customers — Mostly Small Law, Accounting, and Medical Firms. They're Being Hit From Two Sides at Once, and Our Feed Already Has the Phishing Half.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 7 minutes ago
  • 4 min read

Earlier today we wrote about Progress telling ShareFile customers to physically power down their on-premises Storage Zone Controllers over a threat it would not name. The obvious next question is the one that decides how much this matters: who actually runs these things? Because a vulnerability's blast radius is not the CVSS score — it is the profile of the people holding the exposed box. And ShareFile's profile is a specific, soft one. We also went and checked our own brand-protection data, and found the other half of the attack already sitting in our feed.



Who runs ShareFile


When Progress bought ShareFile from Citrix in October 2024 for $875 million, it acquired more than 86,000 customers. The center of gravity of that base is not the Fortune 500. It is professional-services firms whose daily job is exchanging sensitive files with external clients: accounting firms, law firms, and financial-services shops, plus healthcare and insurance organizations that handle protected health information — ShareFile has run a dedicated HIPAA-oriented healthcare product for over a decade. Private equity and deal-driven firms use it for virtual data rooms and client portals. The heaviest industry concentrations are professional services, government, and utilities, and the typical customer skews small-to-mid — boutique firms and small businesses, not enterprises with a security operations center.


Now narrow it to the population that got the unplug order, because the advisory was scoped to on-premises Storage Zone Controllers, not the cloud majority. Choosing on-prem storage in 2026 is a deliberate act. You do it because your data is sensitive enough, or your compliance regime strict enough, that you did not want it in someone else's cloud. So the exposed set self-selects for the most data-sensitive, most regulated end of an already-sensitive base — and a thirty-lawyer firm's ShareFile appliance can hold every privileged document for every client the firm has ever had. Enormous concentrations of crown-jewel data, held by organizations with little or no dedicated security staff, on an internet-reachable file-transfer box. That is the softest possible shape, and it is the same shape that made MOVEit — also a Progress product — a year-long feast for the Cl0p extortion crew.



The other half is already in our feed


Here is the part we could check with our own data instead of guessing. ShareFile is not only a vulnerable server today. Its brand is a permanent phishing lure, because "you have a secure document waiting, log in to view it" is one of the oldest and most effective pretexts on the internet, and ShareFile's entire purpose is sending people exactly that kind of notification. So attackers impersonate it, and they have been for a long time.


We searched our own indicator feed for ShareFile-branded infrastructure and it is there, spanning from late 2025 through mid-2026 — a steady drip, not a spike. A phishing domain built to look like a document link, sharefilesdocument dot com. A credential-and-malware lure on auth-sharefile dot com, dressed up to look like a ShareFile sign-in page. A live phishing URL on login dot sharefiles dot email with a redirect chain behind it. A cluster of malware-serving hosts on the secure-files-themed e-scurefiles dot net. None of these needed a new CVE. They are the ambient, always-on half of the threat: harvest a professional-services firm's ShareFile credentials with a convincing fake login, and you do not need a remote-code-execution chain — you just log in.



Why the timing is the danger


Put the two halves together and the picture gets worse than either alone. Right now, ShareFile customers are being told to shut down servers, account access is being disabled by the vendor, and nobody has been told why. That is a state of maximum confusion for exactly the population least equipped to handle it — small firms whose "IT department" is one overworked person or an outside managed-service provider. Confusion is the phisher's oxygen. The predictable next move, and the one we would tell any of these firms to brace for, is a wave of emails that say something like "Action required: your ShareFile access has been suspended, click here to restore it." A user who just got a genuine, alarming, unexplained notice from their vendor is primed to click the fake one that follows.


So the guidance for a firm caught in this is two-handed. Follow the advisory and power the on-prem controllers down. But also, tell your people, today, that ShareFile is going to be weird for a while, that any email asking them to log in to fix their ShareFile access should be treated as hostile until verified through a channel that is not that email, and that the real remediation will never arrive as a link in an unexpected message.


Held to about ninety-five percent, because we cannot see every firm's inbox and the specific post-advisory lure has not landed in our feed yet as of this writing: the on-prem exposure is a known, scoped, act-now problem, and the brand-phishing exposure is a documented, ongoing one we can show you receipts for. The dangerous part is that a security event at the vendor and a phishing campaign against its customers do not have to be coordinated to compound each other. They just have to happen at the same time — and they are.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page