Attackers exploit SharePoint for energy sector phishing campaigns

Unknown attackers are targeting multiple energy-sector organizations by exploiting Microsoft SharePoint file-sharing services, The Register reports. The campaign aims to harvest user credentials, take over corporate inboxes, and then distribute hundreds of phishing emails from compromised accounts to contacts both inside and outside these organizations.

The attackers likely initiated access using previously compromised email addresses, sending phishing emails that contained a SharePoint URL under subject lines like "New Proposal - NDA," according to Microsoft. Users who clicked the link were redirected to a fake authentication page, leading to credential theft. Once accounts were compromised, the attackers created inbox rules to delete incoming emails and mark them as read. From these compromised inboxes, they sent out hundreds of new phishing emails to the victim's contacts, often targeting recent email threads. The attackers actively managed the compromised inboxes, deleting undeliverable messages and responding to inquiries about the phishing emails to maintain the illusion of legitimacy.
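The inbox-rule behavior described above is something defenders can hunt for in mailbox audit data. The following is an added example, not code from Microsoft, The Register, or SC Media: it flags rule-creation events that delete incoming mail, and raises severity when the rule also marks messages as read. The records are constructed, and their field layout (an `Operation` name plus `Name`/`Value` parameter pairs, sometimes exported as a JSON string) is an assumption about how the audit export is shaped.

```python
import json

# Constructed sample records (not from the campaign). Assumed layout: one audit
# event per record, with rule settings as Name/Value pairs under "Parameters".
SAMPLE_EVENTS = [
    {"CreationTime": "2025-01-10T08:14:02", "UserId": "alice@example.com",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-01-10T09:02:41", "UserId": "bob@example.com",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    # Some exports carry the event as a JSON string rather than an object.
    json.dumps({"CreationTime": "2025-01-10T11:30:00", "UserId": "carol@example.com",
                "Operation": "Set-InboxRule", "ClientIP": "198.51.100.55",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "DeleteMessage", "Value": True}]}),
    {"CreationTime": "2025-01-10T11:31:00", "UserId": "dave@example.com",
     "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.9"},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

def _is_true(value):
    # Values may arrive as booleans or as the strings "True"/"true".
    return str(value).strip().lower() == "true"

def find_suspicious_rules(events):
    """Return one finding per inbox rule that deletes incoming messages."""
    findings = []
    for raw in events:
        event = json.loads(raw) if isinstance(raw, str) else raw
        if event.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p.get("Name"): p.get("Value") for p in event.get("Parameters") or []}
        if not _is_true(params.get("DeleteMessage")):
            continue
        # Delete plus mark-as-read is the combination reported in this campaign.
        severity = "high" if _is_true(params.get("MarkAsRead")) else "review"
        findings.append({"user": event.get("UserId"), "time": event.get("CreationTime"),
                         "client_ip": event.get("ClientIP"),
                         "rule_name": params.get("Name"), "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_EVENTS):
        print(finding)
```

Findings marked `review` are common in legitimate mail hygiene rules, so they are worth correlating with the sign-in source and timing before escalating.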

This campaign highlights sophisticated attack methods that employ persistence mechanisms, such as tampering with multi-factor authentication (MFA), to bypass standard password resets. While MFA remains crucial, Microsoft recommends enabling conditional access policies and investing in anti-phishing products to mitigate such threats.

Source: The Register