The attackers likely initiated access using previously compromised email addresses, sending phishing emails containing a SharePoint URL disguised with subjects like "New Proposal - NDA," according to Microsoft.
Afghan ministry and administrative office workers have been targeted with malware-spreading phishing emails purporting to be from the office of the country's prime minister as part of the Nomad Leopard campaign, according to The Record, a news site by cybersecurity firm Recorded Future.