Phishers Abuse SharePoint in New Campaign Targeting Energy Sector

Threat actors are leveraging the file-sharing service for payload delivery in AitM phishing and BEC attacks.

Threat actors have been abusing SharePoint for payload delivery in a new phishing campaign targeting energy organizations, Microsoft warns.

One multi‑stage attack analyzed by Microsoft started with adversary‑in‑the‑middle (AitM) phishing, where the victim received an email from the compromised account of a trusted organization.

The message featured a document‑sharing workflow theme and included a SharePoint URL that directed the victim to a landing page prompting them for their Microsoft credentials.

Next, the attackers set up for business email compromise (BEC), accessing the compromised inbox and creating rules to mark all messages as read and delete incoming emails. They then sent over 600 phishing emails to the victim’s contacts, with another phishing URL.

“The recipients were identified based on the recent email threads in the compromised user’s inbox,” Microsoft explains.

The attackers monitored the compromised account, deleting undelivered and out-of-office responses, as well as messages from recipients who questioned the authenticity of the phishing emails.

“The emails and responses were then deleted from the mailbox. These techniques are common in any BEC attacks and are intended to keep the victim unaware of the attacker’s operations, thus helping in persistence,” Microsoft explains.

The attackers mounted another AitM attack against the recipients from within the organization who clicked on the phishing URL, the company notes.

To protect themselves from such attacks, organizations are advised to implement multi-factor authentication (MFA) and enable conditional access policies in Microsoft Entra.

However, because AitM attacks result in the compromise of sign-in sessions, remediation requires not only resetting the compromised users’ passwords but also revoking the sessions and verifying that MFA has not been tampered with.

“While AiTM phishing attempts to circumvent MFA, implementation of MFA remains an essential pillar in identity security and highly effective at stopping a wide variety of threats. MFA is the reason that threat actors developed the AiTM session cookie theft technique in the first place,” Microsoft notes.

Implementing continuous access evaluation and passwordless sign-in, enabling networking protection in endpoint security solutions, deploying security solutions on mobile devices, and using browsers that automatically identify and block malicious websites also help mitigate the risk associated with these attacks.
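
The inbox-rule behaviour described above can be hunted for in mailbox audit data. The following is an added example (not Microsoft's or SecurityWeek's code) that flags rules which both mark mail as read and delete it, ranking rules with no conditions highest; the JSON-lines record layout, the sample log and the function names are assumptions, while the parameter names follow Exchange's New-InboxRule cmdlet.

```python
import json

# Constructed, simplified audit records (one JSON object per line) modelled on
# Exchange inbox-rule events; users, IPs and rule names are invented.
SAMPLE_LOG = """
{"CreationTime": "2026-01-12T09:14:02", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2026-01-12T10:02:40", "UserId": "bob@example.com", "ClientIP": "198.51.100.20", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "SubjectContainsWords", "Value": "digest"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2026-01-12T11:30:15", "UserId": "carol@example.com", "ClientIP": "203.0.113.7", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "cleanup"}, {"Name": "FromAddressContainsWords", "Value": "noreply"}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "MoveToFolder", "Value": "Deleted Items"}]}
{"CreationTime": "2026-01-12T11:31:00", "UserId": "alice@example.com", "Operation": "MailItemsAccessed"}
{"CreationTime": "2026-01-12T11:32
"""

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule conditions; a rule with none of them applies to every incoming message.
CONDITIONS = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords",
              "SubjectOrBodyContainsWords", "FromAddressContainsWords"}


def classify_rule(record):
    """Return a finding if the rule marks mail as read and deletes it, else None."""
    if not isinstance(record, dict) or record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    marks_read = params.get("MarkAsRead", "").lower() == "true"
    deletes = (params.get("DeleteMessage", "").lower() == "true"
               or params.get("MoveToFolder", "").lower() == "deleted items")
    if not (marks_read and deletes):
        return None
    scoped_by = sorted(CONDITIONS.intersection(params))
    return {"user": record.get("UserId"), "time": record.get("CreationTime"),
            "ip": record.get("ClientIP"), "rule": params.get("Name"),
            # No conditions: every incoming message is hidden, so rank it highest.
            "severity": "medium" if scoped_by else "high", "scoped_by": scoped_by}


def find_hiding_rules(log_text):
    """Scan JSON-lines audit text and return findings in log order."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            finding = classify_rule(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    print(json.dumps(find_hiding_rules(SAMPLE_LOG), indent=2))
```

A finding is a lead for review, not proof of compromise: confirm it against the sign-in history for the same user and source IP before resetting credentials and revoking sessions.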

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.