What's Happening?
Microsoft has identified a new phishing campaign targeting energy organizations in which threat actors abuse SharePoint for payload delivery. The attack begins with an adversary-in-the-middle (AitM) phishing technique: victims receive emails from compromised accounts at trusted organizations. These emails contain a SharePoint URL that directs victims to a landing page prompting them for their Microsoft credentials. Once the attackers gain access, they set up business email compromise (BEC) by creating inbox rules that mark all messages as read and delete incoming emails. Over 600 phishing emails are then sent to the victim's contacts, further spreading the attack. The attackers monitor the compromised account, deleting undelivered and out-of-office responses to maintain persistence and avoid detection.
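The inbox-rule behaviour described above (mark as read plus delete with no scoping, and suppression of bounce and out-of-office replies) is something a defender can hunt for in audit logs. The check below is added example code, not anything from Microsoft's report; the record layout and field names are an assumption loosely modelled on the Microsoft 365 unified audit log for Exchange inbox-rule operations, and the records are constructed.

```python
# Constructed sample audit records (assumed layout: Operation, UserId and a
# Parameters list of Name/Value pairs, as in a unified audit log export).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.net"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "SubjectContainsWords",
                     "Value": "undeliverable;out of office"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "dave@example.com", "Parameters": []},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
HIDING_FLAGS = {"MarkAsRead", "DeleteMessage", "SoftDeleteMessage"}
BOUNCE_WORDS = ("undeliver", "out of office", "automatic reply")
SCOPE_KEYS = ("From", "SubjectContainsWords", "BodyContainsWords")

def params_of(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def classify_rule(record):
    """Return the reasons this rule record looks like BEC hiding; empty if benign."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = params_of(record)
    on_flags = [f for f in HIDING_FLAGS if p.get(f, "").lower() == "true"]
    reasons = []
    if "DeleteMessage" in on_flags or "SoftDeleteMessage" in on_flags:
        # Deleting with no sender/subject scoping hides all incoming mail.
        if not any(k in p for k in SCOPE_KEYS):
            reasons.append("deletes all incoming mail")
        if "MarkAsRead" in on_flags:
            reasons.append("marks read and deletes")
    words = p.get("SubjectContainsWords", "").lower()
    if on_flags and any(w in words for w in BOUNCE_WORDS):
        reasons.append("suppresses bounce/out-of-office replies")
    if not p.get("Name", "x").strip(". "):
        reasons.append("empty or punctuation-only rule name")
    return reasons

def find_suspicious(records):
    """Map each user with a flagged rule to the reasons it was flagged."""
    return {r["UserId"]: classify_rule(r) for r in records if classify_rule(r)}
```

Only inbox-rule creation and modification events are inspected; sign-in records pass through untouched.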
Why Is It Important?
This campaign highlights the evolving tactics of cybercriminals targeting critical sectors like energy, where a compromise can have significant implications for national security and economic stability. The use of SharePoint, a widely trusted platform, increases the likelihood of successful phishing attempts, as recipients may not suspect malicious intent. The attack underscores the importance of robust cybersecurity measures, such as multi-factor authentication (MFA) and conditional access policies, to protect sensitive data and maintain operational continuity. Organizations in the energy sector and beyond must remain vigilant and proactive in their cybersecurity strategies to mitigate such threats.
What's Next?
Organizations are advised to implement continuous access evaluation and passwordless sign-in, and to enable network protection in endpoint security solutions, to mitigate risks. Additionally, using browsers that automatically identify and block malicious websites can help prevent similar attacks. As cyber threats continue to evolve, companies must regularly update their security protocols and educate employees on recognizing phishing attempts. The energy sector, in particular, may see increased collaboration with cybersecurity firms and government agencies to enhance defenses against such sophisticated attacks.