- Hackers are exploiting SharePoint emails to steal credentials from major energy companies
- Attackers establish persistence with inbox rules and MFA manipulation to maintain access
- Microsoft advises conditional access and phishing-resistant MFA policies for defense
Hackers are again using SharePoint to target large energy companies, steal employee email credentials and further propagate the attack.
This is according to a new report from Microsoft, which claims that “several” large organizations in the energy sector were already targeted.
The attack starts from a previously compromised email account. The scammers use it for initial contact and send a legitimate-looking email with a SharePoint link. When clicked, the link redirects victims to a website where they are asked to log in.
What to do to be safe
Victims who try to log in actually share their credentials with the attackers, who gain access to real corporate email accounts and access them from a different IP address. Then they take a few steps to establish persistence while hiding from the victims.
These steps include creating inbox rules that delete incoming messages and mark them as read, so the victim never sees evidence of the compromise.
In the final step, the attackers send large volumes of new phishing emails to both internal and external contacts and distribution lists. They monitor the inbox, delete delivery errors and out-of-office (OOO) replies, and, to maintain the appearance of legitimacy, read the replies and answer questions.
Microsoft did not share the details of the campaign and its success. We do not know the exact number of organizations targeted or how many people have had their inboxes compromised as a result.
The company stressed that for those compromised, simply resetting the password will not be sufficient, because the attackers created rules and changed settings that keep their access alive even after they are locked out of the account.
“Even if the compromised user’s password is reset and sessions are revoked, the attacker can configure persistence methods to log in in a controlled manner by tampering with MFA,” Microsoft warns.
“For example, the attacker can add a new MFA policy to log in with a one-time password (OTP) sent to the attacker’s registered mobile number. With these persistence mechanisms in place, the attacker can gain control of the victim’s account despite conventional mitigation measures.”
In addition to MFA, Microsoft also proposed Conditional Access policies that can trigger alerts if certain conditions are met.
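Because a password reset does not undo a newly registered MFA method or an inbox rule, the response has to look back over the audit trail for everything the attacker changed before the reset. The following added example, which is not code from the article or from Microsoft, correlates a user's audit events with the password-reset time and lists the changes that still need to be reverted. The event shape is a constructed, simplified record (the field names loosely follow Entra ID audit logs but are assumptions, not a real export), and the corporate network range is a constructed sample value.

```python
"""List persistence changes that survive a password reset for one user."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Activities that create persistence and must be reverted by hand (assumed names).
PERSISTENCE_ACTIVITIES = {
    "User registered security info",   # new MFA method, e.g. attacker's phone
    "New-InboxRule",                    # hide-and-delete rule
    "Set-InboxRule",
}
RESET_ACTIVITIES = {"Reset user password", "Change user password"}

# Constructed sample: the corporate egress range; anything else is "foreign".
CORP_NETWORKS = [ip_network("198.51.100.0/24")]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_corporate(ip: str) -> bool:
    return any(ip_address(ip) in net for net in CORP_NETWORKS)


def residual_persistence(events, user: str, require_foreign_ip: bool = True):
    """Return persistence events for `user` that predate the last password reset.

    Those are the changes a reset alone does not undo. With require_foreign_ip
    set, only changes made from outside the corporate range are returned, which
    is the usual first cut during triage.
    """
    mine = sorted((e for e in events if e["user"] == user),
                  key=lambda e: parse_ts(e["time"]))
    resets = [parse_ts(e["time"]) for e in mine if e["activity"] in RESET_ACTIVITIES]
    cutoff = max(resets) if resets else None

    leftovers = []
    for e in mine:
        if e["activity"] not in PERSISTENCE_ACTIVITIES:
            continue
        if cutoff is not None and parse_ts(e["time"]) > cutoff:
            continue  # made after the reset: a different problem, not a leftover
        if require_foreign_ip and is_corporate(e["ip"]):
            continue
        leftovers.append(e)
    return leftovers


# Constructed audit records for one user; the attacker session is 203.0.113.7.
EVENTS = [
    {"time": "2024-05-02T08:05:00Z", "user": "j.doe@example.com",
     "activity": "Sign-in", "ip": "203.0.113.7"},
    {"time": "2024-05-02T08:09:00Z", "user": "j.doe@example.com",
     "activity": "User registered security info", "detail": "Phone", "ip": "203.0.113.7"},
    {"time": "2024-05-02T08:11:00Z", "user": "j.doe@example.com",
     "activity": "New-InboxRule", "detail": "rule '.'", "ip": "203.0.113.7"},
    {"time": "2024-05-02T10:00:00Z", "user": "j.doe@example.com",
     "activity": "Reset user password", "ip": "198.51.100.2", "actor": "helpdesk@example.com"},
    {"time": "2024-05-01T09:00:00Z", "user": "j.doe@example.com",
     "activity": "User registered security info", "detail": "Authenticator", "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for e in residual_persistence(EVENTS, "j.doe@example.com"):
        print(f"{e['time']} {e['activity']} ({e.get('detail', '')}) from {e['ip']} -> revert")
```

The output of the sample is the attacker's phone-based MFA registration and the inbox rule, both created from the foreign address before the helpdesk reset; the user's own Authenticator registration from the corporate range the day before is kept out of the list. Revoking sessions, removing the extra method and deleting the rule are the steps the reset itself does not perform.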
Via The Register