Attackers hijack SharePoint to phish energy sector with 600-email blasts

Privacy Reporter

A sophisticated phishing campaign is targeting energy organizations by exploiting Microsoft SharePoint's trusted file-sharing infrastructure. Attackers compromise corporate inboxes and use them to send hundreds of convincing phishing emails to internal and external contacts, while actively monitoring responses to maintain the deception.

A new wave of targeted phishing attacks is exploiting Microsoft SharePoint's trusted file-sharing services to compromise energy sector organizations. According to a recent Microsoft security report, attackers have successfully infiltrated multiple energy companies, harvested credentials, and used their compromised inboxes to launch further attacks.

How the Attack Works

The campaign begins with attackers using previously compromised email addresses to gain initial access to energy sector organizations. Once inside, they craft SharePoint URLs with subject lines like "New Proposal - NDA" that appear legitimate to unsuspecting recipients.

When targets click these SharePoint links, they're redirected to a credential harvesting website that mimics Microsoft's authentication page. This allows attackers to collect valid usernames and passwords for later use.

After harvesting credentials, attackers sign into compromised accounts from different IP addresses and immediately set up inbox rules to hide their activity. These rules automatically delete incoming emails and mark all messages as read, making it difficult for victims to detect the compromise.

From these compromised accounts, attackers send phishing emails to the victim's contacts. In one documented case, over 600 phishing emails were sent from a single compromised account. The attackers carefully target recipients based on recent email threads in the victim's inbox, increasing the likelihood that contacts will trust and click the malicious links.

Active Monitoring and Persistence

What makes this campaign particularly sophisticated is the attackers' active monitoring of compromised accounts. They delete out-of-office notifications and undeliverable message reports to maintain operational security. When recipients respond with questions about the legitimacy of the phishing emails, attackers reply directly to maintain the deception, then delete these conversations afterward.

If someone within the energy organization clicks a malicious SharePoint link, they're also targeted for credential theft and account takeover, creating a cascading effect throughout the organization.
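As an added example that is not from the Microsoft report or this article: a small Python detector that scores inbox-rule audit events for the hiding behaviour described above (rules that delete incoming mail or mark it read, and rules that filter out undeliverable and out-of-office replies). The record layout, field names and sample records are constructed to resemble Exchange "New-InboxRule" audit events and are assumptions, not a real log schema.

```python
# Constructed sample records, loosely modelled on Exchange "New-InboxRule" /
# "Set-InboxRule" admin-audit events. Field names are assumptions, not a real schema.
def rec(op, user, **params):
    return {"Operation": op, "UserId": user,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE_AUDIT_RECORDS = [
    rec("New-InboxRule", "alice@example-energy.test", Name=".", DeleteMessage="True", MarkAsRead="True"),
    rec("New-InboxRule", "bob@example-energy.test", Name="Newsletters",
        MoveToFolder="Newsletters", SubjectContainsWords="digest"),
    rec("Set-InboxRule", "carol@example-energy.test", Name="cleanup",
        SubjectContainsWords="undeliverable;out of office;proposal", MoveToFolder="RSS Subscriptions"),
]

# Rule features matching the hiding behaviour described in the article.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead"}
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}
SUSPICIOUS_SUBJECT_WORDS = {"undeliverable", "out of office", "automatic reply",
                            "password", "proposal", "nda"}

def score_rule(record):
    """Return (score, reasons) for one inbox-rule audit record; (0, []) for other operations."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    score, reasons = 0, []
    for action in sorted(HIDING_ACTIONS & set(params)):
        if params[action].lower() == "true":          # rule deletes or marks mail as read
            score += 2
            reasons.append(f"rule action {action}")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:              # mail parked where nobody looks
        score += 2
        reasons.append(f"moves mail to {folder}")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = words & SUSPICIOUS_SUBJECT_WORDS           # filters replies that would expose the compromise
    if hits:
        score += len(hits)
        reasons.append("filters subjects: " + ", ".join(sorted(hits)))
    if not params.get("Name", "").strip(". ,-_"):     # '.' or blank rule names are a common tell
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons

def find_suspicious_rules(records, threshold=2):
    """Return (user, score, reasons) for each record whose score reaches the threshold."""
    scored = ((r["UserId"],) + score_rule(r) for r in records)
    return [(user, s, why) for user, s, why in scored if s >= threshold]
```

In practice the records would come from an audit-log export rather than the constructed list, and a hit should be correlated with the sign-in source that created the rule.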

Why Password Resets Aren't Enough

Microsoft warns that conventional remediation measures may not fully address this threat. Even after resetting passwords and revoking active sessions, attackers can establish persistence by tampering with multi-factor authentication (MFA) settings.

The attackers can add new MFA policies that send one-time passwords (OTP) to their own registered mobile numbers, allowing them to maintain access despite password changes. This "attacker-in-the-middle" approach means they can intercept and relay messages between parties, continuing to snoop on communications and steal sensitive data.

Despite these sophisticated techniques, Microsoft emphasizes that MFA remains essential for stopping cyber threats and should be enabled across all accounts.

Organizations should also implement conditional access policies that evaluate sign-in requests using additional identity-driven signals:

  • User and group membership verification
  • IP location analysis
  • Device status checks

When these signals trigger security alerts, suspicious sign-ins can be automatically denied.

Investing in anti-phishing products that scan incoming messages and visited websites provides another layer of defense against these attacks.

The energy sector remains a high-value target for cybercriminals due to its critical infrastructure role. This campaign demonstrates how attackers are increasingly leveraging trusted services like SharePoint rather than breaking through security perimeters directly.

Microsoft has not disclosed how many organizations were compromised or whether the attacks remain ongoing. The identity of the attackers also remains unknown.

For more information about Microsoft SharePoint security, visit the official SharePoint documentation.

Learn more about Microsoft's security recommendations for protecting against phishing attacks.