Hackers have been using SharePoint to target multiple energy companies. This time, the attackers snatched employee credentials and hijacked email accounts to spread phishing attacks.
Microsoft Defender researchers uncovered a malicious campaign where hackers used adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication entirely. The attack started with an already compromised company account, which was used to gain access to other emails and credentials inside the targeted organization.
Hackers used the "ground zero" account to send phishing emails disguised as legitimate SharePoint document-sharing notifications. When victims clicked the links inside the malicious email, it redirected them to a decoy website, which prompted them to log in and collected their passwords and session cookies.
Once inside multiple legitimate accounts, the attackers set up inbox rules to auto-delete incoming emails and mark everything as read to keep the victims completely in the dark.
The final phase of this "campaign" involved sending off 600 phishing emails to the victims' contacts, both inside and outside the affected organizations.
The hackers also kept a close eye on compromised mailboxes. They deleted bounce-back notifications and out-of-office replies to stay hidden. When recipients got suspicious and asked about the emails, the attackers jumped in, reassured them everything was fine, then wiped the conversation.
Microsoft addressed this case in an official statement and advised organizations to revoke session cookies, remove the inbox rules attackers created, and check for unauthorized MFA changes, as simple password resets wouldn’t help in this case.
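The inbox-rule trick described above (delete incoming mail and mark it as read so the victim never sees replies, bounces or warnings) is one of the few durable artifacts an AiTM intrusion leaves behind, which is why Microsoft's advice pairs "remove the rules" with "revoke the sessions". The following script is an added example written for this article, not Microsoft's tooling or anything from the campaign write-up. It triages a JSON export of inbox rules for that pattern and emits the remediation steps listed above per hit. The field names (`MailboxOwnerId`, `DeleteMessage`, `MarkAsRead`, `ForwardTo`, `SubjectContainsWords`) assume the export came from Exchange Online's `Get-InboxRule` piped through `ConvertTo-Json`; the sample records and mailbox addresses are constructed.

```python
"""Triage exported mailbox inbox rules for the AiTM concealment pattern:
rules that delete and mark-as-read, forward mail out, or specifically
swallow bounce and out-of-office messages.

Field names assume an Exchange Online `Get-InboxRule | ConvertTo-Json`
export (assumption). All sample data below is constructed for this example.
"""
import json
from dataclasses import dataclass, field

# Constructed sample export: three mailboxes, four rules. Not real data.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "alice@example.invalid", "Name": "Cleanup",
     "Enabled": True, "DeleteMessage": True, "MarkAsRead": True,
     "MoveToFolder": None, "ForwardTo": [], "SubjectContainsWords": []},
    {"MailboxOwnerId": "bob@example.invalid", "Name": "Newsletter",
     "Enabled": True, "DeleteMessage": False, "MarkAsRead": False,
     "MoveToFolder": "Newsletters", "ForwardTo": [],
     "SubjectContainsWords": ["digest"]},
    {"MailboxOwnerId": "bob@example.invalid", "Name": ".",
     "Enabled": True, "DeleteMessage": False, "MarkAsRead": True,
     "MoveToFolder": "RSS Subscriptions", "ForwardTo": [],
     "SubjectContainsWords": ["Undeliverable", "Out of Office"]},
    {"MailboxOwnerId": "carol@example.invalid", "Name": "Archive",
     "Enabled": False, "DeleteMessage": True, "MarkAsRead": True,
     "MoveToFolder": None, "ForwardTo": [], "SubjectContainsWords": []},
])

# Subject keywords attackers filter on to hide the traces of their own sends.
BOUNCE_WORDS = {"undeliverable", "out of office", "automatic reply", "delivery"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def remediation_for(mailbox: str, rule: str) -> list:
    """Remediation steps from Microsoft's guidance, ordered so that a
    password reset is not done before live AiTM sessions are killed."""
    return [
        f"revoke all active sessions and refresh tokens for {mailbox}",
        f"remove inbox rule {rule!r} from {mailbox} and check the mailbox audit log for who created it",
        f"review MFA methods registered on {mailbox} for devices or numbers the user does not recognize",
        f"reset the password for {mailbox} only after sessions are revoked (a reset alone does not end an AiTM session)",
    ]


def triage_inbox_rules(export_json: str) -> list:
    """Return a Finding for every enabled rule that matches a concealment trait."""
    findings = []
    for r in json.loads(export_json):
        if not r.get("Enabled", True):
            continue  # a disabled rule cannot hide mail; review it manually
        reasons = []
        if r.get("DeleteMessage") and r.get("MarkAsRead"):
            reasons.append("deletes and marks as read (victim never sees the mail)")
        elif r.get("DeleteMessage"):
            reasons.append("deletes incoming mail")
        if r.get("ForwardTo"):
            reasons.append("forwards mail to " + ", ".join(r["ForwardTo"]))
        words = {w.lower() for w in (r.get("SubjectContainsWords") or [])}
        hits = words & BOUNCE_WORDS
        if hits:
            reasons.append("targets bounce/auto-reply subjects: " + ", ".join(sorted(hits)))
        if len(r.get("Name", "")) <= 2:
            reasons.append("near-empty rule name")  # a common attacker habit
        if reasons:
            mailbox, rule = r["MailboxOwnerId"], r["Name"]
            findings.append(Finding(mailbox, rule, reasons, remediation_for(mailbox, rule)))
    return findings


def affected_mailboxes(findings: list) -> list:
    """Distinct mailboxes that need session revocation, sorted."""
    return sorted({f.mailbox for f in findings})


if __name__ == "__main__":
    for f in triage_inbox_rules(SAMPLE_EXPORT):
        print(f"{f.mailbox} rule {f.rule!r}: " + "; ".join(f.reasons))
        for a in f.actions:
            print("   -", a)
```

Bob's "Newsletter" rule moves mail to a folder but is otherwise benign and is not flagged; his "." rule is flagged twice (it singles out bounce and out-of-office subjects, and its name is a single character), which is exactly the trace the attackers in this campaign left by suppressing those replies. Carol's disabled rule is skipped on purpose: it cannot hide anything while off, but the script's comment notes it should still be eyeballed.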
The full scope of this campaign is unknown. The Register asked Microsoft for more details, like how many organizations were affected and if Redmond has any idea who might be behind the attack. Microsoft declined to answer the question.
If you work inside an organization that could be a potential target for similar attacks, make sure to double-check any SharePoint notifications before clicking on them and reevaluate your security protocols.