www.trendmicro.com 3/18/2026, 10:02:21 AM

From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

The Trend Micro article From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA details how attackers first found an exposed Spring Boot Actuator endpoint, harvested sensitive configuration data from its /env and /configprops outputs, and used that reconnaissance to target a SharePoint service account.
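What an exposed /actuator/env response gives away, and how a responder can triage a captured one to decide what must be rotated, as an added example that is not the article's own code or data. The JSON is a constructed payload in the Spring Boot 2.x /env layout with invented property names and values. The point it demonstrates is that the default sanitizer masks only values whose key names contain a few hints such as password, secret, key and token, so a service-account password stored under a key like sharepoint.svc.pw, or a password embedded in a JDBC URL, comes back in clear text.

```python
"""Triage a captured Spring Boot Actuator /actuator/env response for leaked secrets.

Added example: not code or data from the Trend Micro article. SAMPLE_ENV_RESPONSE is a
constructed payload in the Spring Boot 2.x /env layout; every key and value is invented.
"""
import json
import re

# Constructed /actuator/env response (Spring Boot 2.x layout: propertySources -> properties).
SAMPLE_ENV_RESPONSE = json.dumps({
    "activeProfiles": ["prod"],
    "propertySources": [
        {"name": "systemEnvironment", "properties": {
            "PATH": {"value": "/usr/bin:/bin"},
            "DB_PASSWORD": {"value": "******"},          # masked: key name contains "password"
        }},
        {"name": "applicationConfig: [classpath:/application.yml]", "properties": {
            "sharepoint.svc.user": {"value": "svc-sharepoint@example.test"},
            "sharepoint.svc.pw": {"value": "Winter2024!"},   # not masked: "pw" is not a default hint
            "azure.app.client-id": {"value": "11111111-2222-3333-4444-555555555555"},
            "azure.app.client-secret": {"value": "******"},  # masked: key name contains "secret"
            "spring.datasource.url": {
                "value": "jdbc:postgresql://db:5432/app?user=app&password=hunter2"},  # query-string creds
        }},
    ],
})

# Key-name fragments to treat as secrets. The first four are the kind of hints Spring Boot 2.x
# masks by default; the rest are common naming habits that the default rules miss.
SECRET_KEY_HINTS = ("password", "secret", "key", "token", "credential", "pwd", "pw", "pass")
# Key-name fragments that are not secrets but tell an attacker which identity to go after.
RECON_KEY_HINTS = ("user", "client-id", "clientid", "tenant")
# Values that carry a credential even when the key name is innocuous.
VALUE_PATTERNS = (
    re.compile(r"[?&;]password=[^&\s;]+", re.I),   # ...?user=app&password=hunter2
    re.compile(r"://[^/\s:@]+:[^@\s]+@"),          # scheme://user:pass@host
)


def is_masked(value):
    """Spring Boot's sanitizer replaces a masked value with a run of asterisks."""
    return isinstance(value, str) and value != "" and set(value) == {"*"}


def classify(name, value):
    """Return a finding label for one property, or None if it is harmless or already masked."""
    if is_masked(value):
        return None
    lname = name.lower()
    if any(hint in lname for hint in SECRET_KEY_HINTS):
        return "unmasked secret (key name)"
    if isinstance(value, str) and any(p.search(value) for p in VALUE_PATTERNS):
        return "secret embedded in value"
    if any(hint in lname for hint in RECON_KEY_HINTS):
        return "identity reconnaissance"
    return None


def triage_env(response_json):
    """Walk every property source and return the properties a defender must act on."""
    findings = []
    for source in json.loads(response_json).get("propertySources", []):
        for name, prop in source.get("properties", {}).items():
            label = classify(name, prop.get("value"))
            if label:
                findings.append({"source": source["name"], "name": name, "reason": label})
    return findings


if __name__ == "__main__":
    for f in triage_env(SAMPLE_ENV_RESPONSE):
        print(f"{f['reason']:<30} {f['name']}  ({f['source']})")
```

On the application side the fix is to stop exposing the endpoint at all (restrict management.endpoints.web.exposure.include to health) and, on Spring Boot 3, to leave management.endpoint.env.show-values at its default of never so that every value is masked regardless of key name; the triage above is for the forensic side, where the response has already been served and every credential it contained has to be assumed stolen.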

The intrusion then progressed through plaintext secrets stored in a spreadsheet, including a client secret for an internal Azure AD application, and culminated in a Resource Owner Password Credentials (ROPC) login. Because that legacy grant submits the username and password directly to the token endpoint with no interactive step, an account that is allowed to use it is never prompted for a second factor; Azure AD issued tokens that gave access to SharePoint Online through Microsoft Graph. Logs show the attacker exfiltrated SharePoint data after authenticating with the obtained credentials; the article's phase four describes site access, library enumeration, and file downloads.

The analysis notes that the threat actor authenticated successfully using the internal _[REDACTED]-2024_ credentials and a SharePoint service account password taken from application.yml, highlighting the risk of legacy OAuth 2.0 flows and password-only sign-ins. Published on 18 March 2026, according to Trend Micro, the piece also points to TrendAI Vision One CREM as a preventive tool for correlating identity, configuration, and cloud-authentication exposures to reduce such credential abuse.
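Detection logic for the authentication pattern the article describes: a successful ROPC, password-only sign-in by a service account, followed by bulk SharePoint downloads from the same source address. This is an added example, not the article's own detection or log data. The sign-in records are constructed but use the Microsoft Graph signIn field names (authenticationProtocol, authenticationRequirement, status.errorCode); the audit records are constructed in the Office 365 unified audit log shape (Operation, UserId, ClientIP, SiteUrl); the UPNs, IP addresses, site URLs and app ids are invented.

```python
"""Correlate password-only (ROPC) Azure AD sign-ins with the SharePoint downloads that follow.

Added example: not detection logic or log data from the Trend Micro article. SIGN_INS uses the
Microsoft Graph signIn field names; AUDIT uses Office 365 unified audit log field names. Every
record, UPN, IP address and app id below is constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed Azure AD sign-in records (Graph signIn resource field names).
SIGN_INS = [
    {   # Human user, interactive OAuth2 flow, MFA satisfied: benign baseline.
        "createdDateTime": "2026-03-10T08:02:11Z", "userPrincipalName": "alice@example.test",
        "appId": "00000000-0000-0000-0000-00000000aaaa", "authenticationProtocol": "oAuth2",
        "authenticationRequirement": "multiFactorAuthentication",
        "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10",
        "status": {"errorCode": 0},
    },
    {   # ROPC attempt with a wrong password: AADSTS50126, no token issued.
        "createdDateTime": "2026-03-10T09:11:40Z", "userPrincipalName": "svc-sharepoint@example.test",
        "appId": "00000000-0000-0000-0000-00000000bbbb", "authenticationProtocol": "ropc",
        "authenticationRequirement": "singleFactorAuthentication",
        "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.77",
        "status": {"errorCode": 50126},
    },
    {   # ROPC success with the leaked service-account password: password only, no MFA step exists.
        "createdDateTime": "2026-03-10T09:14:03Z", "userPrincipalName": "svc-sharepoint@example.test",
        "appId": "00000000-0000-0000-0000-00000000bbbb", "authenticationProtocol": "ropc",
        "authenticationRequirement": "singleFactorAuthentication",
        "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.77",
        "status": {"errorCode": 0},
    },
]

# Constructed SharePoint Online audit records (unified audit log field names).
AUDIT = [
    {"CreationTime": "2026-03-09T17:00:00Z", "Operation": "FileDownloaded",
     "UserId": "svc-sharepoint@example.test", "ClientIP": "10.20.30.40",
     "SiteUrl": "https://contoso.example.test/sites/Finance/",
     "ObjectId": "Shared Documents/Q1-forecast.xlsx"},            # before the sign-in: legitimate job
    {"CreationTime": "2026-03-10T08:10:00Z", "Operation": "FileDownloaded",
     "UserId": "alice@example.test", "ClientIP": "203.0.113.10",
     "SiteUrl": "https://contoso.example.test/sites/HR/",
     "ObjectId": "Shared Documents/handbook.pdf"},
    {"CreationTime": "2026-03-10T09:20:15Z", "Operation": "FileDownloaded",
     "UserId": "SVC-SharePoint@example.test", "ClientIP": "198.51.100.77",   # UPN case varies in logs
     "SiteUrl": "https://contoso.example.test/sites/Finance/",
     "ObjectId": "Shared Documents/Q1-forecast.xlsx"},
    {"CreationTime": "2026-03-10T09:31:02Z", "Operation": "FileDownloaded",
     "UserId": "svc-sharepoint@example.test", "ClientIP": "198.51.100.77",
     "SiteUrl": "https://contoso.example.test/sites/Finance/",
     "ObjectId": "Shared Documents/payroll.csv"},
    {"CreationTime": "2026-03-10T09:40:48Z", "Operation": "FileSyncDownloadedFull",
     "UserId": "svc-sharepoint@example.test", "ClientIP": "198.51.100.77",
     "SiteUrl": "https://contoso.example.test/sites/Legal/",
     "ObjectId": "Shared Documents/contracts.zip"},
]

DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_only_sign_ins(sign_ins):
    """Successful sign-ins that never went through a second factor.

    ROPC is the textbook case, but any success tagged singleFactorAuthentication means a
    password alone was enough for that account, whichever flow delivered it.
    """
    return [s for s in sign_ins
            if s["status"]["errorCode"] == 0
            and (s["authenticationProtocol"] == "ropc"
                 or s["authenticationRequirement"] == "singleFactorAuthentication")]


def correlate(sign_ins, audit, window=timedelta(hours=24)):
    """For each password-only sign-in, gather the downloads that account made inside the window."""
    alerts = []
    for s in password_only_sign_ins(sign_ins):
        start = parse_ts(s["createdDateTime"])
        user = s["userPrincipalName"].lower()
        downloads = [a for a in audit
                     if a["UserId"].lower() == user and a["Operation"] in DOWNLOAD_OPS
                     and start <= parse_ts(a["CreationTime"]) <= start + window]
        alerts.append({
            "user": user,
            "protocol": s["authenticationProtocol"],
            "sign_in_ip": s["ipAddress"],
            "downloads": len(downloads),
            "sites": sorted({a["SiteUrl"] for a in downloads}),
            # The same source IP for token issuance and for the SharePoint calls ties them together.
            "ip_matches": bool(downloads) and all(a["ClientIP"] == s["ipAddress"] for a in downloads),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGN_INS, AUDIT):
        print(alert)
```

The failed attempt with errorCode 50126 is deliberately left out of the alert: only a success mints a token, although a run of such failures against a service account is its own early warning. The lasting fix is to block ROPC for the tenant and put service accounts behind a Conditional Access policy, so the password alone is never enough in the first place.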


Article by CyberSIXT