www.securityweek.com 1/23/2026, 1:31:12 PM

Phishers Abuse SharePoint in New Campaign Targeting Energy Sector

Phishers are abusing SharePoint for payload delivery in a new phishing campaign aimed at energy organisations, according to Microsoft. The multi‑stage operation begins with adversary‑in‑the‑middle (AiTM) phishing, where an email from a compromised trusted account leads victims to a SharePoint‑hosted landing page asking for Microsoft credentials.

The attackers then pivot to business email compromise: they access the inbox, create rules to mark messages as read and delete incoming emails, and send more than 600 phishing emails, containing another phishing URL, to the original contact list. The campaign then progressed to an additional AiTM‑style attack against recipients who clicked the phishing link, with the attackers monitoring and deleting undelivered or questioned responses to keep their activity hidden.

To help mitigate such schemes, organisations are urged to enable multi‑factor authentication and apply conditional access policies in Microsoft Entra, while remediation may require resetting passwords, revoking sessions, and ensuring MFA has not been bypassed. The piece underscores MFA’s ongoing value against a range of credential‑theft techniques.
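The post-compromise pattern described above (an inbox rule that both marks mail as read and deletes it, followed by a burst of outbound mail) can be hunted for in mailbox audit data. The following is an added example, not code from the article or from Microsoft: the record layout is a simplified model of Microsoft 365 audit records, and the threshold, window, helper names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: simplified audit records with UserId, Operation, CreationTime, Parameters.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
HIDING_PARAMS = {"MarkAsRead", "DeleteMessage"}  # the rule behaviour the article describes
SEND_THRESHOLD = 100           # assumed tuning value, not taken from the article
WINDOW = timedelta(hours=24)   # assumed correlation window after rule creation

def is_hiding_rule(record):
    """True if an inbox-rule event both marks mail as read and deletes it."""
    if record["Operation"] not in RULE_OPS:
        return False
    enabled = {p["Name"] for p in record.get("Parameters", [])
               if str(p["Value"]).lower() == "true"}
    return HIDING_PARAMS <= enabled

def find_suspect_mailboxes(records):
    """Return {user: send_count} where a hiding rule is followed by a send burst."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["UserId"]].append(r)
    suspects = {}
    for user, events in by_user.items():
        for ev in events:
            if not is_hiding_rule(ev):
                continue
            start = ev["CreationTime"]
            sends = sum(1 for r in events if r["Operation"] == "Send"
                        and start <= r["CreationTime"] <= start + WINDOW)
            if sends >= SEND_THRESHOLD:
                suspects[user] = max(sends, suspects.get(user, 0))
    return suspects

def build_sample():
    """Constructed sample records (not real telemetry)."""
    t0 = datetime(2026, 1, 20, 9, 0, 0)
    rule = {"UserId": "alice@example.com", "Operation": "New-InboxRule",
            "CreationTime": t0,
            "Parameters": [{"Name": "MarkAsRead", "Value": "True"},
                           {"Name": "DeleteMessage", "Value": "True"}]}
    burst = [{"UserId": "alice@example.com", "Operation": "Send",
              "CreationTime": t0 + timedelta(seconds=10 * i)} for i in range(1, 601)]
    benign = [{"UserId": "bob@example.com", "Operation": "New-InboxRule",
               "CreationTime": t0,
               "Parameters": [{"Name": "MarkAsRead", "Value": "True"}]},
              {"UserId": "bob@example.com", "Operation": "Send",
               "CreationTime": t0 + timedelta(minutes=5)}]
    return [rule] + burst + benign
```

Calling `find_suspect_mailboxes(build_sample())` flags only the constructed `alice@example.com` mailbox; a hit is a prompt to review the rule and the sent items before resetting the password and revoking sessions.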


Article by CyberSIXT