- Hackers exploit SharePoint emails to steal credentials from big energy companies
- Attackers establish persistence with inbox rules and MFA manipulation to maintain access
- Microsoft recommends phishing-resistant MFA and conditional access policies for defense
Hackers are once again using SharePoint to attack large energy companies, stealing employee email credentials and further spreading the attack.
This is according to a new report from Microsoft, which claims that “multiple” large organizations in the energy sector have already been attacked.
The attack starts from a previously compromised email account. Criminals use it for initial contact, sending a seemingly legitimate email with a SharePoint link. Upon clicking, the link redirects victims to a credential harvesting website, where they are prompted to log in.
What to do to stay safe
Victims who attempt to log in are actually handing their credentials to the attackers, who then sign in to the real corporate email accounts from a different IP address. After that, they take several steps to establish persistence while staying hidden from the victims.
Those steps include creating an inbox rule to delete incoming messages and marking emails as read.
In the final step, the attackers send large volumes of new phishing emails to internal and external contacts, as well as to distribution lists. The compromised inboxes are monitored, delivery-failure and out-of-office (OOO) replies are deleted, and, to maintain the appearance of legitimacy, responses are read and questions answered.
Microsoft did not share details about the campaign and its success. We don’t know the exact number of organizations attacked or how many people had their inboxes compromised as a result.
The company emphasized that for those who are compromised, simply resetting the password will not be enough, as the criminals will have created rules and changed settings that keep their access alive even after the original foothold is removed.
“Even if the compromised user’s password is reset and sessions revoked, the attacker can configure persistence methods to log in in a controlled manner by manipulating MFA,” Microsoft warns.
“For example, the attacker can add a new MFA policy to log in with a one-time password (OTP) sent to the attacker’s registered mobile number. With these persistence mechanisms in place, the attacker can gain control over the victim’s account despite conventional remediation measures.”
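The two persistence steps described above (the inbox rule that deletes or marks mail as read, and the extra MFA method registered to the attacker's phone) both leave audit records that a defender can hunt for. The following script is an added example, not code from the Microsoft report or from TechRadar; it runs over a small set of constructed events whose field names (`op`, `params`, `detail`) are a simplified stand-in for a Microsoft 365 audit export, not the real schema. It flags suspicious inbox rules (delete, mark as read, targeting bounce and out-of-office replies, empty or one-character names), flags new MFA method registrations, and notes whether each happened shortly after a sign-in from an IP address outside the user's known baseline.

```python
"""Hunt for inbox-rule and MFA persistence in (constructed) audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are simplified and do not follow the
# real Microsoft 365 audit log schema; treat them as illustrative only.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:02:00", "user": "alice@example.com",
     "op": "UserLoggedIn", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:05:00", "user": "alice@example.com",
     "op": "New-InboxRule",
     "params": {"Name": ".", "DeleteMessage": True, "MarkAsRead": True}},
    {"time": "2024-05-01T09:06:00", "user": "alice@example.com",
     "op": "Set-InboxRule",
     "params": {"Name": "Cleanup", "DeleteMessage": True,
                "SubjectContainsWords": ["Undeliverable", "Automatic reply"]}},
    {"time": "2024-05-01T09:07:00", "user": "alice@example.com",
     "op": "User registered security info", "detail": "Phone",
     "ip": "203.0.113.10"},
    {"time": "2024-05-01T10:00:00", "user": "bob@example.com",
     "op": "UserLoggedIn", "ip": "198.51.100.5"},
    {"time": "2024-05-01T10:01:00", "user": "bob@example.com",
     "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

# Constructed baseline: egress addresses the organisation normally uses.
KNOWN_IPS = {"198.51.100.5"}

# Subject words that bounce and out-of-office replies typically carry.
SUSPICIOUS_SUBJECT_WORDS = ("undeliverable", "delivery failure",
                            "out of office", "automatic reply")


def rule_reasons(params):
    """Return the reasons an inbox rule looks like attacker persistence."""
    reasons = []
    if params.get("DeleteMessage"):
        reasons.append("rule deletes incoming mail")
    if params.get("MarkAsRead"):
        reasons.append("rule marks mail as read")
    words = [w.lower() for w in params.get("SubjectContainsWords", [])]
    if any(s in w for w in words for s in SUSPICIOUS_SUBJECT_WORDS):
        reasons.append("rule targets bounce or out-of-office replies")
    if len(params.get("Name", "").strip()) <= 1:
        reasons.append("rule has an empty or single-character name")
    return reasons


def _parse(ts):
    return datetime.fromisoformat(ts)


def hunt(events, known_ips=KNOWN_IPS, window=timedelta(hours=2)):
    """Flag persistence events and correlate them with unfamiliar-IP logins."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: _parse(e["time"]))
        # Sign-ins from addresses outside the baseline for this user.
        odd_logins = [_parse(e["time"]) for e in user_events
                      if e["op"] == "UserLoggedIn"
                      and e.get("ip") not in known_ips]
        for event in user_events:
            reasons = []
            if event["op"] in ("New-InboxRule", "Set-InboxRule"):
                reasons = rule_reasons(event.get("params", {}))
            elif event["op"] == "User registered security info":
                reasons = ["new MFA method registered: %s"
                           % event.get("detail", "unknown")]
            if not reasons:
                continue
            when = _parse(event["time"])
            near_login = any(timedelta(0) <= when - login <= window
                             for login in odd_logins)
            findings.append({"user": user, "time": event["time"],
                             "op": event["op"], "reasons": reasons,
                             "after_unfamiliar_ip_login": near_login})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In practice the baseline of known addresses would come from a sign-in history rather than a constant, and the correlation window should be tuned to how quickly the team can respond; the point of the time-window check is that a rule or MFA change landing minutes after a sign-in from an unfamiliar address is the pattern the report describes, and it is what should drive the revocation of sessions, removal of the rule and MFA method, and a password reset together rather than the reset alone.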
In addition to phishing-resistant MFA, Microsoft also suggested conditional access policies that can raise alerts when certain conditions are met.
Via The Register