- Attackers send SharePoint-themed phishing emails to steal credentials from major energy companies.
- They establish persistence with inbox rules and by tampering with the victim's MFA settings.
- Microsoft advises Conditional Access policies and phishing-resistant MFA as defences.
Attackers are once again using SharePoint lures to target large energy companies, steal employee credentials and spread the attack from the mailboxes they take over.
That’s according to a new report from Microsoft, which claims that “several” large organizations in the energy sector were already targeted.
The attack starts from a previously compromised email account. The attackers use it for the first contact, sending a legitimate-looking email containing a SharePoint link. When clicked, the link redirects victims to a credential-harvesting page, where they are asked to log in.
What to do to stay safe
Victims who attempt to log in are actually handing their credentials to the attackers, who then sign in to the real corporate mailbox from a different IP address. After that, they take steps to establish persistence while staying hidden from the victim.
These steps include creating inbox rules that delete incoming messages or mark them as read.
In the final stage, the attackers send large volumes of new phishing emails to internal and external contacts, including distribution lists. They monitor the inbox, delete delivery failures and out-of-office replies, and, to keep up the appearance of legitimacy, read replies and answer questions.
Microsoft has not shared details of the campaign's scale or success. We do not know the exact number of organizations targeted, or how many people had their inboxes compromised.
The company stressed that for compromised accounts a simple password reset is not enough, as the attackers have created rules and changed settings that give them persistence even after they are locked out.
“Even if the compromised user’s password is reset and sessions revoked, the attacker can configure persistence methods to log in in a controlled manner by tampering with MFA,” Microsoft warns.
“For example, the attacker can add a new MFA policy to log in with a one-time password (OTP) sent to the attacker’s registered mobile number. With these persistence mechanisms in place, the attacker can control the victim’s account despite conventional remediation measures.”
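The two persistence mechanisms described above, hidden inbox rules and an attacker-registered OTP method, are exactly what a password reset leaves behind. The script below is an added example, not code from Microsoft's report or from the article: it reports both mechanisms for one mailbox and, with `-Remediate`, removes them in an order that cuts the attacker off before the password is changed. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the operator holds Exchange and authentication-method administrator rights; the script name and the contoso.com addresses are placeholders.

```powershell
# Find-MailboxPersistence.ps1 (hypothetical name) - added example, not code from Microsoft's
# report or the article. Reports, and with -Remediate removes, the two persistence mechanisms
# described above: inbox rules that hide mail, and attacker-registered MFA methods.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that
# the operator has Exchange and authentication-method administrator rights. The contoso.com
# addresses are placeholders.
param(
    [Parameter(Mandatory)] [string] $Victim,    # compromised user, e.g. 'jdoe@contoso.com'
    [string] $Admin = 'admin@contoso.com',      # account running the investigation
    [switch] $Remediate                         # without it the script only reports
)

Connect-ExchangeOnline -UserPrincipalName $Admin -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# 1. Inbox rules that delete, mark as read, forward or redirect mail. -IncludeHidden also
#    returns rules created through protocols that Outlook does not display.
$suspect = @(Get-InboxRule -Mailbox $Victim -IncludeHidden | Where-Object {
    $_.DeleteMessage -or $_.MarkAsRead -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
})
"Suspicious inbox rules: $($suspect.Count)"
$suspect | Format-Table Name, Enabled, DeleteMessage, MarkAsRead, ForwardTo, RedirectTo, Description -AutoSize

# 2. Who created or changed rules on this mailbox in the last 30 days, and from which IP.
#    The unified audit log records New-InboxRule/Set-InboxRule together with their parameters.
$auditParams = @{
    StartDate  = (Get-Date).AddDays(-30)
    EndDate    = Get-Date
    UserIds    = $Victim
    Operations = 'New-InboxRule', 'Set-InboxRule'
    ResultSize = 5000
}
Search-UnifiedAuditLog @auditParams | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When     = $_.CreationDate
        Op       = $d.Operation
        ClientIP = $d.ClientIP
        Params   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
} | Format-Table -AutoSize

# 3. Every MFA method registered on the account. A phone number or e-mail address the user
#    does not recognise is the OTP persistence Microsoft describes; confirm with the user
#    over a channel the attacker does not control.
Get-MgUserAuthenticationMethod -UserId $Victim | Select-Object Id,
    @{ n = 'Type';   e = { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } },
    @{ n = 'Detail'; e = {
        $p = $_.AdditionalProperties
        @($p['phoneNumber'], $p['emailAddress'], $p['displayName']) | Where-Object { $_ } | Select-Object -First 1
    } } | Format-Table -AutoSize

if (-not $Remediate) { return }

# 4. Invalidate refresh tokens first so the attacker's existing sessions stop working.
Revoke-MgUserSignInSession -UserId $Victim | Out-Null

# 5. Delete (not merely disable) the rules so they cannot simply be switched back on.
$suspect | ForEach-Object { Remove-InboxRule -Mailbox $Victim -Identity $_.Identity -Confirm:$false }

# 6. Drop phone and e-mail OTP methods; the user re-registers through a verified channel.
Get-MgUserAuthenticationPhoneMethod -UserId $Victim | ForEach-Object {
    Remove-MgUserAuthenticationPhoneMethod -UserId $Victim -PhoneAuthenticationMethodId $_.Id
}
Get-MgUserAuthenticationEmailMethod -UserId $Victim | ForEach-Object {
    Remove-MgUserAuthenticationEmailMethod -UserId $Victim -EmailAuthenticationMethodId $_.Id
}

# 7. Only now reset the password. On its own (the article's point) this step would have left
#    the rules and the extra OTP method in place.
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Victim -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
"Temporary password set; deliver it to the user over a channel the attacker cannot read."
```

Run it once without `-Remediate` to see what is there, then again with the switch. For a tenant-wide sweep after a campaign like this one, feed `Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox` into step 1, since the attackers mail internal contacts from the first victim's inbox and any of them may have been phished in turn.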
Besides phishing-resistant MFA, Microsoft has also suggested Conditional Access policies, which evaluate each sign-in against signals such as the user's group membership, location, device state and sign-in risk, and require extra proof or block access when those conditions are met.
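What those two recommendations look like in practice, as an added example that is not from Microsoft's report or the article: two Conditional Access policies created through Microsoft Graph PowerShell. The first requires the built-in "Phishing-resistant MFA" authentication strength (FIDO2 security keys, passkeys, Windows Hello for Business or certificate-based authentication, none of which a credential-harvesting page can relay); the second blocks sign-ins that Entra ID Protection rates as high risk, which needs an Entra ID P2 licence. Both are created in report-only mode so the sign-in logs show the impact before anything is enforced. `$BreakGlassGroupId` is a placeholder for the group containing emergency-access accounts, which must be excluded from any policy of this kind.

```powershell
# New-PhishingResistantCaPolicies.ps1 (hypothetical name) - added example, not code from
# Microsoft's report or the article. Creates two report-only Conditional Access policies.
# Assumes the Microsoft.Graph module is installed and the operator can write CA policy.
param(
    [Parameter(Mandatory)] [string] $BreakGlassGroupId   # placeholder: group of emergency-access accounts
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Look the built-in strength up by name rather than hard-coding its identifier.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" authentication strength not found' }

$requirePhishingResistantMfa = @{
    displayName   = 'CA01 - Require phishing-resistant MFA (report-only)'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }   # replaces the weaker builtInControls 'mfa'
    }
}

# A stolen password used from an unfamiliar location typically produces a risky sign-in;
# block it outright instead of offering the attacker an OTP prompt to satisfy.
$blockHighRiskSignIns = @{
    displayName   = 'CA02 - Block high-risk sign-ins (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requirePhishingResistantMfa, $blockHighRiskSignIns) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0} -> {1} ({2})' -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only mode for a week or two, check the "Report-only" result in the sign-in logs for users and applications that would have been blocked, register phishing-resistant methods for anyone still on SMS or voice OTP, and only then flip `state` to `enabled`.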
Via The Register