Microsoft warns that threat actors are abusing SharePoint links in a multi-stage phishing campaign targeting energy organizations, using adversary-in-the-middle (AiTM) techniques to capture Microsoft credentials. The attackers then performed business email compromise by taking over inboxes, hiding and deleting messages, and distributing further phishing URLs. Remediation includes session revocation and verification of MFA settings.
Key points
- Threat actors deliver phishing payloads via SharePoint links to steal Microsoft credentials.
- Adversary‑in‑the‑middle (AiTM) techniques are used to hijack sign‑in sessions and bypass MFA.
- Compromised inboxes are manipulated with rules to mark messages as read and delete responses, enabling BEC and persistence.
- Attackers send mass phishing messages to recent contacts from the compromised account to expand the campaign.
- Mitigations include enforcing MFA, enabling conditional access in Microsoft Entra, revoking sessions, and using continuous access evaluation and endpoint/browser protections.
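One way to hunt for the inbox-rule behaviour listed in the key points, as an added example that is not from Microsoft or the source article. The log records are constructed, and the field layout (`Operation`, `UserId`, `ClientIP`, `Parameters`) is an assumption modelled on Exchange entries in the Microsoft 365 unified audit log.

```python
import json
from collections import defaultdict

# Constructed sample records (not from the campaign); field layout is an assumption.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2026-01-20T09:14:02", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "rule1"}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2026-01-20T10:01:40", "Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2026-01-20T11:30:15", "Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Identity", "Value": "Cleanup"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2026-01-20T11:45:00", "Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ClientIP": "203.0.113.7"}
truncated-export-line
"""

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
HIDING_ACTIONS = {"MarkAsRead", "DeleteMessage"}  # the two behaviours the summary names

def hiding_actions(record):
    """Return which hiding actions an inbox-rule change switches on."""
    if not isinstance(record, dict) or record.get("Operation") not in RULE_OPERATIONS:
        return set()
    return {p.get("Name") for p in record.get("Parameters", [])
            if p.get("Name") in HIDING_ACTIONS and str(p.get("Value")).lower() == "true"}

def find_suspicious_rules(log_text):
    """Parse JSON-lines audit text; return one finding per rule that hides mail."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the hunt
        actions = hiding_actions(record)
        if actions:  # mark-as-read combined with delete is rated highest
            findings.append({"user": record.get("UserId"), "ip": record.get("ClientIP"),
                             "time": record.get("CreationTime"), "actions": sorted(actions),
                             "severity": "high" if actions == HIDING_ACTIONS else "medium"})
    return findings

def ips_touching_multiple_mailboxes(findings):
    """Source IPs that changed hiding rules on more than one mailbox."""
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    hits = find_suspicious_rules(SAMPLE_AUDIT_LOG)
    print(hits, ips_touching_multiple_mailboxes(hits))
```

A hit is a triage lead rather than proof of compromise: users create delete rules legitimately, so pair each finding with the account's sign-in history before revoking sessions.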
Read More: https://www.securityweek.com/phishers-abuse-sharepoint-in-new-campaign-targeting-energy-sector/