Unknown attackers abused Microsoft SharePoint file-sharing links to phish credentials and take over corporate email accounts at multiple energy-sector organizations, then used those accounts to send hundreds of phishing messages to internal and external contacts. Attackers created inbox rules, deleted evidence, and could persist by tampering with MFA and access controls, so Microsoft recommends MFA, conditional access policies, and anti-phishing defenses. #SharePoint #EnergySector
Keypoints
- Attackers leveraged SharePoint URLs requiring authentication to collect valid user credentials.
- Initial access likely came from previously compromised email addresses used against multiple energy organizations.
- Compromised accounts were used to send hundreds of phishing emails and to create inbox rules that hid evidence.
- Attackers monitored responses, deleted out-of-office and undeliverable messages, and replied to validate phishing legitimacy.
- Microsoft advises enabling MFA, conditional access policies, and anti-phishing tools because password resets alone may not remove attacker persistence.
Read More: https://www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/