Phishers Abuse SharePoint in New Campaign Targeting Energy Sector

Threat actors have been abusing SharePoint for payload delivery in a new phishing campaign targeting energy organizations, Microsoft warns.

One multi‑stage attack analyzed by Microsoft started with adversary‑in‑the‑middle (AitM) phishing, where the victim received an email from the compromised account of a trusted organization.

The message featured a document‑sharing workflow theme and included a SharePoint URL that directed the victim to a landing page prompting them for their Microsoft credentials.

Next, the attackers set up for business email compromise (BEC), accessing the compromised inbox and creating rules to mark all messages as read and delete incoming emails. They then sent over 600 phishing emails to the victim’s contacts, with another phishing URL.

“The recipients were identified based on the recent email threads in the compromised user’s inbox,” Microsoft explains.

The attackers monitored the compromised account, deleting undelivered and out-of-office responses, as well as ...