
- Hackers exploit SharePoint emails to steal credentials from large energy firms
- Attackers establish persistence with inbox rules and MFA tampering to maintain access
- Microsoft advises conditional access policies and phishing-resistant MFA for defense
Hackers are, once again, using SharePoint to target large energy firms, steal employee email credentials, and propagate the attack further.
This is according to a new report from Microsoft, which claims “multiple” large organizations in the energy sector were already targeted.
The attack starts from a previously compromised email account. The crooks use it for initial contact, sending a legitimate-looking email with a SharePoint link. When clicked, the link redirects the victims to a credential-harvesting website, where they are prompted to log in.
What to do to stay safe
Victims who try to log in actually hand their credentials to the attackers, who then access the real corporate email accounts from a different IP address. After that, they take a few steps to establish persistence while hiding from the victims.
Those steps include creating an inbox rule to delete incoming messages, and marking emails as read.
In the final step, the attackers send large volumes of new phishing emails to both internal and external contacts, as well as distribution lists. The inboxes are monitored, delivery-failure and out-of-office (OOO) emails are deleted and, in order to maintain the appearance of legitimacy, responses are read and questions are answered.
Microsoft did not share the details about the campaign and its success. We don’t know the exact number of organizations targeted, or how many people had their inboxes compromised as a result.
The company did stress that for those who are compromised, simply resetting the password will not suffice, since the crooks created rules and changed settings that enable persistence even after they are ousted.
"Even if the compromised user's password is reset and sessions are revoked, the attacker can set up persistence methods to sign-in in a controlled manner by tampering with MFA," Microsoft warns.
"For instance, the attacker can add a new MFA policy to sign in with a one-time password (OTP) sent to the attacker's registered mobile number. With these persistence mechanisms in place, the attacker can have control over the victim's account despite conventional remediation measures."
Besides MFA, Microsoft also suggested conditional access policies that can trigger alarms if certain conditions are met.
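As an added example (not code from the article or from Microsoft), a small checker that runs over constructed audit events to flag the two persistence mechanisms described above: inbox rules that delete or mark as read incoming mail, and MFA methods registered close to a password reset, which a reset alone does not remove. The event format and field names are a hypothetical simplification, not Microsoft's actual audit-log schema.

```python
# Added example, not code from the TechRadar or Microsoft report: flags the two
# persistence mechanisms the article describes, using a simplified, hypothetical
# audit-event format (not Microsoft's real audit log schema).
from datetime import datetime, timedelta

# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T07:50:00", "user": "jdoe", "op": "Add-MfaMethod",
     "params": {"type": "sms", "phone": "+1-555-0100"}},
    {"time": "2024-05-01T08:02:00", "user": "jdoe", "op": "New-InboxRule",
     "params": {"DeleteMessage": True, "MarkAsRead": True,
                "SubjectContainsWords": ["undeliverable", "out of office"]}},
    {"time": "2024-05-01T09:05:00", "user": "jdoe", "op": "Reset-Password"},
    {"time": "2024-05-01T09:30:00", "user": "asmith", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Projects"}},
    {"time": "2024-04-01T10:00:00", "user": "asmith", "op": "Add-MfaMethod",
     "params": {"type": "app"}},
]

# Rule actions that hide mail from the mailbox owner or divert it elsewhere.
SUSPICIOUS_RULE_ACTIONS = {"DeleteMessage", "MarkAsRead", "ForwardTo", "RedirectTo"}


def suspicious_inbox_rules(events):
    """Return (user, sorted actions) for each new rule that uses a suspicious action."""
    hits = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        actions = sorted(a for a in e.get("params", {}) if a in SUSPICIOUS_RULE_ACTIONS)
        if actions:
            hits.append((e["user"], actions))
    return hits


def mfa_methods_near_reset(events, window_hours=168):
    """Return (user, method type) for MFA methods registered within window_hours
    before or after a password reset; a reset does not remove them, so review them."""
    window = timedelta(hours=window_hours)
    resets = {}
    for e in events:
        if e["op"] == "Reset-Password":
            resets.setdefault(e["user"], []).append(datetime.fromisoformat(e["time"]))
    flagged = []
    for e in events:
        if e["op"] != "Add-MfaMethod":
            continue
        t = datetime.fromisoformat(e["time"])
        if any(abs(t - r) <= window for r in resets.get(e["user"], [])):
            flagged.append((e["user"], e["params"]["type"]))
    return flagged
```

Any method flagged by the second check should be removed as part of remediation, alongside the password reset and session revocation the article mentions.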
Via The Register
Source: TechRadar