Cyberattackers are increasingly targeting energy sector organizations by exploiting vulnerabilities in Microsoft SharePoint to steal credentials and deploy phishing campaigns. A recent report from Microsoft indicates that multiple large organizations in the energy sector have been affected by this method.
Attack Methodology
The attack begins with cybercriminals sending legitimate-looking emails containing SharePoint links to previously compromised email accounts. When recipients click these links, they are redirected to credential-harvesting websites designed to steal login information. Once attackers gain access to corporate email accounts, they establish persistence by creating inbox rules to delete incoming messages and mark emails as read. They then send large volumes of phishing emails to both internal and external contacts, including distribution lists, while monitoring inboxes to delete undeliverable messages and respond to inquiries, maintaining the appearance of legitimacy.
Challenges in Remediation
Microsoft emphasizes that simply resetting passwords is insufficient, as attackers can tamper with multi-factor authentication (MFA) settings to maintain access. For instance, they can register additional MFA methods so that one-time passwords are sent to a mobile number the attacker controls. To effectively mitigate such threats, Microsoft recommends implementing conditional access policies that can trigger alarms under specific conditions.
Recommendations for Organizations
Organizations are advised to strengthen their defenses by enabling phishing-resistant MFA, applying conditional access policies, and regularly monitoring for unusual activities. Prompt patching of known vulnerabilities and maintaining robust incident response plans are also crucial in defending against such sophisticated attacks.
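The inbox-rule persistence described under Attack Methodology (rules that delete incoming mail or mark it as read) is something a defender can hunt for in Exchange audit records. The script below is an added example, not from Microsoft's report; it assumes the Exchange admin audit record shape (Operation, UserId, and a Parameters list of Name/Value pairs), uses constructed sample records, and flags rules whose actions hide mail from the mailbox owner.

```python
import json

# Constructed sample audit records (not real data). Field names follow the
# Exchange admin audit log shape as assumed here: Operation, UserId and a
# Parameters list of {"Name": ..., "Value": ...} entries.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@example.com",
                "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com",
                "Parameters": [{"Name": "Name", "Value": "x"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
]
# Folders attackers commonly route mail into so the owner never sees it (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "archive",
                  "junk email", "conversation history"}

def suspicious_rule_flags(record):
    """Return the reasons an inbox-rule audit record looks like mailbox persistence."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    flags = []
    if params.get("DeleteMessage") == "True":
        flags.append("deletes messages")
    if params.get("MarkAsRead") == "True":
        flags.append("marks as read")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        flags.append(f"moves to hiding folder '{folder}'")
    name = params.get("Name", "")
    # A rule named with only punctuation (e.g. ".") is a common sign of tampering.
    if name and not name.strip(" .,-_"):
        flags.append("rule name is blank or punctuation only")
    return flags

def scan(lines):
    """Return [(user, flags), ...] for every JSON record that raises at least one flag."""
    hits = []
    for rec in map(json.loads, lines):
        flags = suspicious_rule_flags(rec)
        if flags:
            hits.append((rec["UserId"], flags))
    return hits
```

In practice, feed scan() the AuditData JSON strings returned by Search-UnifiedAuditLog for the New-InboxRule and Set-InboxRule operations, and review every hit together with the sign-in and MFA-registration history of the affected account.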
