Microsoft has identified a sophisticated multi-stage phishing campaign targeting energy sector organizations. Attackers abuse SharePoint file-sharing to deliver phishing payloads, steal credentials and session cookies through adversary-in-the-middle techniques, then create inbox rules to maintain persistence. The compromised accounts are used to send large-scale phishing emails to internal and external contacts. Password resets alone cannot stop these attacks; organizations must revoke active session cookies and remove malicious inbox rules. The campaign exemplifies the growing trend of abusing trusted platforms like SharePoint, Google Drive, and AWS to appear legitimate and evade detection.

From thehackernews.com (6m read time)