Full Report
Logging in, not breaking in. Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and then send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations.…
Analysis Summary
# Incident Report: SharePoint Credential Harvesting & BEC via Energy Sector Phishing
## Executive Summary
Unknown attackers executed a multi-stage campaign targeting multiple energy-sector organizations by abusing Microsoft SharePoint file-sharing services. The attack chain involved initial phishing to harvest user credentials, subsequent account takeover, establishing persistence via inbox rule manipulation, and spreading subsequent phishing emails (over 600 in one instance) to the victim's contacts. The main outcome was credential compromise and the exploitation of trusted accounts for further malicious activity.
## Incident Details
- **Discovery Date:** Not explicitly stated; the reporting is based on a Microsoft report published on a Wednesday (January 21, 2026, inferred from the dateline).
- **Incident Date:** Ongoing at the time of reporting (Jan 22, 2026).
- **Affected Organization:** Multiple energy-sector organizations.
- **Sector:** Energy.
- **Geography:** Not specified.
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-phishing phase; how the sending addresses were originally compromised is unclear, but the attack chain as described begins with a phishing email.
- **Vector:** Credential Harvesting via Malicious SharePoint Link.
- **Details:** Attackers sent emails, possibly using previously compromised addresses, containing subject lines like "New Proposal - NDA" and a SharePoint URL requiring authentication. Victims clicking and entering credentials handed over valid usernames and passwords.
### Lateral Movement
- **Date/Time:** Subsequent to initial access.
- **Vector:** Sign-in with the harvested credentials from a different IP address.
- **Details:** Attackers logged into the target accounts. They then created an inbox rule to delete all incoming emails and mark all existing emails as read.
### Data Exfiltration/Impact
- **Date/Time:** During the active compromise phase.
- **Vector:** Secondary phishing campaign and monitoring.
- **Details:** Attackers sent hundreds of new phishing emails (one observed case involved 600+ emails) containing new phishing URLs to the victim's contacts (internal and external) based on recent email threads. The attacker monitored the inbox, reading and responding to external inquiries about the legitimacy of the phish, deleting all correspondence afterward.
### Detection & Response
- **Date/Time:** Undocumented, triggered by Microsoft threat intelligence.
- **Vector:** Microsoft threat intelligence detailed the intrusions.
- **Details:** Detection was based on analyzing the pattern of SharePoint abuse and subsequent anomalous inbox activity. Remediation guidance suggests password resets are insufficient due to persistence mechanisms.
## Attack Methodology
- **Initial Access:** Credential harvesting utilizing legitimate SharePoint file-sharing service links disguised in convincing emails (e.g., NDA related).
- **Persistence:** Creation of inbox rules that automatically delete incoming messages and mark existing messages as read, effectively hiding communication related to the ongoing attack. The report also warns that attackers might tamper with MFA settings (e.g., adding a new mobile number so that one-time passcodes are forwarded to the attacker).
- **Privilege Escalation:** Not explicitly detailed beyond gaining access to a standard user account, but the ability to read/respond to emails implies full mailbox control.
- **Defense Evasion:** Deleting communications (undeliverable messages, responses) to conceal the active abuse from the victim and internal security teams.
- **Credential Access:** Phishing/Credential Harvesting against SharePoint authentication portal.
- **Discovery:** Identifying internal and external recipients based on recent email threads in the compromised inbox.
- **Lateral Movement:** Not explicitly detailed beyond the account takeover; movement appears focused on utilizing the single compromised mailbox for widespread secondary phishing.
- **Collection:** Reading email threads to identify viable targets for secondary phishing.
- **Exfiltration:** No traditional data exfiltration was reported; instead, the organization's trust relationships were abused to send follow-up phishing emails.
- **Impact:** Disruption of normal business communication, reputational damage, and broad distribution of secondary phishing attacks.
## Impact Assessment
- **Financial:** Not specified, but likely involves costs associated with remediation and potential downstream fraud resulting from secondary phishing.
- **Data Breach:** In-scope email content (contacts, recent conversation topics) was exposed for targeting purposes. Credentials (username/password) were stolen.
- **Operational:** Disruption of email communication due to hidden messages and the need for security teams to investigate and remediate compromised accounts.
- **Reputational:** High, as the organization's trusted email accounts were used to target their contacts.
## Indicators of Compromise
- **Network Indicators (Defanged):** No specific addresses were published; the observed indicator is sign-in activity from unfamiliar IP addresses against SharePoint services after the initial credential submission.
- **File Indicators:** N/A (Focus on cloud service abuse rather than dropping files).
- **Behavioral Indicators:** Creation of inbox rules designed to hide incoming/outgoing communication, sudden large-scale sending of external emails from a specific mailbox, and unusual reading/deletion patterns in the inbox.
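As an added example (not from the original report or from Microsoft's material), the Persistence and Behavioral Indicators sections above can be turned into a simple triage over mailbox audit records: flag inbox rules that delete or mark-as-read without any narrowing condition, and any activity from outside a known corporate IP range. The record layout, user names, addresses and ranges are constructed assumptions; adapt the keys to your own log export.

```python
from ipaddress import ip_address, ip_network
# Constructed sample records (not real data), shaped like Microsoft 365 audit
# entries: Operation, acting user, client IP and, for mailbox rules, a
# Parameters list of Name/Value pairs. That layout is an assumption.
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "UserId": "j.doe@example-energy.test",
     "ClientIP": "203.0.113.45"},
    {"Operation": "New-InboxRule", "UserId": "j.doe@example-energy.test",
     "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "a.smith@example-energy.test",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "From", "Value": "billing@vendor.test"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
]

# Hypothetical corporate egress range; anything outside it is "unfamiliar".
KNOWN_RANGES = [ip_network("198.51.100.0/24")]
# Parameters that narrow a rule to particular mail; a delete/mark-as-read
# rule with none of them applies to every incoming message.
CONDITION_KEYS = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords"}

def rule_params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def is_unfamiliar_ip(ip):
    return not any(ip_address(ip) in net for net in KNOWN_RANGES)

def rule_hides_mail(rec):
    """Delete/mark-as-read inbox rule with no condition narrowing what it matches."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = rule_params(rec)
    hides = p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True"
    return hides and not (CONDITION_KEYS & set(p))

def triage(records):
    """Return (user, operation, reason) findings worth an analyst's look."""
    findings = []
    for rec in records:
        reasons = []
        if rule_hides_mail(rec):
            reasons.append("unconditional delete/mark-as-read inbox rule")
        if rec.get("ClientIP") and is_unfamiliar_ip(rec["ClientIP"]):
            reasons.append("activity from unfamiliar IP " + rec["ClientIP"])
        if reasons:
            findings.append((rec["UserId"], rec["Operation"], "; ".join(reasons)))
    return findings
```

Running `triage(SAMPLE_RECORDS)` flags both of j.doe's records and leaves a.smith's narrowly scoped, in-range rule alone, which is the distinction an analyst needs when a password reset alone is not enough.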
## Response Actions
- **Containment:** Password resets and session revocation (though noted as potentially insufficient).
- **Eradication:** Removing malicious inbox rules. (Note: Microsoft warns that securing MFA against attacker tampering is critical here).
- **Recovery:** Restoring normal email flow; validating account security, especially MFA configuration.
## Lessons Learned
- **Key Takeaways:** Attackers are effectively blending automation with social engineering by abusing legitimate, trusted services like SharePoint for credential phishing. Persistence mechanisms (like inbox rules) can effectively cloak an ongoing attack even after initial password resets.
- **What could have been done better:** Reliance on simple password resets is inadequate in Business Email Compromise (BEC) scenarios involving active mailbox manipulation; deeper security controls are needed to detect persistence.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. Implement strict **Conditional Access Policies** in Azure AD/M365 that evaluate sign-ins based on user/group membership, IP location, and device status, denying suspicious logins.
2. Enforce **strong MFA** supplemented by zero-trust principles, being vigilant against post-compromise MFA policy changes.
3. Invest in advanced **anti-phishing solutions** capable of scanning emails and URLs visited in real-time.
4. Regularly audit **SharePoint access policies** and monitor for anomalous authentication patterns targeting file-sharing links.