SharePoint Exploited in Phishing Campaigns Against Energy Sector

Key Takeaways

  • Unknown attackers are targeting energy-sector organizations using Microsoft SharePoint file-sharing services to harvest user credentials and send phishing emails.
  • The attackers use previously compromised email addresses to gain initial access and create inbox rules to delete incoming emails and mark them as read.
  • The attackers send new phishing emails from compromised accounts to contacts inside and outside the organization, using subject lines such as "New Proposal – NDA" to appear legitimate.
  • Enabling multi-factor authentication (MFA) and conditional access policies can help prevent these types of attacks.
  • Investing in anti-phishing products can also help scan incoming messages and visited websites for potential threats.

Introduction to the Attack
Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations. The attackers likely used previously compromised email addresses to gain initial access to the targeted organizations. These addresses were used to send emails containing a SharePoint URL that required user authentication, with subject lines such as "New Proposal – NDA" to make them appear legitimate. People who clicked on the URL were redirected to a website that asked them to enter their credentials, giving the criminals valid usernames and passwords to use in later stages of these attacks.

The Attack Methodology
The attackers signed in to the compromised accounts from another IP address and created an inbox rule to delete all incoming emails and mark them as read. This allowed them to remain undetected and continue their malicious activity without being noticed by the account owners. From these compromised inboxes, the attackers sent out new phishing emails – in one case more than 600 emails carrying another phishing URL. The recipients were selected from recent email threads in the compromised user’s inbox, and the emails went to the compromised user’s contacts, both within and outside the organization, as well as to distribution lists.

Post-Compromise Activities
After sending out the new phishing emails, the attacker kept an eye on the victim’s inbox, deleting any out-of-office or undeliverable messages. They also read email responses and responded to any questions about the legitimacy of the phish. These emails and responses were also later deleted by the attacker, making it difficult to detect the malicious activities. Anyone from within an energy organization who clicked on the malicious URL was also targeted for credential theft and account takeover. The attackers’ goal was to maintain control over the compromised accounts and continue sending phishing emails to harvest more credentials and gain access to sensitive information.

Mitigation and Remediation
While the usual recommendation for any type of identity compromise is to reset the password, in these types of attacker-in-the-middle scams a password reset alone is not sufficient to address the issue. According to Microsoft, even if the compromised user’s password is reset and sessions are revoked, the attacker can set up persistence methods that allow continued, controlled sign-ins by tampering with multi-factor authentication (MFA). For instance, the attacker can add a new MFA policy to sign in with a one-time password (OTP) sent to the attacker’s registered mobile number. With these persistence mechanisms in place, the attacker retains control over the victim’s account despite conventional remediation measures.
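The methodology, post-compromise and remediation sections above describe three things a defender can look for in tenant audit data: inbox rules that hide incoming mail, a burst of outbound messages from one mailbox, and an MFA method registered after the password reset. The following triage script is an added example, not code from the article, from Microsoft or from any vendor. Its records are constructed and only approximate the shape of Microsoft 365 unified audit log entries (Exchange mailbox operations and Entra ID security-info events); every field name, operation string and threshold it uses is an assumption of this example.

```python
"""Post-compromise triage for the SharePoint-lure account-takeover pattern.

Added example; not code from the article, from Microsoft or from any vendor.
Records are constructed and only approximate Microsoft 365 unified audit log
entries. Field names, operation strings and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-02T08:12:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample records (not real data).
AUDIT_LOG = [
    {"time": "2024-05-02T08:10:00Z", "user": "alice@example.com",
     "op": "UserLoggedIn", "client_ip": "203.0.113.7"},
    # Hides the inbox: everything deleted and marked read, rule named with a lone dot.
    {"time": "2024-05-02T08:12:00Z", "user": "alice@example.com",
     "op": "New-InboxRule",
     "params": {"Name": ".", "DeleteMessage": "True", "MarkAsRead": "True"}},
    # Benign rule for comparison.
    {"time": "2024-05-02T08:14:00Z", "user": "bob@example.com",
     "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters"}},
    # Outbound burst from the compromised mailbox: 120 sends in two minutes.
    *[{"time": f"2024-05-02T08:{20 + i // 60:02d}:{i % 60:02d}Z",
       "user": "alice@example.com", "op": "Send"} for i in range(120)],
    # Helpdesk resets the password, then a new MFA phone is registered minutes later.
    {"time": "2024-05-02T10:00:00Z", "user": "alice@example.com",
     "op": "Reset user password", "actor": "helpdesk@example.com"},
    {"time": "2024-05-02T10:07:00Z", "user": "alice@example.com",
     "op": "User registered security info",
     "detail": "User registered Mobile Phone"},
]

# Rule parameters and target folders that hide mail from the mailbox owner.
HIDING_PARAMS = ("DeleteMessage", "MarkAsRead")
HIDING_FOLDERS = ("Deleted Items", "RSS Subscriptions", "Junk Email", "Archive")


def suspicious_inbox_rules(records):
    """Return (user, rule name, reasons) for inbox rules that hide incoming mail."""
    hits = []
    for r in records:
        if r["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = r.get("params", {})
        reasons = [k for k in HIDING_PARAMS if p.get(k) == "True"]
        if p.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append("MoveToFolder=" + p["MoveToFolder"])
        name = p.get("Name", "")
        if not name.strip(". "):  # names like "." or blank are a common tell
            reasons.append("unnamed rule")
        if reasons:
            hits.append((r["user"], name, reasons))
    return hits


def outbound_bursts(records, threshold, window):
    """Users whose mailbox sent at least `threshold` messages inside any `window`."""
    sends = defaultdict(list)
    for r in records:
        if r["op"] == "Send":
            sends[r["user"]].append(parse_ts(r["time"]))
    flagged = {}
    for user, times in sends.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted send times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def security_info_changes_after(records, user, after):
    """MFA registrations for `user` at or after `after` (e.g. the password reset).

    This is the persistence check from the remediation section: a method added
    during or after the compromise window must be reviewed and removed rather
    than trusted because the password was reset.
    """
    cutoff = parse_ts(after)
    return [r for r in records
            if r["user"] == user
            and r["op"] == "User registered security info"
            and parse_ts(r["time"]) >= cutoff]


def triage(records):
    """Run all three checks and return one summary dict."""
    rules = suspicious_inbox_rules(records)
    bursts = outbound_bursts(records, threshold=100, window=timedelta(minutes=10))
    suspects = sorted({u for u, _, _ in rules} | set(bursts))
    mfa = {}
    for u in suspects:
        resets = [r for r in records if r["user"] == u and r["op"] == "Reset user password"]
        if resets:
            mfa[u] = security_info_changes_after(records, u, resets[-1]["time"])
    return {"inbox_rules": rules, "outbound_bursts": bursts, "mfa_after_reset": mfa}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(AUDIT_LOG), indent=2, default=str))
```

Run against the constructed log, the script flags alice's hiding rule, her 120-message burst, and the phone registered seven minutes after the helpdesk reset; bob's folder-sorting rule is left alone. In a real tenant the same three questions would be asked of the exported audit log, and any method listed under `mfa_after_reset` would be removed before the account is handed back.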

Prevention and Protection
To prevent these types of attacks, Microsoft recommends enabling MFA, which remains an essential pillar in stopping a range of cyber threats. Additionally, conditional access policies that evaluate sign-in requests using further identity-driven signals, such as user or group membership, IP location and device status, can stop an attacker from signing in with stolen credentials: if these signals trigger a security alert, the suspicious sign-in is denied. Investing in anti-phishing products that scan incoming messages and visited websites can also help detect and prevent phishing attacks. By taking these measures, organizations can reduce the risk of falling victim to these attacks and protect their sensitive information.
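To make the conditional-access idea concrete, here is a small policy evaluator that combines the signals named above (group membership, IP location, device state, client type) into one decision for a sign-in. It is an added example, not Microsoft's Conditional Access engine and not code from the article; the policy shape, signal names, trusted network and sample sign-ins are all assumptions constructed for illustration.

```python
"""Toy conditional-access evaluator for identity-driven sign-in signals.

Added example; not Microsoft's Conditional Access engine and not code from
the article. Policy shape, signal names, networks and sample sign-ins are
constructed assumptions.
"""
import ipaddress

# Constructed named locations and privileged groups.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # corporate egress
PRIVILEGED_GROUPS = {"Finance", "Energy-Ops-Admins"}

# Each policy has a predicate over the enriched sign-in and a grant control.
# The strictest control among all matching policies wins (block > mfa > allow).
POLICIES = [
    {"name": "Block legacy auth",
     "applies_if": lambda s: s["client_app"] == "legacy",
     "grant": "block"},
    {"name": "Block non-compliant devices for privileged groups",
     "applies_if": lambda s: bool(s["groups"] & PRIVILEGED_GROUPS) and not s["device_compliant"],
     "grant": "block"},
    {"name": "MFA outside trusted networks",
     "applies_if": lambda s: not s["trusted_location"],
     "grant": "mfa"},
    {"name": "MFA for privileged groups",
     "applies_if": lambda s: bool(s["groups"] & PRIVILEGED_GROUPS),
     "grant": "mfa"},
]
RANK = {"allow": 0, "mfa": 1, "block": 2}

# Constructed sample sign-ins (not real data).
SAMPLE_SIGNINS = {
    # A harvested password replayed from an unknown network on an unmanaged device.
    "phish_replay": {"user": "alice@example.com", "groups": {"Staff"},
                     "ip": "203.0.113.7", "client_app": "browser",
                     "device_compliant": False},
    # The same stolen credential through a legacy protocol that cannot do MFA.
    "legacy_imap": {"user": "alice@example.com", "groups": {"Staff"},
                    "ip": "203.0.113.7", "client_app": "legacy",
                    "device_compliant": False},
    # Normal office sign-in from a managed device on the corporate network.
    "office": {"user": "bob@example.com", "groups": {"Staff"},
               "ip": "198.51.100.20", "client_app": "browser",
               "device_compliant": True},
    # Privileged user on an unmanaged device, even from the office network.
    "admin_byod": {"user": "carol@example.com",
                   "groups": {"Staff", "Energy-Ops-Admins"},
                   "ip": "198.51.100.21", "client_app": "modern",
                   "device_compliant": False},
}


def evaluate(signin):
    """Return (decision, [names of matching policies]) for one sign-in."""
    s = dict(signin)
    s["trusted_location"] = any(ipaddress.ip_address(s["ip"]) in net
                                for net in TRUSTED_NETWORKS)
    decision, matched = "allow", []
    for p in POLICIES:
        if p["applies_if"](s):
            matched.append(p["name"])
            if RANK[p["grant"]] > RANK[decision]:
                decision = p["grant"]
    return decision, matched


if __name__ == "__main__":
    for label, signin in SAMPLE_SIGNINS.items():
        print(f"{label:13s} -> {evaluate(signin)}")
```

The point the sample sign-ins make is that a valid password is not enough on its own: the replayed credential is challenged for MFA, the legacy-protocol attempt is blocked outright, and the privileged user on an unmanaged device is blocked even from the office, while the ordinary managed sign-in passes without friction.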

Conclusion
The attack on energy-sector organizations using Microsoft SharePoint file-sharing services highlights the importance of implementing robust security measures to prevent cyber threats. By enabling MFA, conditional access policies, and investing in anti-phishing products, organizations can reduce the risk of falling victim to these types of attacks. It is essential for organizations to be aware of these types of attacks and take proactive measures to protect their sensitive information and prevent cyber threats. By staying vigilant and taking the necessary precautions, organizations can minimize the risk of cyber attacks and maintain the security and integrity of their systems and data.
