"Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and then send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations. The attackers likely used previously-compromised email addresses to gain initial access to "multiple" energy-sector organizations targeted in this campaign, according to Redmond, which detailed the digital intrusions in a Wednesday report."
"These emails contained a SharePoint URL requiring user authentication and subject lines such as "New Proposal - NDA" to make them appear legitimate. People who clicked on the URL were redirected to a website that required them to enter user credentials, thus giving the criminals valid usernames and passwords to use in later stages of these attacks. Then, the attackers signed in to the compromised accounts with another IP address and created an inbox rule to delete all incoming emails and mark all the emails as read."
Unknown attackers abused Microsoft SharePoint file-sharing services to phish credentials and compromise energy-sector organizations. The attackers likely began with previously compromised email addresses to deliver phishing messages containing SharePoint URLs that required user authentication. Users who entered credentials handed over valid usernames and passwords, enabling attackers to sign in from different IP addresses, create inbox rules to hide messages, and mark emails as read. Compromised accounts were used to send hundreds of phishing emails to contacts and distribution lists identified from recent threads, with attackers monitoring inboxes, reading replies, responding to questions, and deleting messages to cover their tracks.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]