
"The starting point of the attack is a phishing email likely sent from an email address belonging to a trusted organization, which was compromised beforehand. Abusing this legitimate channel, the threat actors sent out messages masquerading as SharePoint document‑sharing workflows to give it a veneer of credibility and trick recipients into clicking on phishing URLs. Because services like SharePoint and OneDrive are widely used in enterprise environments and the emails originate from a legitimate address, they are unlikely to raise suspicion,"
"The URL, for its part, redirects users to a fake credential prompt to view the purported document. Armed with access to the account using the stolen credentials and the session cookie, the attackers create inbox rules to delete all incoming emails and mark all emails as read."
A multi‑stage adversary‑in‑the‑middle (AitM) phishing and business email compromise (BEC) campaign targeted multiple energy‑sector organizations. The attackers sent SharePoint‑style document‑sharing messages from previously compromised accounts at trusted organizations, relying on the familiarity of SharePoint and OneDrive and the legitimacy of the sending address to get recipients to click the phishing links. Once they held stolen credentials and a session cookie, they created inbox rules that delete incoming mail and mark it as read, keeping the mailbox owner unaware of the compromise and of any warnings from colleagues. The compromised internal identities were then used for large‑scale phishing both inside the victim organization and against external contacts, widening the campaign and enabling follow‑on BEC activity across multiple organizations.
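The inbox‑rule tactic described above (delete every incoming message and mark it read) leaves a distinctive trail in mailbox audit data. The following is an added hunting example, not code from The Hacker News article or the researchers it cites: it scans constructed records shaped like Exchange Online admin‑audit entries for New‑InboxRule and Set‑InboxRule operations and flags rules that hide mail without any matching condition, combine delete with mark‑as‑read, carry a throwaway name, or filter on security‑related words. The record field names, the sample users, IP addresses and rule names are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records. Their shape (Operation, UserId, ClientIP,
# Parameters as Name/Value pairs) is assumed to mirror Exchange Online
# admin-audit entries; none of these values come from the campaign itself.
SAMPLE_AUDIT_LOG = [
    json.dumps({
        "CreationTime": "2025-03-04T09:12:31",
        "Operation": "New-InboxRule",
        "UserId": "finance.lead@example-energy.test",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "StopProcessingRules", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2025-03-04T09:30:02",
        "Operation": "New-InboxRule",
        "UserId": "ops@example-energy.test",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor newsletters"},
            {"Name": "SubjectContainsWords", "Value": "newsletter"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
    json.dumps({
        "CreationTime": "2025-03-04T10:01:44",
        "Operation": "Set-InboxRule",
        "UserId": "hr@example-energy.test",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Identity", "Value": "Cleanup"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "password;sharepoint;urgent"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
]

# Rule actions that keep mail away from the mailbox owner.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead", "MoveToFolder",
                  "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Parameter-name prefixes that narrow which messages a rule matches. A hiding
# rule with none of them applies to all incoming mail, the pattern in the article.
CONDITION_PREFIXES = ("From", "SentTo", "SubjectContains", "SubjectOrBody", "BodyContains",
                      "HeaderContains", "RecipientAddress", "HasAttachment", "MyNameIn",
                      "MessageTypeMatches", "WithImportance", "WithSensitivity",
                      "WithinSizeRange", "WithinDateRange")
# Words attackers commonly filter on to suppress warnings reaching the victim.
SECURITY_WORDS = {"password", "sharepoint", "onedrive", "phishing", "hacked",
                  "suspicious", "urgent", "security", "mfa"}


@dataclass
class Finding:
    user: str
    client_ip: str
    rule_name: str
    reasons: List[str] = field(default_factory=list)


def _params(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyze_record(record: dict) -> Optional[Finding]:
    """Return a Finding if this audit record creates or edits a suspicious inbox rule."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = _params(record)
    actions = {k for k, v in params.items() if k in HIDING_ACTIONS and v.lower() != "false"}
    if not actions:
        return None
    conditions = {k: v for k, v in params.items() if k.startswith(CONDITION_PREFIXES)}
    name = params.get("Name") or params.get("Identity") or "<unnamed>"
    reasons = []
    if not conditions:
        reasons.append("hiding action (%s) with no condition, applies to all incoming mail"
                       % ", ".join(sorted(actions)))
    if {"DeleteMessage", "MarkAsRead"} <= actions:
        reasons.append("deletes incoming mail and marks it as read")
    matched = sorted({w.strip() for v in conditions.values()
                      for w in v.lower().split(";") if w.strip() in SECURITY_WORDS})
    if matched:
        reasons.append("hides mail matching security-related words: " + ", ".join(matched))
    if len(name.strip()) <= 2:
        reasons.append("single-character or empty rule name: %r" % name)
    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), record.get("ClientIP", "?"), name, reasons)


def hunt(log_lines: List[str]) -> List[Finding]:
    """Run the inbox-rule checks over newline-delimited JSON audit records."""
    findings = []
    for line in log_lines:
        finding = analyze_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_AUDIT_LOG):
        print(f"{f.user} from {f.client_ip}: rule {f.rule_name!r}")
        for reason in f.reasons:
            print("   -", reason)
```

In a real tenant the same checks run over exports from Search-UnifiedAuditLog or the Microsoft 365 Management Activity API rather than the embedded sample. Because the campaign reused compromised identities to phish internally, rules created across several mailboxes from the same ClientIP within a short window are worth correlating as a second signal on top of the per-rule checks.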
Read at The Hacker News