Just a sample of the Echomail archive
|  Message 2283  |
|  Mike Powell to All  |
|  MS SharePoint exploited t  |
|  24 Jan 26 10:20:51  |
Microsoft SharePoint exploited to hack multiple energy firms

Date: Fri, 23 Jan 2026 18:10:00 +0000

Description: Hackers are abusing SharePoint to break into people's emails and propagate further throughout the networks.

FULL STORY

Hackers are, once again, using SharePoint to target large energy firms, steal employee email credentials, and propagate the attack further.

This is according to a new report from Microsoft, which claims multiple large organizations in the energy sector were already targeted.

The attack starts from a previously compromised email account. The crooks use it for initial contact, sending a legitimate-looking email with a SharePoint link. When clicked, the link redirects the victims to a credential-harvesting website, where they are prompted to log in.

What to do to stay safe

Victims that try to log in actually share their credentials with the attackers, who gain access to real corporate email accounts, and access them from a different IP address. After that, they take a few steps to establish persistence while hiding from the victims. Those steps include creating an inbox rule to delete incoming messages, and marking emails as read.

In the final step, the attackers send large volumes of new phishing emails to both internal and external contacts, as well as distribution lists. The inboxes are monitored, delivery failure and OOO emails are deleted and, in order to maintain the appearance of legitimacy, responses are read and questions are answered.

Microsoft did not share the details about the campaign and its success. We don't know the exact number of organizations targeted, or how many people had their inboxes compromised as a result.

The company did stress that for those that are compromised, simply resetting the password will not suffice, since the crooks created rules and changed settings that enable persistence even when they are ousted.

"Even if the compromised user's password is reset and sessions are revoked, the attacker can set up persistence methods to sign-in in a controlled manner by tampering with MFA," Microsoft warns.

"For instance, the attacker can add a new MFA policy to sign in with a one-time password (OTP) sent to the attacker's registered mobile number. With these persistence mechanisms in place, the attacker can have control over the victim's account despite conventional remediation measures."

Besides MFA, Microsoft also suggested conditional access policies that can trigger alarms if certain conditions are met.

Via The Register

======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-sharepoint-exploited-to-hack-multiple-energy-firms

--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)
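
Added example, not part of the original message or of Microsoft's report: a small correlation check for the post-compromise pattern the story describes, flagging inbox rules that delete or mark mail as read and MFA methods added shortly after a sign-in from an IP the account has not used before. The event schema, operation names, addresses and the 24-hour window are constructed assumptions; only the DeleteMessage and MarkAsRead rule actions correspond to the behaviour named in the story.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)                  # assumed correlation window
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead"}

# Constructed events in a simplified, hypothetical schema (not a real export format).
EVENTS = [
    {"time": "2026-01-19T08:58:00", "user": "a.lee@example.com", "op": "SignIn", "ip": "198.51.100.7"},
    {"time": "2026-01-20T09:01:00", "user": "a.lee@example.com", "op": "SignIn", "ip": "198.51.100.7"},
    {"time": "2026-01-21T03:12:00", "user": "a.lee@example.com", "op": "SignIn", "ip": "203.0.113.50"},
    {"time": "2026-01-21T03:15:00", "user": "a.lee@example.com", "op": "NewInboxRule",
     "rule": "..", "actions": ["DeleteMessage", "MarkAsRead"]},
    {"time": "2026-01-21T03:20:00", "user": "a.lee@example.com", "op": "MfaMethodAdded", "method": "phone"},
    {"time": "2026-01-20T10:00:00", "user": "b.kim@example.com", "op": "SignIn", "ip": "198.51.100.9"},
    {"time": "2026-01-21T10:30:00", "user": "b.kim@example.com", "op": "NewInboxRule",
     "rule": "Newsletters", "actions": ["MarkAsRead"]},
]

def find_takeover_chains(events, window=WINDOW):
    """Map user -> persistence changes made within `window` of a sign-in from a new IP."""
    known_ips, new_ip_at, findings = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["op"] == "SignIn":
            seen = known_ips.setdefault(user, set())
            if seen and ev["ip"] not in seen:   # first sign-in only builds the baseline
                new_ip_at[user] = (ts, ev["ip"])
            seen.add(ev["ip"])
            continue
        started = new_ip_at.get(user)
        if started is None or ts - started[0] > window:
            continue                            # change not tied to a new-IP session
        if ev["op"] == "NewInboxRule":
            hits = sorted(HIDING_ACTIONS & set(ev["actions"]))
            if hits:
                findings.setdefault(user, []).append(
                    f"inbox rule {ev['rule']!r} ({', '.join(hits)}) after sign-in from {started[1]}")
        elif ev["op"] == "MfaMethodAdded":
            findings.setdefault(user, []).append(
                f"MFA method {ev['method']!r} added after sign-in from {started[1]}")
    return findings

if __name__ == "__main__":
    for user, items in find_takeover_chains(EVENTS).items():
        print(user, *items, sep="\n  ")
```

Each finding names an artifact that outlives a password reset, so the rule and the added MFA method are what need to be reviewed and removed during remediation.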