Crims compromised energy firms’ Microsoft accounts, sent 600 phishing emails

Summary

Unknown attackers abused Microsoft SharePoint file-sharing links to harvest credentials and take over Microsoft accounts at multiple energy-sector organisations. The campaign began by using previously compromised email addresses to send messages containing a SharePoint URL that required authentication. Victims who entered credentials handed attackers valid usernames and passwords. The adversaries then logged in from other IPs, created inbox rules to hide incoming messages, monitored replies and deleted evidence, and used the hijacked accounts to send hundreds of follow-on phishing emails — one incident involved more than 600 messages sent to contacts and distribution lists.

Key Points

  • Attackers used SharePoint links that prompted users to enter credentials, enabling credential harvesting rather than exploiting a vulnerability.
  • Initial access likely came from previously compromised email addresses used to target multiple energy organisations.
  • Compromised accounts were used to create inbox rules (delete/mark-read) to hide malicious activity and maintain control.
  • From hijacked mailboxes the threat actors sent hundreds of phishing emails to the victim’s contacts and distribution lists, leveraging trust.
  • Attackers monitored replies, answered questions to legitimise the phish, and removed traces (out-of-office, undeliverables, responses).
  • Password resets alone may be insufficient, because attackers can add persistence such as registering their own phone numbers as OTP recipients or otherwise tampering with the victim’s MFA settings.
  • Microsoft recommends strong MFA, conditional access policies, and anti-phishing detection tools as mitigations.
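The inbox-rule technique in the points above leaves a trail in the tenant's audit log, and hunting for it is something a defender can automate. The following Python is an added example written for this summary; it is not code from The Register, Microsoft or the affected organisations. It scores mailbox-rule events for the patterns described here (delete or mark-as-read actions, routing into rarely viewed folders, keyword filters for bounces, out-of-office replies and warnings) and then pivots on the client IP to surface one source touching several mailboxes. The audit records are constructed samples whose field names follow the general shape of Microsoft 365 unified audit log AuditData for Exchange cmdlet operations (rule settings as Name/Value pairs); the thresholds and folder list are assumptions to tune, not values taken from the incident.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample audit records (not logs from the incident). Field names
# approximate the Exchange admin-audit schema in the unified audit log, where
# cmdlet parameters arrive as a list of {"Name": ..., "Value": ...} pairs.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2026-01-20T07:14:02", "Operation": "New-InboxRule",
                "UserId": "analyst@energyco.example", "ClientIP": "203.0.113.45",
                "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "undeliverable;out of office;automatic reply;phishing"}]}),
    json.dumps({"CreationTime": "2026-01-20T08:02:11", "Operation": "New-InboxRule",
                "UserId": "ops@energyco.example", "ClientIP": "198.51.100.7",
                "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}]}),
    json.dumps({"CreationTime": "2026-01-21T13:40:55", "Operation": "Set-InboxRule",
                "UserId": "finance@energyco.example", "ClientIP": "203.0.113.45",
                "Parameters": [
                    {"Name": "Identity", "Value": "Archive old"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2026-01-21T13:41:10", "Operation": "MailItemsAccessed",
                "UserId": "finance@energyco.example", "ClientIP": "203.0.113.45"}),
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Actions that remove mail from the user's view (assumed weights, tune locally).
HIDING_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
# Folders users rarely open; an assumed list, lower-cased for comparison.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords")
# Terms a hijacker filters on to suppress bounces, auto-replies and warnings.
TRIGGER_WORDS = ("undeliverable", "out of office", "automatic reply",
                 "phish", "hacked", "suspicious", "fraud")


@dataclass
class Finding:
    user: str
    operation: str
    client_ip: str
    score: int
    reasons: list


def _parameters(record: dict) -> dict:
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p.get("Name", ""): p.get("Value", "") for p in record.get("Parameters", [])}


def _keywords(params: dict) -> list:
    """Collect keyword filters; values may be ';'-joined strings or lists."""
    words = []
    for key in KEYWORD_PARAMS:
        value = params.get(key)
        if isinstance(value, list):
            words.extend(str(v) for v in value)
        elif isinstance(value, str):
            words.extend(v for v in value.split(";") if v)
    return [w.strip().lower() for w in words]


def assess_rule(record: dict) -> Optional[Finding]:
    """Score one audit record; None means not a rule event or nothing suspicious."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _parameters(record)
    reasons, score = [], 0
    for action in HIDING_ACTIONS:
        if str(params.get(action, "")).lower() == "true":
            reasons.append(f"{action}=True")
            score += 2
    folder = str(params.get("MoveToFolder", "")).strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={params['MoveToFolder']}")
        score += 2
    words = _keywords(params)
    matched = [t for t in TRIGGER_WORDS if any(t in w for w in words)]
    if matched:
        reasons.append("keyword filter: " + ", ".join(matched))
        score += 3
    name = str(params.get("Name", "")).strip()
    if 0 < len(name) <= 2:  # one- or two-character names hide rules in the UI
        reasons.append(f"short rule name {name!r}")
        score += 1
    if score == 0:
        return None
    return Finding(record.get("UserId", "?"), record["Operation"],
                   record.get("ClientIP", "?"), score, reasons)


def triage(lines) -> list:
    """Parse JSON audit lines and return findings, highest score first."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines rather than abort the hunt
        finding = assess_rule(record)
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def pivot_by_ip(findings) -> dict:
    """Map each client IP to the distinct mailboxes it created rules in."""
    by_ip = {}
    for f in findings:
        users = by_ip.setdefault(f.client_ip, [])
        if f.user not in users:
            users.append(f.user)
    return by_ip


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT_LINES)
    for f in results:
        print(f"{f.score:>2} {f.user:<28} {f.operation:<14} {f.client_ip:<15} {'; '.join(f.reasons)}")
    for ip, users in pivot_by_ip(results).items():
        if len(users) > 1:
            print(f"shared source {ip}: {', '.join(users)}")
```

Run against a real export (for example the JSON written by the Search-UnifiedAuditLog cmdlet's AuditData field) by replacing SAMPLE_AUDIT_LINES with the file's lines; the IP pivot is the quick check for the pattern in this campaign, where one foreign address logs in to several mailboxes and rigs each one the same way.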

Context and relevance

This campaign is a textbook example of credential-harvesting followed by account takeover and internal BEC-style amplification. Energy-sector organisations are high-value targets where trust relationships and distribution lists make lateral phishing particularly damaging. The attack highlights that social engineering + legitimate cloud services (SharePoint) can be combined to bypass simple defences and scale attacks quickly.

Why should I read this?

If you work in security or in an energy (or critical infrastructure) org, read this — it’s exactly the sort of sneaky trick that turns one compromised inbox into a mass phishing event. Short version: people clicked, attackers logged in, inboxes were quietly rigged, and hundreds of apparently legitimate messages spread. Knowing the pattern saves you from being the next hit.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/