Article Details

Crims compromised energy firms' Microsoft accounts, sent 600 phishing emails. Logging in, not breaking in. Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and then send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations. The attackers likely used previously-compromised email addresses to gain initial access to "multiple" energy-sector organizations targeted in this campaign, according to Redmond, which detailed the digital intrusions in a Wednesday report.  These emails contained a SharePoint URL requiring user authentication and subject lines such as "New Proposal - NDA" to make them appear legitimate. People who clicked on the URL were redirected to a website that required them to enter user credentials, thus giving the criminals valid usernames and passwords to use in later stages of these attacks. Then, the attackers signed in to the compromised accounts with another IP address and created an inbox rule to delete all incoming emails and mark all the emails as read. And from these compromised inboxes, the miscreants sent out new phishing emails - in one case involving more than 600 emails sent with another phishing URL.  "The emails were sent to the compromised user's contacts, both within and outside of the organization, as well as distribution lists," the Microsoft researchers said. "The recipients were identified based on the recent email threads in the compromised user's inbox." In this particular case, after sending out the new phishing emails, the attacker kept an eye on the victim's inbox, deleting any out-of-office or undeliverable messages. They also read email responses and responded to any questions about the legitimacy of the phish. These emails and responses were also later deleted by the attacker.  Anyone from within an energy org who clicked on the malicious URL was also targeted for credential theft and account takeover. The Register asked Microsoft how many organizations were compromised, if its threat hunters have any idea who is behind these attacks, and whether they remain ongoing. We didn't receive any answers from Redmond, but will update this story if and when that changes. While the usual recommendation for any type of identity compromise is to reset the password, in these types of attacker-in-the-middle scams - where the criminal intercepts and relays messages between two parties, allowing them to steal sensitive data and snoop on victims' communications - a password reset alone isn't sufficient to address the issue. "Even if the compromised user's password is reset and sessions are revoked, the attacker can set up persistence methods to sign-in in a controlled manner by tampering with MFA," Redmond warns. "For instance, the attacker can add a new MFA policy to sign in with a one-time password (OTP) sent to the attacker's registered mobile number. With these persistence mechanisms in place, the attacker can have control over the victim's account despite conventional remediation measures." Still, multi-factor authentication (MFA) "remains an essential pillar" in stopping a range of cyber threats, so do enable that.  Microsoft also suggests enabling conditional access policies that evaluate sign-in requests using additional identity-driven signals like user or group membership, IP location information, and device status. If these signals trigger a security alert, the suspicious sign-in is denied. Investing in anti-phishing products that scan incoming messages and visited websites can also help.