Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 2,283 of 2,445    |
|    Mike Powell to All    |
|    MS SharePoint exploited t    |
|    24 Jan 26 10:20:51    |
TZUTC: -0500
MSGID: 2041.consprcy@1:2320/105 2dda214c
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Microsoft SharePoint exploited to hack multiple energy firms

Date:
Fri, 23 Jan 2026 18:10:00 +0000

Description:
Hackers are abusing SharePoint to break into people's emails and propagate further throughout the networks.

FULL STORY

Hackers are, once again, using SharePoint to target large energy firms, steal employee email credentials, and propagate the attack further.

This is according to a new report from Microsoft, which claims multiple large organizations in the energy sector were already targeted.

The attack starts from a previously compromised email account. The crooks use it for initial contact, sending a legitimate-looking email with a SharePoint link. When clicked, the link redirects the victims to a credential-harvesting website, where they are prompted to log in.

What to do to stay safe

Victims that try to log in actually share their credentials with the attackers, who gain access to real corporate email accounts, and access them from a different IP address. After that, they take a few steps to establish persistence while hiding from the victims.

Those steps include creating an inbox rule to delete incoming messages, and marking emails as read.

In the final step, the attackers send large volumes of new phishing emails to both internal and external contacts, as well as distribution lists. The inboxes are monitored, delivery failure and OOO emails are deleted and, in order to maintain the appearance of legitimacy, responses are read and questions are answered.

Microsoft did not share the details about the campaign and its success. We don't know the exact number of organizations targeted, or how many people had their inboxes compromised as a result.

The company did stress that for those that are compromised, simply resetting the password will not suffice, since the crooks created rules and changed settings that enable persistence even when they are ousted.

"Even if the compromised user's password is reset and sessions are revoked, the attacker can set up persistence methods to sign-in in a controlled manner by tampering with MFA," Microsoft warns.

"For instance, the attacker can add a new MFA policy to sign in with a one-time password (OTP) sent to the attacker's registered mobile number. With these persistence mechanisms in place, the attacker can have control over the victim's account despite conventional remediation measures."

Besides MFA, Microsoft also suggested conditional access policies that can trigger alarms if certain conditions are met.

Via The Register

======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-sharepoint-exploited-to-hack-multiple-energy-firms

$$
--- SBBSecho 3.28-Linux
 * Origin: Capitol City Online (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426    |
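A detection sketch for the persistence steps the story above describes (a sign-in from a different IP address, followed by an inbox rule that deletes incoming messages or marks them as read). This is an added example, not part of the original post or of Microsoft's report. The event shape, field names, time window and sample records are constructed assumptions, not a real audit-log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions of this example.
EVENTS = [
    {"time": "2026-01-20T09:00:00", "user": "alice@example.com", "op": "SignIn", "ip": "198.51.100.10"},
    {"time": "2026-01-21T09:02:00", "user": "alice@example.com", "op": "SignIn", "ip": "198.51.100.10"},
    {"time": "2026-01-22T03:14:00", "user": "alice@example.com", "op": "SignIn", "ip": "203.0.113.77"},
    {"time": "2026-01-22T03:19:00", "user": "alice@example.com", "op": "NewInboxRule",
     "ip": "203.0.113.77", "actions": {"DeleteMessage": True, "MarkAsRead": True}},
    {"time": "2026-01-22T10:00:00", "user": "bob@example.com", "op": "SignIn", "ip": "198.51.100.20"},
    {"time": "2026-01-22T10:05:00", "user": "bob@example.com", "op": "NewInboxRule",
     "ip": "198.51.100.20", "actions": {"MoveToFolder": "Newsletters"}},
]

# Rule actions that hide mail from the mailbox owner, as described in the story.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead"}
WINDOW = timedelta(hours=24)  # assumed correlation window


def suspicious_rules(events, window=WINDOW):
    """Flag hiding inbox rules created from an IP first seen for that user within `window`."""
    seen_ips = {}   # user -> set of IPs already observed for that user
    new_ip_at = {}  # (user, ip) -> time the IP first appeared, if the user had earlier IPs
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user, ip = ev["user"], ev["ip"]
        known = seen_ips.setdefault(user, set())
        if ev["op"] == "SignIn":
            # A user's first recorded IP is the baseline, so it is not treated as new.
            if known and ip not in known:
                new_ip_at[(user, ip)] = t
            known.add(ip)
        elif ev["op"] == "NewInboxRule":
            hiding = sorted(a for a, v in ev.get("actions", {}).items()
                            if a in HIDING_ACTIONS and v is True)
            first = new_ip_at.get((user, ip))
            if hiding and first is not None and t - first <= window:
                findings.append({
                    "user": user,
                    "ip": ip,
                    "actions": hiding,
                    "minutes_after_signin": int((t - first).total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in suspicious_rules(EVENTS):
        print(finding)
```

A hit here means the mailbox needs more than a password reset: per the story, the rule itself and any changed MFA settings also have to be reviewed and removed.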
(c) 1994, bbs@darkrealms.ca