Microsoft SharePoint Abused in Phishing Attacks Targeting Energy Companies

Microsoft 365 recently had an outage, but the cybersecurity landscape keeps moving fast, and attackers have now turned Microsoft’s own services into weapons.

As The Register reports, unknown threat actors targeted multiple energy-sector organizations by abusing Microsoft SharePoint file-sharing features to steal user credentials.

Attackers hijack trusted SharePoint links

The attackers started with previously compromised email accounts. From there, they sent phishing messages containing malicious SharePoint URLs that looked legitimate to employees. When users clicked the links, they landed on fake pages designed to capture login credentials.

Once attackers gained access, they took control of corporate inboxes. They created rules to delete incoming emails and automatically mark messages as read, hiding suspicious activity from victims.

Phishing spreads from inside the organization

Using the compromised accounts, attackers sent large phishing waves to internal and external contacts. In one documented case, a single hijacked inbox sent more than 600 phishing emails.

The messages targeted recent contacts and internal distribution lists, which made them appear trustworthy. Attackers actively monitored inboxes, deleted replies, removed out-of-office messages, and even responded to questions to maintain the illusion of legitimacy.

Any employee who interacted with the malicious links risked losing their own credentials, allowing the attack to spread further inside the organization.

Security researchers warn that simply resetting passwords may not fully remove attackers. Some groups use persistence techniques, including tampering with multi-factor authentication settings, to keep access even after cleanup attempts.

The incident highlights how trusted cloud services can become powerful tools for attackers when accounts get compromised.

In other Microsoft-related news, the company has pushed an update for Azure Database for MySQL and continues its transition toward Azure Monitoring, phasing out legacy monitoring tools.