Overview
- Attackers sent SharePoint-themed emails with subjects like “New Proposal – NDA” from previously compromised trusted accounts to lure energy-sector employees to adversary-in-the-middle (AiTM) proxy login pages, which relay the victim's sign-in to the real identity provider while recording it.
- The phishing sites harvested credentials and session cookies. A replayed cookie represents a session in which MFA has already been completed, so the attackers could sign in from other IPs, including 178.130.46.8 and 193.36.221.10, without triggering a new MFA prompt.
- Once inside, the intruders created inbox rules to hide their activity, monitored threads, deleted out-of-office and undeliverable notices (which would otherwise tip off the mailbox owner that mail was being sent in their name), and replied to recipients who questioned the messages before wiping traces.
- Compromised mailboxes were used to launch new waves of phishing, including one case in which more than 600 emails were sent to internal and external contacts and distribution lists.
- Microsoft published guidance stating that an effective response requires revoking active sessions (so that stolen cookies and tokens stop working), removing attacker-created inbox rules, auditing and reverting malicious MFA changes such as newly registered authentication methods, and enforcing Conditional Access with phishing-resistant authentication (for example FIDO2 security keys or passkeys, whose origin binding an AiTM proxy cannot relay).
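The three post-compromise signals described above (session-cookie replay sign-ins from new IPs that never completed a fresh MFA challenge, inbox rules that suppress bounce and out-of-office notices, and a sudden outbound send spike) can be correlated per user from audit data. The following Python script is an added example, not code from the original page or from Microsoft: it runs detection logic over constructed sample records whose field names (`user`, `ip`, `mfa`, `op`, `params`) are simplified assumptions loosely modelled on Entra ID sign-in logs and Exchange unified audit log entries, not the real schemas. The `mfa` value `satisfied_by_token_claim` stands in for the sign-in log detail that reports the MFA requirement as satisfied by a claim already in the token rather than by a new challenge.

```python
"""Correlate sign-in, inbox-rule and send events to flag AiTM-style mailbox takeover.

Added example with constructed data; record shapes are simplified assumptions,
not the real Entra ID / Exchange audit schemas.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample records -------------------------------------------------
SIGNINS = [
    # Normal interactive sign-in: fresh MFA challenge from the user's usual IP.
    {"time": "2024-05-02T08:01:00", "user": "j.doe@example.com", "ip": "203.0.113.7",
     "ok": True, "mfa": "fresh_challenge"},
    # Cookie replay: new IPs (from the report), MFA "satisfied" by the stolen session.
    {"time": "2024-05-02T09:15:00", "user": "j.doe@example.com", "ip": "178.130.46.8",
     "ok": True, "mfa": "satisfied_by_token_claim"},
    {"time": "2024-05-02T09:40:00", "user": "j.doe@example.com", "ip": "193.36.221.10",
     "ok": True, "mfa": "satisfied_by_token_claim"},
    # Travelling colleague: new IP, but a fresh MFA challenge was completed. Not flagged.
    {"time": "2024-05-02T10:00:00", "user": "a.lee@example.com", "ip": "198.51.100.4",
     "ok": True, "mfa": "fresh_challenge"},
]
KNOWN_IPS = {"j.doe@example.com": {"203.0.113.7"}, "a.lee@example.com": {"203.0.113.7"}}

RULE_EVENTS = [
    # Attacker rule: delete and mark-as-read anything that looks like a bounce or auto-reply.
    {"time": "2024-05-02T09:18:00", "user": "j.doe@example.com", "op": "New-InboxRule",
     "params": {"SubjectContainsWords": "undeliverable;out of office;automatic reply",
                "DeleteMessage": "True", "MarkAsRead": "True"}},
    # Benign rule: file a newsletter into a folder.
    {"time": "2024-05-02T11:00:00", "user": "a.lee@example.com", "op": "New-InboxRule",
     "params": {"From": "newsletter@example.org", "MoveToFolder": "Newsletters"}},
]

# One record per outbound message: 640 from j.doe within 40 minutes, 3 from a.lee.
SENDS = [{"time": f"2024-05-02T09:{m:02d}:00", "user": "j.doe@example.com"}
         for m in range(20, 60)] * 16 + \
        [{"time": "2024-05-02T11:05:00", "user": "a.lee@example.com"}] * 3

# --- Detection logic -------------------------------------------------------------
NOTICE_RE = re.compile(r"undeliverable|out of office|automatic reply|delivery", re.I)
HIDE_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


def parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_signins(signins, known_ips):
    """Successful sign-ins from an IP never seen for that user where the MFA
    requirement was not met by a fresh challenge: the stolen-cookie pattern."""
    return [s for s in signins
            if s["ok"]
            and s["ip"] not in known_ips.get(s["user"], set())
            and s["mfa"] != "fresh_challenge"]


def suspicious_rules(events):
    """Inbox rules that hide mail (delete/move/mark-read) *and* target bounce or
    out-of-office wording, the combination used to hide outbound phishing."""
    out = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["params"]
        hides = any(k in p for k in HIDE_ACTIONS)
        words = p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")
        if hides and NOTICE_RE.search(words):
            out.append(e)
    return out


def send_spikes(sends, threshold, window=timedelta(hours=1)):
    """Per user, the largest number of messages sent inside any sliding window,
    reported only when it exceeds threshold."""
    by_user = defaultdict(list)
    for s in sends:
        by_user[s["user"]].append(parse(s["time"]))
    spikes = {}
    for user, times in by_user.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                spikes[user] = max(spikes.get(user, 0), count)
    return spikes


def correlate(signins, rule_events, sends, known_ips,
              send_threshold=100, horizon=timedelta(hours=24)):
    """Group suspicious sign-ins per user and attach hiding rules created within
    `horizon` of the sign-in plus any outbound spike for that user."""
    findings = {}
    rules = suspicious_rules(rule_events)
    spikes = send_spikes(sends, send_threshold)
    for s in suspicious_signins(signins, known_ips):
        t0 = parse(s["time"])
        f = findings.setdefault(s["user"], {"ips": [], "rules": [], "send_spike": 0})
        f["ips"].append(s["ip"])
        for r in rules:
            if (r["user"] == s["user"] and t0 <= parse(r["time"]) <= t0 + horizon
                    and r not in f["rules"]):
                f["rules"].append(r)
        f["send_spike"] = spikes.get(s["user"], 0)
    return findings


if __name__ == "__main__":
    for user, f in correlate(SIGNINS, RULE_EVENTS, SENDS, KNOWN_IPS).items():
        print(user, "ips:", f["ips"], "hiding rules:", len(f["rules"]),
              "send spike:", f["send_spike"])
```

A sign-in from a new IP is not by itself evidence of compromise (the `a.lee` record shows the travelling-user case, which completed a fresh MFA challenge and is left alone); the value is in the combination with a rule that specifically hides bounces and auto-replies, which legitimate users almost never create, and with an outbound volume far above the mailbox's norm. Each flagged user maps directly onto the response steps in the guidance above: revoke the sessions behind the listed IPs, delete the listed rules, then review MFA registrations for that account.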