Threat actors are leveraging the file-sharing service for payload delivery in AitM phishing and BEC attacks.
January 23, 2026 By Ionut Arghire

Threat actors have been abusing SharePoint for payload delivery in a new phishing campaign targeting energy organizations, Microsoft warns.
One multi‑stage attack analyzed by Microsoft started with adversary‑in‑the‑middle (AitM) phishing, where the victim received an email from the compromised account of a trusted organization.
The message featured a document‑sharing workflow theme and included a SharePoint URL that directed the victim to a landing page prompting them for their Microsoft credentials.
Next, the attackers prepared for business email compromise (BEC): they accessed the compromised inbox and created rules to mark all messages as read and delete incoming emails. They then sent over 600 phishing emails, each carrying another phishing URL, to the victim’s contacts.
“The recipients were identified based on the recent email threads in the compromised user’s inbox,” Microsoft explains.
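
A defender's view of the pattern described above (an inbox rule that marks all mail as read and deletes it, followed by a burst of outbound messages), as an added example that is not from Microsoft or the article. The record layout is modelled on Exchange Online audit entries and is an assumption, as are the function names, the 24-hour window and the 50-send threshold; the sample records are constructed.

```python
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule conditions that narrow matching; a rule with none of them applies to all mail.
CONDITIONS = {"From", "SubjectContainsWords", "BodyContainsWords",
              "SubjectOrBodyContainsWords", "FromAddressContainsWords"}

def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def is_hide_all_rule(rec):
    """True for an inbox rule that marks as read AND deletes every incoming message."""
    if rec["Operation"] not in RULE_OPS:
        return False
    p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}
    hides = p.get("MarkAsRead") == "True" and p.get("DeleteMessage") == "True"
    return hides and not (CONDITIONS & p.keys())

def find_suspect_mailboxes(records, window=timedelta(hours=24), min_sends=50):
    """Map user -> sends seen within `window` after a hide-all rule, if >= min_sends."""
    findings = {}
    for rule in filter(is_hide_all_rule, records):
        start, user = _ts(rule), rule["UserId"]
        sends = sum(1 for r in records
                    if r["Operation"] == "Send" and r["UserId"] == user
                    and start <= _ts(r) <= start + window)
        if sends >= min_sends:
            findings[user] = max(sends, findings.get(user, 0))
    return findings

def _rec(user, op, minute, **params):
    # Helper that builds one constructed audit record (assumed schema).
    t = datetime(2026, 1, 10, 9, 0) + timedelta(minutes=minute)
    return {"UserId": user, "Operation": op, "CreationTime": t.isoformat(),
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

# Constructed sample data (not from the article): one mailbox matching the pattern,
# one with a narrowly scoped rule, one with ordinary send volume and no rule.
SAMPLE = (
    [_rec("a.user@example.com", "New-InboxRule", 0, Name=".",
          MarkAsRead="True", DeleteMessage="True")]
    + [_rec("a.user@example.com", "Send", m) for m in range(1, 61)]
    + [_rec("b.user@example.com", "New-InboxRule", 0, Name="newsletters",
            From="news@example.org", MarkAsRead="True", DeleteMessage="True")]
    + [_rec("b.user@example.com", "Send", m) for m in range(1, 61)]
    + [_rec("c.user@example.com", "Send", m) for m in range(1, 6)]
)

if __name__ == "__main__":
    for user, n in find_suspect_mailboxes(SAMPLE).items():
        print(f"{user}: hide-all inbox rule followed by {n} sent messages")
```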