BECs Don't Always Target Your Emails
SharePoint is often the real target in business “email” compromises
“Crown Jewels” Often Live in SharePoint
Last week, we walked through a corporate espionage BEC where the attacker accessed emails containing sensitive data within just 10 seconds.
The industry term for these M365 attacks is ‘Business Email Compromise’ (BEC). Given this term, it’s fair to assume attackers are only targeting the user’s email account.
However, attackers often compromise Microsoft accounts looking for sensitive data.
That data is often in SharePoint. And, attackers know this.
We observe that in many cases, attackers don’t even bother looking at the user’s emails. Instead, they make a beeline for SharePoint.
Here’s why attackers love SharePoint:
Many companies store sensitive Word/Excel docs there.
It’s easier to search than email; folders are named by subject, files have descriptive names, so attackers can quickly find what they’re looking for.
It often contains both financial records (invoices, contracts) and credentials to other accounts (unfortunately, passwords.xlsx is still very common).
Let’s dive into a few cases that show how fast an attacker can pull data from SharePoint once they’re in.
Example 1: Credentials and Invoices
Here’s an attack timeline where the attacker quickly accesses credentials and invoices:
The attacker logs in at 6:17:20 AM PDT.
Within 8 seconds, at 6:17:28 AM PDT, they’re in the Shared Drives folder on SharePoint.
The subdirectories in Shared Drives are organized by user. Within each user’s directory, the folders are organized by subject.
The attacker quickly accesses credentialing log.docx, which is housed in the aptly named Credentials folder under user A’s directory.
The attacker also identifies a Financials folder in a separate user’s directory, and sure enough, finds invoices log.xlsx inside that folder.
Example 2: Legal Agreements and Expense Docs
Here’s another attack where the attacker gets ahold of a legal agreement and a doc containing expenses for a construction site:
The attacker logs in at 7:43:46 PM PDT and quickly targets the Documents directory in SharePoint.
Within 11 seconds, they’ve found a legal agreement for Acme Corp (anonymized), which, naturally, is housed under ‘Acme Corp/Documents’.
Less than a minute later, the attacker has identified ‘Documents/123 MULLHOLLAND EXPENSES’ (anonymized). Sure enough, inside this subdirectory, they find a document with expenses.
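Both timelines above can be reconstructed from the Microsoft 365 Unified Audit Log rather than from memory: filter the log to the attacker’s IP, anchor on the UserLoggedIn event, and list every SharePoint/OneDrive file operation with its offset from login. The script below is an added example, not Petra’s tooling. It assumes the records have already been parsed out of the AuditData JSON that Search-UnifiedAuditLog returns; the field names (CreationTime, Operation, Workload, UserId, ClientIP, SourceRelativeUrl, SourceFileName) are the real schema names, while the users, paths, times and IPs are constructed to mirror Example 1.

```python
"""Reconstruct what a compromised session touched in SharePoint from
Microsoft 365 Unified Audit Log records. Added example, not Petra's tooling."""
import re
from datetime import datetime

# Constructed sample records shaped like Office 365 Management Activity API /
# Search-UnifiedAuditLog AuditData. Users, paths, times and IPs are made up.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-06-03T13:17:20", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "usera@example.com",
     "ClientIP": "203.0.113.10"},
    {"CreationTime": "2025-06-03T13:17:28", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "usera@example.com",
     "ClientIP": "203.0.113.10",
     "SourceRelativeUrl": "Shared Drives/User A/Credentials",
     "SourceFileName": "credentialing log.docx"},
    {"CreationTime": "2025-06-03T13:17:41", "Operation": "FileDownloaded",
     "Workload": "SharePoint", "UserId": "usera@example.com",
     "ClientIP": "203.0.113.10",
     "SourceRelativeUrl": "Shared Drives/User B/Financials",
     "SourceFileName": "invoices log.xlsx"},
    {"CreationTime": "2025-06-03T13:19:02", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "usera@example.com",
     "ClientIP": "203.0.113.10",
     "SourceRelativeUrl": "Shared Drives/User A/Marketing",
     "SourceFileName": "logo.png"},
    # Legitimate activity from the user's own IP: outside the intrusion scope.
    {"CreationTime": "2025-06-03T14:05:10", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "UserId": "usera@example.com",
     "ClientIP": "198.51.100.7"},
]

# SharePoint/OneDrive operations that mean content was viewed or taken.
FILE_OPS = {"FileAccessed", "FileDownloaded", "FilePreviewed",
            "FileSyncDownloadedFull", "FileCopied"}

# Folder/file name fragments matching the data types the post describes.
# Tune this to your own naming conventions.
SENSITIVE = re.compile(
    r"credential|passw|invoice|financ|contract|agreement|expense", re.I)


def parse_time(value):
    """UAL CreationTime is UTC ISO-8601, sometimes with a trailing Z."""
    return datetime.fromisoformat(value.rstrip("Z"))


def sharepoint_timeline(records, attacker_ip):
    """Scope the SharePoint side of a BEC for one attacker IP.

    Returns the login time, seconds from login to the first SharePoint or
    OneDrive file operation, every file event in the session with its
    offset from login, and the subset whose path or name looks sensitive.
    """
    session = sorted((r for r in records if r.get("ClientIP") == attacker_ip),
                     key=lambda r: parse_time(r["CreationTime"]))
    login = next((r for r in session if r["Operation"] == "UserLoggedIn"), None)
    if login is None:
        return {"login": None, "seconds_to_first_file": None,
                "files": [], "sensitive": []}
    t0 = parse_time(login["CreationTime"])
    files = []
    for r in session:
        if r.get("Workload") not in ("SharePoint", "OneDrive"):
            continue
        if r["Operation"] not in FILE_OPS:
            continue
        files.append({
            "seconds_after_login": int(
                (parse_time(r["CreationTime"]) - t0).total_seconds()),
            "operation": r["Operation"],
            "path": r.get("SourceRelativeUrl", ""),
            "name": r.get("SourceFileName", ""),
        })
    sensitive = [f for f in files
                 if SENSITIVE.search(f["path"] + "/" + f["name"])]
    return {
        "login": t0.isoformat(),
        "seconds_to_first_file": files[0]["seconds_after_login"] if files else None,
        "files": files,
        "sensitive": sensitive,
    }


if __name__ == "__main__":
    result = sharepoint_timeline(SAMPLE_RECORDS, "203.0.113.10")
    print(f"login {result['login']}, first SharePoint file after "
          f"{result['seconds_to_first_file']}s")
    for f in result["sensitive"]:
        print(f"  +{f['seconds_after_login']:>4}s {f['operation']:<15} "
              f"{f['path']}/{f['name']}")
```

Keying on the attacker’s IP rather than only the user is what keeps the victim’s own later mailbox activity out of the scope, and listing every file operation (not just the flagged ones) matters because the regex will miss files whose names are bland but whose contents are not.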
Takeaway: BEC is a Misnomer; SharePoint is a Target.
Despite the name business email compromise, these attacks aren’t just about email.
SharePoint is often the main prize for attackers. It’s where companies keep the good stuff—sensitive docs, spreadsheets, contracts, credentials—all neatly organized and easy to search.
We’ve seen many cases where attackers don’t even touch the mailbox. They log in, skip email entirely, and head straight for SharePoint.
And when they do, they move fast. Attackers can get their hands on sensitive data in less than 10 seconds.
It’s also worth remembering: SharePoint isn’t just a target—it can become a weapon. We’ve seen attackers use compromised SharePoint infrastructure to host malicious files and launch new phishing campaigns.
So next time you’re responding to a BEC and all the focus is on login anomalies or inbox rules, stop and ask: What did the attacker get from SharePoint?
If SharePoint’s in scope for the attacker, it better be in scope for you as a defender too.
If you’re spending a lot of time on M365 attacks, shoot me a note on LinkedIn. Always happy to share what we’re seeing in the latest attacks here at Petra.