Power BI Phishing: How Trusted Platforms Fuel Cyber Insurance Claims

Phishing campaign uses SharePoint and Power BI to steal credentials across 1,800+ firms. How this drives up claims frequency and severity for cyber insurers.

When Trusted Platforms Become Attack Vectors: The Power BI Phishing Campaign

On February 6, 2025, a new threat intelligence report detailed a sophisticated phishing campaign that exploits two widely trusted Microsoft platforms: SharePoint and Power BI. The attack chain starts with a seemingly legitimate SharePoint link, which then redirects victims to a fake Power BI login page designed to harvest credentials. Over 1,800 organizations across financial services, healthcare, and manufacturing have been targeted in the past 30 days, according to the report. For cyber insurance professionals, this campaign represents a growing class of risk where trusted business tools are weaponized, making detection harder and claims more likely.

What Happened: The Attack Chain in Plain Language

The campaign begins with a phishing email that appears to come from a known colleague or business partner. The email contains a link to a SharePoint file—often a “Quarterly Report” or “Invoice.” When the recipient clicks the link, they are taken to a legitimate SharePoint page that hosts a malicious file. That file, typically an .html or .aspx page, automatically redirects the browser to a fake Microsoft Power BI login screen.

The fake login page is visually identical to the real Power BI sign-in, complete with the organization’s logo and branding (harvested from the victim’s email domain). If the user enters their credentials, the attacker captures them and immediately uses them to access the real Power BI environment, often exfiltrating dashboards and data reports. The attack is notable because it uses legitimate Microsoft infrastructure (SharePoint) as the initial redirect, bypassing many email security filters that block unknown domains.
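Because the cloned page copies the logo and branding faithfully, the one signal that survives is the hostname in the address bar: the page the user types into is no longer on SharePoint, and it is not on a Microsoft sign-in host either. The following Python is an added example, not code from the report or from Microsoft. It shows how a URL-rewriting gateway or an awareness tool could classify a login URL by comparing whole host labels against an allowlist, rather than checking whether the string "microsoft" appears somewhere in the URL. The allowlisted hosts, the keyword list and the sample URLs are assumptions for the example; replace the allowlist with the sign-in hosts that are valid for your tenant.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts on which a genuine Microsoft / Power BI sign-in page can live.
# Assumption for this example: adjust for your tenant (sovereign clouds,
# federated IdP sign-in hosts, etc.).
LEGITIMATE_SIGNIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "app.powerbi.com",
    "powerbi.microsoft.com",
})

# Brand words whose presence in a non-allowlisted host suggests a lookalike
# (assumed list; extend with your own brand names).
BRAND_KEYWORDS = ("microsoft", "powerbi", "office")


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of url, or None if it has none.

    urlsplit().hostname already lowercases, strips the port and drops any
    userinfo, so 'https://powerbi.microsoft.com@evil.example/' yields
    'evil.example', which is exactly the host the browser will talk to.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # tolerate a trailing dot in a fully qualified name


def is_legitimate_signin_host(host: str) -> bool:
    """True only if host equals an allowed host or is a subdomain of one.

    The suffix match is on whole labels ('.' + allowed), so
    'login.microsoftonline.com.evil.example' and 'powerbi-login.com'
    are both rejected even though they contain the allowed name.
    """
    return any(host == allowed or host.endswith("." + allowed)
               for allowed in LEGITIMATE_SIGNIN_HOSTS)


def classify_login_url(url: str) -> str:
    """Classify a URL a user is about to enter credentials into.

    Returns 'legitimate', 'lookalike' (brand word in a non-allowlisted
    host), 'unknown' (no brand word, but still not a sign-in host) or
    'invalid' (no parsable hostname).
    """
    host = normalize_host(url)
    if host is None:
        return "invalid"
    if is_legitimate_signin_host(host):
        return "legitimate"
    if any(word in host for word in BRAND_KEYWORDS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the campaign.
    for sample in (
        "https://app.powerbi.com/",
        "https://powerbi-login.com/signin",
        "https://login.microsoftonline.com.evil.example/",
        "https://powerbi.microsoft.com@evil.example/",
        "https://contoso.sharepoint.com/sites/Finance/report.html",
    ):
        print(f"{classify_login_url(sample):11s} {sample}")
```

Two design points matter for this check. First, the comparison is on the registrable host with whole-label suffix matching; a substring test on the URL would accept both the subdomain trick and a userinfo prefix. Second, the legitimate SharePoint host that starts the chain is classified as "unknown", not "legitimate": SharePoint is a valid place to host a file but never a valid place to enter Microsoft credentials, so a credential entry there is itself a red flag.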

Why This Matters for Insurance: Claims Frequency and Severity

This campaign directly impacts three key insurance metrics:

  • Claims frequency: Credential theft is the leading cause of data breaches. By exploiting trusted platforms, attackers increase the success rate of phishing, leading to more incidents per insured portfolio. Early data from the report suggests a 40% higher click-through rate compared to standard phishing campaigns.
  • Claims severity: Once inside Power BI, attackers can access sensitive business intelligence, customer data, and financial reports. The average cost of a breach involving business analytics platforms is estimated at $4.8 million (IBM, 2024), largely due to IP theft and regulatory fines.
  • Coverage triggers: Many cyber policies require a “security failure” for coverage. If an employee voluntarily enters credentials on a fake login page, insurers may argue it was not a failure of technical controls but of user behavior. This gray area can lead to disputes.

For underwriters, the campaign signals a need to reassess how phishing simulations and multi-factor authentication (MFA) are evaluated. Organizations that have not extended MFA to Power BI and SharePoint are at significantly higher risk.

Technical Details (Explained for Business Decision-Makers)

The attack exploits a trust relationship between two Microsoft services. From a technical standpoint, the attacker does not need to compromise SharePoint or Power BI themselves. Instead, they use a feature called “SharePoint file embedding” to host a malicious HTML file that performs a server-side redirect. The redirect is invisible to the user because the URL in the browser remains on sharepoint.com until the fake login page loads.

Key technical points for risk engineers and CISOs:

  • No malware involved: The attack is entirely credential-based. Traditional endpoint detection tools may not flag it because no executable is downloaded.
  • MFA bypass potential: If the fake login page is set up as a reverse proxy (e.g., using tools like EvilGinx), it can capture session cookies and bypass MFA tokens. The report confirms that 30% of successful compromises in this campaign involved MFA bypass.
  • Data exfiltration via Power BI APIs: Once inside, attackers use Power BI’s native export features to download dashboards and datasets. This is often logged as normal user activity, making detection difficult.

For underwriters, the key signal is whether the insured has implemented conditional access policies that require MFA for all cloud apps, including SharePoint and Power BI. Standard MFA on email alone is insufficient.

Implications for Coverage and Underwriting

This campaign exposes several coverage gaps that brokers and underwriters must address:

  1. Social engineering exclusion language: Many policies exclude losses caused by “voluntary” credential sharing. If an employee was tricked by a convincing fake login page, is that voluntary? Courts have split on this. Underwriters should clarify whether the policy covers “deceptive” credential entry.

  2. Business interruption from data loss: If attackers delete or corrupt Power BI datasets, the insured may face significant operational downtime. Standard cyber policies often limit business interruption (BI) coverage to network outages, not data corruption. Brokers should check if the policy includes “data loss” as a covered cause of loss.

  3. Regulatory fines and notification costs: Breaches involving business analytics platforms often trigger GDPR, HIPAA, or CCPA notification requirements because the data is typically structured and identifiable. Underwriters should ensure sub-limits for regulatory defense are adequate.

  4. Risk scoring adjustments: Insurers using cyber risk quantification tools, such as Resiliently’s FAIR-based risk reports, should adjust loss exceedance curves to account for the higher probability of credential theft via trusted platforms. The campaign increases the likelihood of a breach by an estimated 15–20% for organizations using Power BI without conditional access.

Actionable Recommendations for Each Audience

For CISOs and risk engineers:

  • Implement conditional access policies that require MFA for all Microsoft 365 apps, especially SharePoint and Power BI.
  • Deploy browser isolation or URL rewriting for all inbound links, even those from trusted domains.
  • Train users to verify the URL in the address bar before entering credentials. The fake login page will have a slightly different domain (e.g., powerbi-login.com instead of powerbi.microsoft.com).
  • Monitor Power BI audit logs for unusual export activity, such as multiple dashboard downloads in a short period.
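The technical-details section notes that exports through Power BI's native features are logged as ordinary user activity, and the last recommendation above is to watch those logs for bursts of downloads. What separates the two is not the individual event but the rate and spread: one analyst exporting one report is normal, one account exporting six different reports in seven minutes is not. The following Python is an added example, not code from the report or from Microsoft. It reads newline-delimited JSON records in the shape of Microsoft 365 unified audit log entries and flags any user whose export operations within a sliding time window reach a threshold. The operation names (ExportReport, ExportArtifact, DownloadReport) follow the Power BI activity log but are an assumption to verify against your tenant's own export; the log lines are constructed sample data, not real records.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Power BI operations that move data out of the service. Assumed names,
# based on the Power BI activity log; verify against your tenant's records.
EXPORT_OPERATIONS = frozenset({"ExportReport", "ExportArtifact", "DownloadReport"})

# Constructed sample records in the shape of unified audit log entries
# (CreationTime is UTC). Not real data: alice shows a burst, bob does not.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2025-02-06T09:00:10","Workload":"PowerBI","Operation":"ViewReport","UserId":"alice@contoso.example","ItemName":"Revenue Q4"}
{"CreationTime":"2025-02-06T09:01:02","Workload":"PowerBI","Operation":"ExportReport","UserId":"alice@contoso.example","ItemName":"Revenue Q4"}
{"CreationTime":"2025-02-06T09:02:15","Workload":"PowerBI","Operation":"ExportReport","UserId":"alice@contoso.example","ItemName":"Customer Churn"}
{"CreationTime":"2025-02-06T09:03:40","Workload":"PowerBI","Operation":"ExportArtifact","UserId":"alice@contoso.example","ItemName":"Payroll"}
{"CreationTime":"2025-02-06T09:04:00","Workload":"SharePoint","Operation":"FileDownloaded","UserId":"alice@contoso.example","ItemName":"Quarterly Report.html"}
{"CreationTime":"2025-02-06T09:05:05","Workload":"PowerBI","Operation":"DownloadReport","UserId":"alice@contoso.example","ItemName":"Board Pack"}
{"CreationTime":"2025-02-06T09:06:30","Workload":"PowerBI","Operation":"ExportReport","UserId":"alice@contoso.example","ItemName":"Pipeline"}
{"CreationTime":"2025-02-06T09:08:12","Workload":"PowerBI","Operation":"ExportReport","UserId":"alice@contoso.example","ItemName":"Claims Ledger"}
{"CreationTime":"2025-02-06T08:15:00","Workload":"PowerBI","Operation":"ExportReport","UserId":"bob@contoso.example","ItemName":"Revenue Q4"}
{"CreationTime":"2025-02-06T16:45:00","Workload":"PowerBI","Operation":"ExportReport","UserId":"bob@contoso.example","ItemName":"Revenue Q4"}
"""


def parse_audit_log(text: str) -> List[Dict]:
    """Parse newline-delimited JSON records, keeping only Power BI export events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Workload") != "PowerBI" or rec.get("Operation") not in EXPORT_OPERATIONS:
            continue
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        events.append(rec)
    return events


def find_export_bursts(events: List[Dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one finding per user whose export count inside any sliding
    window of length `window` reaches `threshold`.

    Events are grouped per user and sorted by time; a two-pointer sweep keeps
    [start, end] inside the window, so each user is processed in O(n log n).
    The finding reports the densest window seen and the distinct items exported,
    which is what an analyst needs to judge scope.
    """
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_user[e["UserId"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["_time"])
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["_time"] - evs[start]["_time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "user": user,
                    "count": count,
                    "first": evs[start]["CreationTime"],
                    "last": evs[end]["CreationTime"],
                    "items": sorted({e["ItemName"] for e in evs[start:end + 1]}),
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_export_bursts(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{f['user']}: {f['count']} exports between {f['first']} and "
              f"{f['last']} -> {', '.join(f['items'])}")
```

The threshold and window are tuning knobs, not constants to trust: set them from a baseline of your own tenant's export volume per user, and treat a burst that also spans many distinct reports, or comes from a client IP the account has not used before, as higher priority. Because a stolen session replays the victim's own identity, this rate-based view is one of the few detections that does not depend on the login itself looking wrong.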

For brokers and underwriters:

  • Ask insureds for their MFA coverage scope. If MFA is not enforced on SharePoint and Power BI, consider a premium surcharge or exclusion.
  • Review policy language around “social engineering” and “voluntary parting.” Ensure that credential theft via deceptive login pages is explicitly covered.
  • Use threat intelligence feeds to track whether the insured’s industry is being actively targeted. The campaign has focused on financial services and healthcare so far.

For all stakeholders:

  • Run a tabletop exercise simulating a Power BI credential theft incident. Test whether incident response plans include revoking session tokens and disabling OAuth apps.
  • Consider purchasing standalone cyber crime coverage for funds transfer fraud, as attackers may use stolen Power BI access to manipulate financial reports and initiate fraudulent wire transfers.

The Takeaway

The Power BI phishing campaign is not a novel technical exploit—it is a novel social engineering tactic that weaponizes trust in Microsoft’s ecosystem. For the insurance industry, it underscores a fundamental shift: attackers no longer need to break into systems; they only need to trick users into opening the door. Underwriters must update their risk models to reflect the higher frequency of credential theft when trusted platforms are involved. Brokers must ensure policy language is clear on what constitutes a “security failure.” And CISOs must extend security controls beyond email to every cloud application that holds sensitive data.
