Trusted Platform Phishing: Cyber Insurance Risks from SharePoint & Power BI Attacks
New phishing campaign exploits Microsoft SharePoint and Power BI to bypass security. For underwriters, this shifts risk modeling and requires coverage updates.
The Trusted Platform Paradox: When Power BI and SharePoint Become Phishing Vectors
On February 6, 2025, a threat intelligence report detailed a sophisticated phishing campaign that exploits two of the most widely deployed business tools in the enterprise: Microsoft SharePoint and Power BI. The attack chain is deceptively simple—a seemingly legitimate SharePoint link embedded in an email redirects the user through a Power BI report, ultimately landing on a credential-harvesting page that mimics a Microsoft login. For an industry that has spent years training users to distrust unknown domains and random attachments, this campaign represents a dangerous evolution: the weaponization of trusted platforms.
This is not a theoretical risk. Microsoft Power BI is used by over 3 million organizations globally, and SharePoint serves as the document management backbone for hundreds of thousands of enterprises. When attackers exploit the trust users place in these tools, they bypass traditional security controls and exploit a fundamental human bias—familiarity. For CISOs, risk engineers, and insurance underwriters, this campaign signals a shift in the risk environment that demands a re-evaluation of cyber insurance underwriting, loss modeling, and risk mitigation strategies.
Anatomy of the Attack: How Trusted Platforms Enable Credential Theft
The campaign, first identified by threat researchers in early February 2025, follows a multi-stage process that uses Microsoft’s own infrastructure to evade detection.
- Initial Email: The victim receives an email that appears to come from a known contact or internal system. The email contains a link to a SharePoint document or a Power BI dashboard. Because the link points to a legitimate sharepoint.com or powerbi.com domain, email security gateways and URL reputation filters typically allow it.
- Redirect to Power BI: Clicking the SharePoint link triggers a redirect to a Power BI report. The attacker has created a Power BI workspace with a report that contains an embedded link or a custom visual. Power BI reports can include web content, images, and interactive elements. The attacker uses this to display a fake Microsoft login prompt or to redirect the user to an external phishing page.
- Credential Harvesting: The user, seeing a familiar Microsoft-branded interface, enters their credentials. The attacker captures these and can then use them to access the victim’s actual Microsoft 365 account, including email, SharePoint files, and other connected services.
- Lateral Movement: Once inside, the attacker can move laterally within the organization, potentially accessing sensitive data, deploying ransomware, or exfiltrating information.
The key innovation here is the use of Power BI as a redirector. Power BI reports can be shared publicly or within an organization, and they can contain embedded HTML or JavaScript. Attackers are using this functionality to host the phishing content on a domain that is inherently trusted by security tools and users alike.
Insurance Implications: Claims Frequency, Severity, and Coverage Gaps
For cyber insurers, this campaign has direct implications for claims frequency and severity. Phishing remains the leading cause of data breaches and ransomware infections, accounting for over 40% of all cyber insurance claims in 2024, according to industry loss data. The use of trusted platforms like Power BI and SharePoint increases the likelihood of successful phishing because:
- Higher success rate: Traditional phishing emails have a click-through rate of roughly 3–5%. When the link points to a legitimate domain, that rate can double or triple because users are less suspicious.
- Faster credential compromise: Credential theft from Microsoft 365 accounts is often the precursor to business email compromise (BEC) or ransomware. BEC claims alone cost insurers over $2.9 billion in 2024.
- Delayed detection: Because the attack uses legitimate infrastructure, security teams may not detect the breach until after lateral movement has occurred, increasing the severity of the incident.
Coverage gaps also emerge. Many cyber insurance policies have sub-limits for social engineering fraud or funds transfer fraud, but credential theft itself is often covered under first-party breach response costs. However, if the attacker uses the stolen credentials to access cloud services, the policy may need to address cloud-specific exclusions. For example, some policies exclude losses arising from the use of “authorized credentials” even if obtained fraudulently. This campaign highlights the need for clear language around credential theft and cloud account takeover.
Technical Mechanics for Business Audiences: How Power BI Becomes a Weapon
To understand the risk, it helps to know how Power BI works at a functional level. Power BI is a business analytics tool that allows users to create interactive dashboards and reports. These reports can include static data, dynamic visuals, and even embedded web content via the “Web Viewer” or “Power Apps” integration.
Attackers are exploiting a feature called “custom visuals” or “report-level security” to inject malicious code. Specifically:
- Embedded HTML/JavaScript: A Power BI report can contain a text box or a custom visual that renders HTML. An attacker can embed a fake login form or a redirect script that sends the user to an external phishing site.
- Shared links: Power BI reports can be shared via a link that does not require authentication. Attackers set the report to “Anyone with the link can view” and then distribute the link via email or social media.
- Redirect via SharePoint: SharePoint document libraries can include links to Power BI reports. The attacker uploads a document with an embedded link, or modifies a shared document to point to the malicious Power BI report.
The business impact is that this attack is extremely difficult to block with traditional security tools. URL filtering lists allow powerbi.com and sharepoint.com. Email security solutions that use machine learning to detect phishing may not flag an email containing a link to a legitimate domain. Multi-factor authentication (MFA) can mitigate credential theft, but many organizations still do not enforce MFA for all users, and attackers are increasingly using MFA fatigue attacks in combination with credential harvesting.
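The gap described above is a filter that judges only the first hop of a link. The following added example (not taken from the threat report) classifies a recorded redirect chain by where it starts and where it lands. It assumes the chain comes from a URL sandbox or proxy log, that `login.microsoftonline.com` is the only host that should ask for Microsoft credentials, and it uses constructed sample URLs.

```python
from urllib.parse import urlsplit

# Domains the page says URL filters typically allow.
TRUSTED_SUFFIXES = ("sharepoint.com", "powerbi.com")
# Assumption: the only host expected to present a Microsoft sign-in form.
LOGIN_HOSTS = {"login.microsoftonline.com"}

# Constructed sample chains; the first URL is the link in the email.
CHAIN_REDIRECT = ["https://tenant.sharepoint.com/constructed-doc",
                  "https://app.powerbi.com/constructed-report",
                  "https://signin.harvest.example/login"]
CHAIN_NORMAL = ["https://tenant.sharepoint.com/sites/finance",
                "https://login.microsoftonline.com/common/oauth2/authorize"]
CHAIN_LOOKALIKE = ["https://sharepoint.com.files.example/doc"]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").rstrip(".")


def in_suffix(host, suffixes):
    """Match on a label boundary only, so 'powerbi.com.evil.example' fails."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def assess_chain(chain):
    """Classify a redirect chain by its first and last hosts."""
    if not chain:
        return "no-data"
    first, last = host_of(chain[0]), host_of(chain[-1])
    if not in_suffix(first, TRUSTED_SUFFIXES):
        return "first-hop-untrusted"  # ordinary reputation filtering applies
    if in_suffix(last, TRUSTED_SUFFIXES) or last in LOGIN_HOSTS:
        # Not proof of safety: a report can render a fake prompt in place.
        return "stays-on-platform"
    return "trusted-start-external-landing"  # the redirect pattern on this page


if __name__ == "__main__":
    for c in (CHAIN_REDIRECT, CHAIN_NORMAL, CHAIN_LOOKALIKE):
        print(assess_chain(c), "<-", c[0])
```

A chain that starts on an allowed domain and lands elsewhere is the case a first-hop allowlist misses; the in-report fake prompt variant needs the content and audit-log controls listed under mitigation.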
Underwriting and Coverage Considerations
Underwriters must update their risk assessment models to account for the increased likelihood of credential theft via trusted platforms. Key underwriting signals to consider:
- MFA adoption: Organizations that enforce MFA for all external-facing applications, especially Microsoft 365, should receive more favorable terms. Those that rely solely on single-factor authentication face higher risk.
- Security awareness training: Traditional phishing training that focuses on suspicious domains and attachments is insufficient. Training must now include scenarios involving trusted platforms, such as “Is this SharePoint link expected?” and “Verify the Power BI report source.”
- Cloud security posture: Underwriters should evaluate the organization’s use of Microsoft 365 security features, including Conditional Access policies, session timeout settings, and app consent policies. The ability to restrict Power BI sharing to internal users only can reduce exposure. For a detailed cyber risk quantification framework, see our FAIR risk report tool.
- Incident response readiness: Policies should require that organizations have a plan for cloud account takeover, including the ability to revoke sessions, reset credentials, and audit logins quickly.
Coverage implications are equally important. Insurers may consider adding exclusions for losses caused by credential theft that bypasses MFA, or they may require specific controls as a condition of coverage. The use of trusted platforms as attack vectors could also trigger sub-limits for “social engineering” or “funds transfer fraud,” depending on policy language. Underwriters should review how their forms define “authorized user” and “credential theft” to avoid unintended coverage gaps.
Mitigation Strategies for Insureds
Organizations can reduce their exposure to this type of attack through several concrete measures:
- Enforce MFA with conditional access: Require MFA for all external access to Microsoft 365, and use Conditional Access policies to block sign-ins from untrusted locations or devices.
- Restrict Power BI sharing: Configure Power BI tenant settings to prevent sharing reports with “Anyone with the link.” Only allow sharing within the organization or with specific external users after approval.
- Monitor Power BI activity: Use Microsoft 365 audit logs to detect unusual Power BI report creation or sharing patterns. Set alerts for reports that contain embedded web content.
- Educate users on trusted-platform phishing: Include specific examples in security awareness training that show how attackers can use SharePoint and Power BI to harvest credentials.
- Implement session timeout and re-authentication: Force users to re-authenticate after a period of inactivity, especially for access to sensitive data.
These controls not only reduce the likelihood of a successful attack but also demonstrate a strong security posture to underwriters, potentially leading to better policy terms.
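As an added illustration of the "Monitor Power BI activity" control (not code from Microsoft or from the report), the sketch below triages exported audit records for report shares that use an anonymous link or reach external recipients, and marks those made shortly after the report was created. The field names, operation values, 30-minute window and sample records are assumptions made for this example; map them to the schema of your own audit export.

```python
import json
from datetime import datetime, timedelta

# Constructed records, one JSON object per line, in time order.
# Field names and values are an assumed, simplified schema.
SAMPLE_LOG = """\
{"Time": "2025-02-06T09:00:00", "Operation": "CreateReport", "UserId": "a.lee@corp.example", "ReportId": "r1"}
{"Time": "2025-02-06T09:04:00", "Operation": "ShareReport", "UserId": "a.lee@corp.example", "ReportId": "r1", "LinkScope": "Anyone", "Recipients": []}
{"Time": "2025-02-06T10:00:00", "Operation": "ShareReport", "UserId": "b.kim@corp.example", "ReportId": "r2", "LinkScope": "Organization", "Recipients": ["c.roy@corp.example"]}
{"Time": "2025-02-06T11:00:00", "Operation": "ShareReport", "UserId": "b.kim@corp.example", "ReportId": "r3", "LinkScope": "Specific", "Recipients": ["x@partner.example"]}
"""

FRESH = timedelta(minutes=30)  # assumed window for "shared right after creation"


def triage(log_text, org_domain):
    """Return (report_id, user, reasons) for share events worth reviewing."""
    created = {}   # report_id -> creation time seen earlier in the log
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["Time"])
        if rec["Operation"] == "CreateReport":
            created[rec["ReportId"]] = when
            continue
        if rec["Operation"] != "ShareReport":
            continue
        reasons = []
        if rec.get("LinkScope") == "Anyone":
            reasons.append("anonymous-link")
        outside = [r for r in rec.get("Recipients", [])
                   if not r.lower().endswith("@" + org_domain)]
        if outside:
            reasons.append("external-recipient")
        born = created.get(rec["ReportId"])
        # Escalate only shares that are already risky and also very fresh.
        if reasons and born is not None and when - born <= FRESH:
            reasons.append("shared-soon-after-creation")
        if reasons:
            findings.append((rec["ReportId"], rec["UserId"], reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "corp.example"):
        print(finding)
```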
Conclusion
The weaponization of Microsoft SharePoint and Power BI marks a new chapter in phishing attacks. By exploiting the trust users place in familiar platforms, attackers bypass traditional defenses and increase the probability of credential theft. For the cyber insurance industry, this campaign underscores the need to update underwriting models, clarify coverage language, and encourage insureds to adopt cloud-specific security controls. Organizations that fail to adapt will face higher claims frequency and severity, while those that proactively address these risks will strengthen their resilience against an evolving threat environment.