Microsoft has issued a warning regarding a sophisticated adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign that is affecting organizations within the energy industry. The Microsoft Defender Security Research Team reported that this campaign abuses SharePoint file-sharing services to deliver phishing payloads and uses inbox rule creation to maintain persistence and evade detection by the mailbox owner.
Details of the Attack
The attack begins with a phishing email likely sent from a compromised mailbox belonging to a trusted organization. By leveraging this legitimate channel, attackers send messages that mimic SharePoint document-sharing notifications, which can easily deceive recipients into clicking the phishing link. This method, known as living-off-trusted-sites (LOTS), takes advantage of the familiarity of platforms like SharePoint and OneDrive and of their good sender reputation, making it difficult for email detection systems to identify the threat.
Post-Exploitation Tactics
Once the attackers gain access to a victim's account, they sign in with the stolen credentials and session cookie (an AitM phishing page proxies the real login and captures both, which is why MFA alone does not stop the sign-in) and create inbox rules that delete incoming emails or mark them as read. The rules hide replies, bounces and security notifications from the mailbox owner, so the attacker can use the account to send further phishing messages whose links lead to AitM pages that harvest more credentials. In one instance, Microsoft reported that over 600 such phishing emails were dispatched to the compromised user's internal and external contacts.
Mitigation and Response
Microsoft emphasized that the operational complexity of AitM attacks means that a simple password reset is insufficient for remediation: the stolen session cookie remains valid until it is explicitly revoked. Organizations must revoke active sessions and remove any inbox rules created by the attackers. Microsoft has collaborated with affected customers to revoke multi-factor authentication (MFA) changes made by the attackers and to delete the suspicious inbox rules.
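The following PowerShell is an added example, not code from Microsoft or from the article, that covers the two steps above: hunting for the deleting, mark-as-read and forwarding inbox rules described in the post-exploitation section across an Exchange Online tenant, and containing one confirmed-compromised account by revoking its sessions, disabling the attacker's rules and listing its MFA methods for review. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds Exchange administrator rights and the Graph scopes named in the script, and that $CompromisedUpn and the suspicious-folder pattern are placeholders you will replace.

```powershell
# Added example (not the article's or Microsoft's code).
# Assumes: ExchangeOnlineManagement and Microsoft.Graph modules, Exchange admin rights,
# Graph scopes User.RevokeSessions.All and UserAuthenticationMethod.Read.All.
param(
    [string]$CompromisedUpn = 'user@example.com',   # placeholder, replace with the real UPN
    [switch]$Remediate                              # without this switch the script only reports
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Hunt: inbox rules that silently delete, mark-as-read, hide or leak mail.
#    The folder pattern is an assumption about where attackers commonly stash mail.
$hideFolders = 'RSS|Archive|Deleted|Junk|Conversation History'
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $leaks = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $suspicious = $rule.DeleteMessage -or $rule.MarkAsRead -or
                      ($leaks.Count -gt 0) -or ($rule.MoveToFolder -match $hideFolders)
        if ($suspicious) {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                Rule      = $rule.Name
                Enabled   = $rule.Enabled
                Deletes   = [bool]$rule.DeleteMessage
                MarksRead = [bool]$rule.MarkAsRead
                MoveTo    = $rule.MoveToFolder
                Forwards  = ($leaks -join ';')
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# 2. Attribution: who created or changed rules in the last 7 days, and from which IP.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
              -Operations New-InboxRule,Set-InboxRule -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When   = $d.CreationTime
        User   = $d.UserId
        FromIP = $d.ClientIP
        Op     = $d.Operation
        Params = (($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ')
    }
} | Format-Table -AutoSize

# 3. Contain one confirmed-compromised account (only with -Remediate).
if ($Remediate) {
    # A password reset alone leaves the stolen session cookie valid; revoke sessions first.
    Connect-MgGraph -Scopes 'User.RevokeSessions.All','UserAuthenticationMethod.Read.All' -NoWelcome
    Revoke-MgUserSignInSession -UserId $CompromisedUpn | Out-Null

    # Disable rather than delete the attacker's rules so the evidence survives for forensics.
    Get-InboxRule -Mailbox $CompromisedUpn -IncludeHidden |
        Where-Object { $_.DeleteMessage -or $_.MarkAsRead -or $_.ForwardTo -or
                       $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { Disable-InboxRule -Mailbox $CompromisedUpn -Identity $_.Identity -Confirm:$false }

    # List registered authentication methods so any attacker-added MFA method can be reviewed and removed.
    Get-MgUserAuthenticationMethod -UserId $CompromisedUpn |
        Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
        Format-Table -AutoSize
}
```

Run it once without -Remediate to review the findings and the audit-log attribution, then again with -Remediate for each account you have confirmed as compromised. Reset the password after the session revocation, not instead of it, and remove any MFA method the user does not recognize before re-enabling the account.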
Ongoing Threat Landscape
While the exact number of compromised organizations remains unclear, the incident underscores a broader trend in which threat actors abuse trusted services to redirect users to credential-harvesting sites. Hosting the lure on a legitimate platform removes the need for attackers to stand up their own infrastructure and lets the traffic blend in with normal business activity. Microsoft also noted that similar phishing techniques are being employed across other platforms, including Google Drive and AWS.
Organizations are encouraged to work with their identity providers to implement security controls such as phishing-resistant MFA, conditional access policies, and continuous access evaluation to enhance their defenses against such sophisticated attacks.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.