PROBABLYPWNED
Data Breaches · January 24, 2026 · 4 min read

AitM Phishing Campaign Hits Energy Sector via SharePoint

Microsoft disrupts multi-stage attack combining adversary-in-the-middle phishing with BEC. Attackers abused SharePoint and inbox rules for persistence.

Sarah Mitchell

Microsoft Defender researchers disrupted a multi-stage attack campaign targeting energy sector organizations this week. The operation combined adversary-in-the-middle (AitM) phishing with business email compromise tactics, using SharePoint's file-sharing features to distribute malicious payloads and inbox rules to maintain persistence.

The campaign began January 19 and was "quickly disrupted," according to Microsoft's analysis published January 21. But the attack chain demonstrates how financially motivated actors continue refining techniques to bypass multi-factor authentication and leverage trusted internal identities.

The Attack Flow

Stage 1: Initial Compromise

The attack started with phishing emails carrying the subject line "NEW PROPOSAL – NDA." The emails originated from a compromised account at a trusted organization—not a spoofed address, but an actual compromised internal identity.

Each email contained a SharePoint link. Because the link pointed to legitimate Microsoft infrastructure and came from a trusted sender, it bypassed traditional email security controls and appeared legitimate to recipients.

Stage 2: Credential Theft

Users who clicked the SharePoint link landed on a fake login page. The page captured credentials and forwarded them to the legitimate Microsoft login, simultaneously intercepting the authenticated session cookie.

This AitM technique defeats MFA. The user authenticates normally, but the attacker captures the session token and uses it to sign in from a different IP address. Password resets won't help—the attacker already has an authenticated session.

Stage 3: Persistence via Inbox Rules

With access established, attackers created inbox rules to delete incoming emails and mark everything as read. This serves two purposes: it prevents the victim from noticing suspicious activity, and it hides any warning emails from Microsoft or security teams.

The attackers also responded to recipients who questioned whether the phishing emails were legitimate, actively working to convince skeptical targets that the messages were genuine.

Stage 4: Lateral Movement

From compromised accounts, attackers sent hundreds of additional phishing emails to the victims' contacts. This expanded the campaign's reach within and across organizations, leveraging the trust associated with internal email addresses.

Why the Energy Sector?

The targeting of energy organizations fits a pattern. Energy companies manage critical infrastructure, handle sensitive operational data, and often maintain relationships with government entities—making them attractive targets for both espionage and financial crime.

This campaign appears financially motivated rather than state-sponsored, based on the BEC component. But the techniques would work equally well for nation-state actors seeking initial access to critical infrastructure networks. We've covered multiple threat intelligence stories about APT groups targeting energy infrastructure for espionage purposes.

Mitigations That Actually Work

Microsoft's guidance emphasizes that standard MFA doesn't stop AitM attacks. The attackers aren't defeating MFA—they're stealing the authenticated session after MFA succeeds.

Revoke active sessions. Password resets alone are insufficient. After any suspected compromise, revoke all active session cookies and force reauthentication.

Remove attacker-created inbox rules. Check compromised mailboxes for rules that delete or redirect mail. Attackers use these for persistence and detection evasion.

Implement conditional access policies. Sign-in requests can be evaluated using additional signals: device compliance, IP location, user risk score. These add friction that session theft can't bypass.

Enable token protection. Microsoft offers features to bind tokens to specific devices, making stolen session cookies useless on attacker infrastructure.

Monitor for SharePoint-based phishing. Legitimate file-sharing links are hard to distinguish from malicious ones. User education about unexpected NDA or proposal requests can help.

The campaign mirrors tactics we've seen in other phishing attacks abusing cloud infrastructure. Attackers increasingly leverage trusted platforms to bypass security controls that would catch obviously malicious domains.

The Inbox Rule Problem

Inbox rules represent an underappreciated persistence mechanism. Once an attacker has mailbox access, they can create rules that automatically delete security alerts, forward sensitive emails to external addresses, or hide evidence of ongoing compromise.

Security teams should audit mailbox rules periodically, especially for accounts with elevated privileges. Look for rules that delete mail based on sender or subject, redirect mail to external addresses, or mark mail as read automatically.

Microsoft provides PowerShell commands to list inbox rules across an organization. Given the prevalence of BEC attacks, regular inbox rule audits should be standard practice for security operations.
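As an added example (not code from the article or from Microsoft), the following Exchange Online script audits every user mailbox for the three rule patterns described above: rules that delete mail, mark it as read, or forward/redirect it outside the organization. It assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline with a role that can read inbox rules; the regular expression used to pull addresses out of forward targets assumes the usual `"Name" [SMTP:user@domain]` rendering.

```powershell
# Added audit example; assumes Connect-ExchangeOnline has already been run.
# Domains the tenant owns; any forward/redirect target elsewhere is treated as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Get-ExternalTargets {
    param([object[]]$Recipients)
    # Forward/redirect targets render as '"Name" [SMTP:user@domain]' (assumed format);
    # extract the SMTP address and keep only those outside the tenant's domains.
    foreach ($r in $Recipients) {
        if ("$r" -match 'SMTP:([^\]\s]+)') {
            $addr   = $Matches[1].ToLower()
            $domain = $addr.Split('@')[-1]
            if ($internalDomains -notcontains $domain) { $addr }
        }
    }
}

function Test-SuspiciousRule {
    param($Rule)
    $reasons = @()
    if ($Rule.DeleteMessage) { $reasons += 'deletes mail' }
    if ($Rule.MarkAsRead)    { $reasons += 'marks mail as read' }
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    $ext = Get-ExternalTargets $targets
    if ($ext) { $reasons += "forwards/redirects externally to $($ext -join ', ')" }
    # A rule with actions but no narrowing condition fires on every incoming message,
    # which is exactly the "delete everything and mark it read" pattern from the campaign.
    $hasCondition = $Rule.From -or $Rule.FromAddressContainsWords -or
                    $Rule.SubjectContainsWords -or $Rule.SubjectOrBodyContainsWords
    if ($reasons -and -not $hasCondition) { $reasons += 'no condition (matches all mail)' }
    return $reasons
}

# Walk every user mailbox and emit one finding per suspicious rule.
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $why = Test-SuspiciousRule $rule
        if ($why) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $why -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Review each finding against the mailbox owner before acting; confirmed attacker rules can be neutralized with Disable-InboxRule and then Remove-InboxRule, which should be paired with the session revocation described in the mitigations above.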

For organizations looking to understand phishing tactics better, our phishing email examples guide covers the social engineering techniques attackers use to make malicious messages convincing.
