Researchers Uncover Multi-Stage AiTM Attack Using SharePoint to Bypass Security Controls

Microsoft Defender researchers have exposed a sophisticated adversary-in-the-middle (AiTM) phishing campaign targeting energy sector organizations, leveraging SharePoint file-sharing services to bypass traditional email security controls and compromise multiple user accounts.

SharePoint Abuse for Initial Access

The attack began with a phishing email sent from a compromised trusted vendor’s email address, embedding SharePoint URLs that mimicked legitimate document-sharing workflows.

Attackers exploited SharePoint’s enterprise credibility to deliver malicious payloads that evaded standard email detection mechanisms.

AiTM phishing attack (source: Microsoft)

Once victims authenticated to SharePoint and opened the shared link, they were redirected to a credential-harvesting page built to capture both login credentials and session cookies.

Following successful credential theft, attackers signed in from different IP addresses and immediately created malicious inbox rules configured to delete and mark all incoming emails as read.

This tactic kept victims unaware of the ongoing compromise while the attackers launched a large-scale phishing campaign, sending over 600 malicious emails to the victim’s internal and external contacts identified from recent email threads.

The campaign evolved into business email compromise (BEC) operations as attackers monitored victims’ mailboxes, deleting undelivered messages and out-of-office replies from the Archive folder.

When recipients questioned the authenticity of phishing emails, attackers responded directly from compromised accounts to falsely legitimize the messages before deleting all evidence.

Recipients who clicked on the phishing URLs within the organization became targets of secondary AiTM attacks.

AiTM attack (source: Microsoft)

Microsoft Defender Experts identified all compromised users by analyzing landing page IP addresses and sign-in patterns, uncovering the attack’s full scope across multiple organizations.

Microsoft emphasizes that password resets alone cannot remediate AiTM attacks. Organizations must revoke active session cookies, delete attacker-created inbox rules, and reverse any MFA setting changes made by threat actors.

Attackers often establish persistence by registering additional MFA methods, allowing continued access even after password changes.

Indicators of Compromise:

Attacker infrastructure IPs: 178.130.46.8, 193.36.221.10

Energy sector organizations should immediately audit inbox rules, review recent sign-in activity for anomalous IP addresses, and ensure MFA is complemented with risk-based conditional access policies to defend against session hijacking attacks.
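The audit steps above (review inbox rules, review sign-ins for anomalous IPs) can be scripted against exported tenant data. The following is an added triage example, not Microsoft's tooling or code from the campaign write-up. It runs on two constructed data sets whose field names are hypothetical but modelled on what Get-InboxRule and an Entra ID sign-in export provide; the only real values in it are the two IoC addresses listed above. It flags rules that silently discard all incoming mail, flags sign-ins from IoC or previously unseen IPs, and correlates the two so that a suspicious rule created shortly after an anomalous sign-in by the same user is surfaced as a likely compromise.

```python
"""Post-compromise triage for the AiTM -> inbox-rule -> BEC pattern.

Added example, not Microsoft's tooling. Field names below are hypothetical,
chosen to resemble Microsoft 365 exports (inbox rules and sign-in logs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# IP addresses from the article's Indicators of Compromise section
IOC_IPS = {"178.130.46.8", "193.36.221.10"}

# Constructed sample inbox rules. An empty "conditions" list means the rule
# applies to every incoming message.
INBOX_RULES = [
    {"user": "alice@example.com", "name": "Inbox cleanup", "conditions": [],
     "actions": {"delete": True, "mark_read": True},
     "created": "2025-03-01T09:12:00"},
    {"user": "bob@example.com", "name": "Newsletters",
     "conditions": ["from:news@vendor.example"],
     "actions": {"delete": False, "mark_read": True, "move_to": "Newsletters"},
     "created": "2024-11-20T10:00:00"},
    {"user": "carol@example.com", "name": ".", "conditions": [],
     "actions": {"delete": True, "mark_read": False},
     "created": "2025-03-01T11:40:00"},
]

# Constructed sample sign-in events (successful interactive sign-ins only).
SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.5",   "time": "2025-02-10T08:00:00"},
    {"user": "alice@example.com", "ip": "203.0.113.5",   "time": "2025-02-28T08:05:00"},
    {"user": "alice@example.com", "ip": "178.130.46.8",  "time": "2025-03-01T09:05:00"},
    {"user": "bob@example.com",   "ip": "203.0.113.9",   "time": "2025-03-01T08:30:00"},
    {"user": "carol@example.com", "ip": "203.0.113.12",  "time": "2025-02-20T09:00:00"},
    {"user": "carol@example.com", "ip": "198.51.100.77", "time": "2025-03-01T11:30:00"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def suspicious_inbox_rules(rules):
    """Return rules that silently discard incoming mail.

    A rule that deletes messages and either applies to all mail (no
    conditions) or also marks them read matches the attacker behaviour
    described in the article. Mark-as-read plus a move to a folder is
    ordinary mailbox hygiene and is not flagged.
    """
    flagged = []
    for rule in rules:
        acts = rule["actions"]
        applies_to_all = not rule["conditions"]
        if acts.get("delete") and (applies_to_all or acts.get("mark_read")):
            flagged.append(rule)
    return flagged


def anomalous_signins(events, baseline_days=30):
    """Return sign-ins from IoC IPs, or from an IP the user had not used
    within the preceding baseline window (the 'different IP addresses' in
    the article). A user's very first recorded sign-in is not flagged."""
    events = sorted(events, key=lambda e: e["time"])
    history = defaultdict(list)  # user -> [(datetime, ip), ...] in time order
    flagged = []
    for ev in events:
        t = _ts(ev["time"])
        seen = {ip for (when, ip) in history[ev["user"]]
                if t - when <= timedelta(days=baseline_days)}
        reasons = []
        if ev["ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if seen and ev["ip"] not in seen:
            reasons.append("new_ip")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
        history[ev["user"]].append((t, ev["ip"]))
    return flagged


def likely_compromised(rules, events, window_hours=24):
    """Correlate the two signals: a suspicious rule created within
    window_hours after an anomalous sign-in by the same user."""
    bad_signins = anomalous_signins(events)
    result = {}
    for rule in suspicious_inbox_rules(rules):
        created = _ts(rule["created"])
        for ev in bad_signins:
            if ev["user"] != rule["user"]:
                continue
            delta = created - _ts(ev["time"])
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                result.setdefault(rule["user"], []).append(
                    {"rule": rule["name"], "ip": ev["ip"], "reasons": ev["reasons"]})
    return result


if __name__ == "__main__":
    for user, hits in likely_compromised(INBOX_RULES, SIGNINS).items():
        print(user, hits)
```

Users returned by `likely_compromised` are the ones for which the article's full remediation applies (revoke sessions, delete the rule, review registered MFA methods), not just a password reset. The new-IP heuristic is deliberately loose; in a real tenant you would pair it with the sign-in log's risk fields and your own allow-list of corporate egress addresses.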
