Microsoft Reports Multi-Stage AiTM Phishing Campaign Targeting the Energy Sector


🎯 Introduction: A Sophisticated Phishing Operation Hitting Critical Infrastructure

Microsoft has disclosed details of a highly coordinated and multi-stage phishing campaign actively targeting organizations in the global energy sector. This operation is not a simple credential-harvesting scheme. Instead, it combines adversary-in-the-middle tactics, trusted cloud services, and post-compromise persistence techniques to quietly take control of business email accounts. By abusing legitimate platforms like SharePoint and manipulating inbox rules, attackers were able to remain hidden while expanding laterally inside and outside victim organizations. The campaign underscores how modern phishing has evolved into a complex identity-driven threat where password resets alone are no longer an effective defense.

🧩 Campaign Overview and Key Findings

Microsoft identified an active adversary-in-the-middle (AiTM) phishing campaign aimed primarily at energy sector organizations, using a layered approach designed to bypass traditional security controls. The attackers initially delivered phishing emails containing malicious URLs hosted through SharePoint file-sharing, a trusted Microsoft service that helped the links evade suspicion. Once a victim interacted with the link, attackers intercepted authentication sessions rather than just stealing passwords.

After gaining access, the threat actors created malicious inbox rules to automatically hide security alerts, phishing replies, and evidence of compromise. This allowed them to maintain persistence without triggering immediate detection. The campaign escalated further when attackers reused compromised accounts to launch additional AiTM phishing attempts, both internally within the same organization and externally to partner entities.

Microsoft observed that users who clicked on the initial phishing links were frequently targeted again in follow-up AiTM attacks. Defender Experts correlated compromised accounts by analyzing landing IP addresses and sign-in behavior patterns, revealing coordinated session hijacking across multiple identities. The activity ultimately resulted in widespread business email compromise, demonstrating how quickly trust can be weaponized once internal accounts are abused.

🔗 Observed Attack Chain in the AiTM Campaign

The attack chain began with phishing emails sent to energy sector employees, containing SharePoint-hosted links leading to attacker-controlled AiTM pages. When users authenticated, the attackers captured active session tokens, allowing them to bypass MFA protections. With valid sessions in hand, they accessed mailboxes, modified inbox rules, and sometimes altered MFA settings to further entrench themselves.

Subsequently, compromised accounts were leveraged to send additional phishing messages, increasing credibility and expanding the attack surface. This internal propagation made the campaign especially dangerous, as recipients were more likely to trust emails originating from known colleagues or partners.

🛡️ Detection and Response by Microsoft Defender XDR

Microsoft Defender XDR detected the campaign by identifying anomalous sign-in patterns across multiple user accounts and the presence of suspicious inbox rules. Defender Experts responded by disrupting active AiTM activity, automatically purging phishing emails, and assisting organizations in recovering compromised identities.
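The correlation the article describes, compromised identities grouped by the IP address their hijacked sessions land from, can be approximated with a simple heuristic over sign-in telemetry. The following is an added example written for this page; it is not Microsoft's or Defender XDR's detection logic. The sign-in records, user names and IP addresses are constructed, and the field names are an assumed minimal subset of what an identity provider's sign-in log exposes. The idea: a single source IP that completes successful sign-ins for several distinct users within a short window, where that IP was never seen for any of those users before the analysis period, is treated as one cluster of identities to respond to together.

```python
"""Cluster successful sign-ins by source IP to surface a shared AiTM relay.

Added example (not Microsoft's detection logic). Records, names and
addresses below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: user, source IP, ISO timestamp, outcome.
SIGNINS = [
    # Normal daily traffic through the corporate egress address (baseline).
    {"user": "alice@example.test", "ip": "203.0.113.10", "ts": "2024-05-01T08:02:00", "success": True},
    {"user": "bob@example.test",   "ip": "203.0.113.10", "ts": "2024-05-01T08:10:00", "success": True},
    {"user": "carol@example.test", "ip": "203.0.113.10", "ts": "2024-05-01T08:15:00", "success": True},
    {"user": "dave@example.test",  "ip": "203.0.113.10", "ts": "2024-05-02T08:05:00", "success": True},
    {"user": "alice@example.test", "ip": "203.0.113.10", "ts": "2024-05-02T08:09:00", "success": True},
    {"user": "bob@example.test",   "ip": "203.0.113.10", "ts": "2024-05-02T08:11:00", "success": True},
    {"user": "carol@example.test", "ip": "203.0.113.10", "ts": "2024-05-02T08:20:00", "success": True},
    # One user working from home: a new IP, but only one identity behind it.
    {"user": "dave@example.test",  "ip": "192.0.2.5",    "ts": "2024-05-03T09:00:00", "success": True},
    # Three distinct identities complete sign-ins from one previously unseen
    # address within 40 minutes: the shape of a relay replaying captured sessions.
    {"user": "alice@example.test", "ip": "198.51.100.77", "ts": "2024-05-03T10:04:00", "success": True},
    {"user": "bob@example.test",   "ip": "198.51.100.77", "ts": "2024-05-03T10:21:00", "success": True},
    {"user": "erin@example.test",  "ip": "198.51.100.77", "ts": "2024-05-03T10:30:00", "success": False},
    {"user": "carol@example.test", "ip": "198.51.100.77", "ts": "2024-05-03T10:44:00", "success": True},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_shared_new_ips(signins, analysis_start, window=timedelta(hours=2), min_users=3):
    """Return one cluster per source IP that completes successful sign-ins for
    at least `min_users` distinct users inside one `window`, counting only
    users for whom that IP was never seen before `analysis_start`.

    Events before `analysis_start` form the baseline of known (user, ip)
    pairs; events at or after it are the candidates being examined.
    """
    cutoff = _parse(analysis_start)
    known = set()                # (user, ip) pairs established before the period
    by_ip = defaultdict(list)    # ip -> [(timestamp, user), ...] within the period
    for rec in signins:
        if not rec["success"]:
            continue             # a failed attempt never yields a usable session
        ts = _parse(rec["ts"])
        if ts < cutoff:
            known.add((rec["user"], rec["ip"]))
        else:
            by_ip[rec["ip"]].append((ts, rec["user"]))

    clusters = []
    for ip, events in sorted(by_ip.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            users, end = set(), start
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                if (user, ip) not in known:
                    users.add(user)
                    end = ts
            if len(users) >= min_users:
                clusters.append({"ip": ip, "users": sorted(users),
                                 "start": start.isoformat(), "end": end.isoformat()})
                break            # one cluster per IP is enough to raise the alert
    return clusters


def impacted_identities(clusters):
    """Flatten clusters into the sorted list of accounts whose sessions should be
    revoked together, not just password-reset."""
    return sorted({user for c in clusters for user in c["users"]})


if __name__ == "__main__":
    found = find_shared_new_ips(SIGNINS, "2024-05-03T00:00:00")
    for c in found:
        print(f"{c['ip']}: {len(c['users'])} new identities between {c['start']} and {c['end']}")
    print("revoke sessions for:", ", ".join(impacted_identities(found)))
```

The baseline matters: run against a period with no history (analysis_start on the first day of data) the corporate egress address is flagged too, because every (user, ip) pair looks new. In practice the baseline should cover weeks of sign-ins, and the output feeds the remediation the article describes (session revocation, MFA review and inbox-rule cleanup for every account in the cluster), not just a password reset for the first user who reported a phish.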

Crucially, Microsoft emphasized that effective remediation required more than resetting passwords. Because AiTM attacks steal active authentication sessions, defenders had to revoke session cookies, undo unauthorized MFA changes, and remove malicious inbox rules. Without these steps, attackers could retain access even after credentials were changed.

🧠 What Undercode Says:

Identity Is Now the Primary Attack Surface

This campaign reinforces a critical shift in modern cybercrime. Attackers are no longer focused solely on stealing passwords. They are targeting identity sessions themselves, exploiting the gap between authentication and continuous access validation. AiTM attacks thrive in environments where session lifetimes are long and monitoring is limited.

Trusted Platforms Are Being Turned into Delivery Weapons

The abuse of SharePoint highlights a growing trend where attackers hide behind legitimate cloud services. Security teams often hesitate to block or heavily scrutinize traffic from trusted platforms, creating an ideal blind spot. This tactic blurs the line between benign collaboration tools and active threat infrastructure.

Inbox Rules as a Persistence Mechanism

Malicious inbox rules remain one of the most underrated persistence techniques in business email compromise. By silently filtering alerts and replies, attackers can operate for extended periods without detection. Many organizations still fail to routinely audit mailbox rules, leaving a critical visibility gap.
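A routine audit of mailbox rules does not need a product; the traits of the rules this campaign relied on (matching on security-alert or reply wording, moving or deleting matches so the owner never sees them, marking them read, carrying a throwaway name) can be scored. The following is an added example for this page, not a Microsoft or Exchange tool: the rule records are constructed, and their field names are assumed to stand in for whatever an inbox-rule export from the mail platform provides.

```python
"""Score inbox rules for persistence traits seen in business email compromise.

Added example (not a Microsoft or Exchange tool). Rule records are
constructed sample data with assumed field names.
"""
import re

# Wording that hides evidence of compromise: alerts about the account itself...
ALERT_PATTERNS = (r"password", r"security alert", r"sign[- ]?in", r"suspicious",
                  r"unusual", r"\bmfa\b", r"authenticat", r"verif")
# ...and replies from recipients questioning a phishing message.
REPLY_PATTERNS = (r"\bre:", r"phish", r"hacked", r"compromised", r"did you send",
                  r"fraud", r"scam")
# Folders a mailbox owner rarely opens, so moved mail is effectively hidden.
HIDING_FOLDERS = {"deleted items", "rss subscriptions", "rss feeds", "junk email",
                  "conversation history", "archive"}

# Constructed rule records: owner, name, match conditions, and actions.
RULES = [
    {"mailbox": "alice@example.test", "name": "Vendor invoices",
     "subject_contains": ["invoice"], "from_contains": [], "body_contains": [],
     "move_to": "Invoices", "delete": False, "mark_read": False},
    {"mailbox": "bob@example.test", "name": ".",
     "subject_contains": ["password", "security alert", "suspicious sign-in"],
     "from_contains": [], "body_contains": [],
     "move_to": "RSS Subscriptions", "delete": False, "mark_read": True},
    {"mailbox": "carol@example.test", "name": "a",
     "subject_contains": ["RE:", "phish"], "from_contains": [], "body_contains": [],
     "move_to": "Deleted Items", "delete": True, "mark_read": True},
    {"mailbox": "dave@example.test", "name": "Team digest",
     "subject_contains": ["[weekly digest]"], "from_contains": [], "body_contains": [],
     "move_to": "Newsletters", "delete": False, "mark_read": False},
    {"mailbox": "erin@example.test", "name": "Tidy up",
     "subject_contains": ["newsletter"], "from_contains": [], "body_contains": [],
     "move_to": "Deleted Items", "delete": False, "mark_read": True},
]


def score_rule(rule):
    """Return (score, reasons) for one rule; higher means more like a persistence rule."""
    score, reasons = 0, []
    terms = [t.lower() for key in ("subject_contains", "from_contains", "body_contains")
             for t in rule.get(key, [])]
    if any(re.search(p, t) for t in terms for p in ALERT_PATTERNS):
        score += 3
        reasons.append("matches security-alert wording")
    if any(re.search(p, t) for t in terms for p in REPLY_PATTERNS):
        score += 3
        reasons.append("matches reply or phishing wording")
    move_to = (rule.get("move_to") or "").lower()
    if rule.get("delete") or move_to in HIDING_FOLDERS:
        score += 3
        reasons.append("hides matching mail (deleted or moved to a rarely viewed folder)")
    if rule.get("mark_read"):
        score += 1
        reasons.append("marks matches as read")
    name = rule.get("name", "").strip()
    if len(name) <= 2 or not re.search(r"[A-Za-z0-9]", name):
        score += 2
        reasons.append("terse or non-descriptive rule name")
    return score, reasons


def audit_rules(rules, threshold=5):
    """Return the rules at or above `threshold`, highest score first, with reasons."""
    flagged = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            flagged.append({"mailbox": rule["mailbox"], "name": rule["name"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: (-f["score"], f["mailbox"]))


if __name__ == "__main__":
    for f in audit_rules(RULES):
        print(f"{f['mailbox']} rule {f['name']!r} score={f['score']}: {'; '.join(f['reasons'])}")
```

The threshold keeps ordinary housekeeping rules out of the queue: a rule that deletes newsletters and marks them read scores 4 and is not reported, while the two rules that suppress alerts and replies score 9 each. Scores are a triage order, not a verdict; the reviewer still confirms when each flagged rule was created and from which session.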

MFA Alone Is No Longer a Silver Bullet

While Microsoft correctly stresses the importance of MFA, this incident shows that MFA without conditional access, continuous evaluation, and session revocation is incomplete. AiTM attacks exploit the moment after successful authentication. Defense strategies must assume credentials and sessions will be exposed at some point.

The Energy Sector Faces Elevated Risk

Energy organizations are attractive targets due to their strategic importance, complex supply chains, and reliance on email-based coordination. A single compromised mailbox can ripple across partners and contractors, amplifying the impact far beyond one organization.

🔍 Fact Checker Results

✅ Microsoft confirmed active exploitation of AiTM phishing techniques targeting the energy sector.
✅ Defender XDR successfully identified malicious inbox rules and anomalous sign-in behavior.
❌ Password resets alone were proven insufficient to remediate session-based compromise.

📊 Prediction

⚡ AiTM phishing will increasingly replace traditional credential theft in high-value sectors.
⚡ Cloud collaboration platforms will remain prime abuse vectors for trusted phishing delivery.
⚡ Organizations that fail to implement continuous access evaluation will see longer breach dwell times.


References:

Reported By: securityaffairs.com
