Microsoft Flags Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms

Security Reporter

A sophisticated campaign exploiting SharePoint and inbox rules is compromising energy sector organizations through trusted services, with attackers pivoting to large-scale phishing using stolen identities.

Microsoft's security research team has uncovered a multi-stage attack campaign targeting energy sector organizations that combines adversary-in-the-middle (AitM) phishing with business email compromise (BEC) techniques. The attackers are abusing SharePoint file-sharing services to deliver phishing payloads and creating inbox rules to maintain persistence while evading user awareness.

The campaign represents a significant evolution in how attackers leverage trusted enterprise services to bypass traditional email security controls. By using compromised email addresses from trusted organizations, the threat actors send messages masquerading as legitimate SharePoint document-sharing workflows. This approach, often called "living-off-trusted-sites" (LOTS), weaponizes the familiarity and ubiquity of platforms like SharePoint and OneDrive to subvert email-centric detection mechanisms.

The attack begins with a phishing email sent from a previously compromised legitimate email address. The message appears to be a standard SharePoint document sharing notification, complete with corporate branding and familiar formatting. When recipients click the provided link—believing they're accessing a legitimate document—they're redirected to a fake credential prompt designed to harvest login information.

Once the attackers obtain credentials and session cookies, they immediately create inbox rules to delete all incoming emails and mark existing messages as read. This serves two purposes: it prevents the victim from seeing security alerts or suspicious activity, and it helps the attackers maintain access without raising alarms.

With this foundation established, the compromised account becomes a launchpad for further attacks. In one documented case, Microsoft observed the attacker sending over 600 phishing emails to the victim's contacts, both within and outside the organization. The attackers also took steps to delete undelivered emails and out-of-office replies, and they would respond to any concerns raised by recipients to assure them of the email's authenticity before deleting the correspondence from the mailbox.

Why Traditional Remediation Fails

Microsoft emphasized that this attack highlights the "operational complexity" of AitM threats. Simply resetting passwords doesn't solve the problem because the attackers maintain active session cookies. Organizations must take additional steps to:

  1. Revoke all active session cookies
  2. Remove attacker-created inbox rules
  3. Revert any MFA changes made by the attacker
  4. Scan for and delete suspicious rules across affected accounts

The company worked with affected customers to implement these remediation steps, but the process requires coordinated effort between security teams and identity providers.

Broader Context: The Rise of Trusted Service Abuse

This campaign fits into a larger trend of attackers abusing legitimate cloud services. Rather than building their own infrastructure—which would be more easily detected—threat actors are using:

  • Google Drive for hosting malicious files
  • AWS services for command and control
  • Atlassian's Confluence for staging attacks
  • SharePoint/OneDrive for phishing delivery

This approach makes malicious activity appear legitimate, as it originates from or redirects through trusted domains that security tools are less likely to flag.

Parallel Threats: Custom Phishing Kits and Visual Deception

The disclosure coincides with other sophisticated phishing techniques being observed in the wild. Okta recently detected custom phishing kits specifically designed for voice phishing (vishing) campaigns targeting Google, Microsoft, Okta, and cryptocurrency platforms.

These kits, sold as-a-service, include client-side scripts that allow attackers to control the authentication flow in real-time during a phone call. As Moussa Diallo, threat researcher at Okta Threat Intelligence, explains: "Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call."

This synchronization enables attackers to defeat any form of MFA that isn't phishing-resistant, including push notifications and one-time passwords.

Another technique abuses the userinfo portion of a URL (the Basic Authentication syntax in which credentials precede an @ sign) by placing a trusted domain name in the username field. A URL of the form https://<trusted domain>@<malicious domain> (placeholder; the article's own example was garbled in extraction) shows the trusted domain to the user first, while the browser actually connects to the host after the @ symbol.

Homoglyph attacks are also gaining traction, where attackers replace letters with visually similar characters. The letter "m" is commonly swapped with "rn" (as in rnicrosoft.com), making domains like rnastercard.de or rnarriotthotels.com appear legitimate at a glance. This technique is particularly effective when used in mid-word positions within common terms like "email," "message," or "confirmation."
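As an added illustration of the two URL tricks just described (and of the URL analysis listed later under email security enhancements), here is a small analyzer that is not part of the Microsoft or Okta research. It splits a URL with Python's standard library, flags any userinfo that looks like a domain name, and normalizes common look-alike sequences such as "rn" before comparing the second-level label against a list of protected brands. The brand list and the confusables table are constructed placeholders; a real deployment would use the organization's own protected domains and a full confusables list.

```python
"""URL checks for userinfo abuse and homoglyph domains (added example)."""
import re
from urllib.parse import urlsplit

# Constructed placeholder list; replace with your own protected domains.
PROTECTED_BRANDS = ["microsoft", "mastercard", "marriott", "sharepoint", "okta"]

# Visually confusable sequences normalized before comparison (constructed,
# not a complete confusables table).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# A userinfo value that itself looks like a hostname is the Basic
# Authentication trick: the real host is whatever follows the "@".
DOMAIN_LIKE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def normalize_confusables(label: str) -> str:
    """Map look-alike sequences to the letters they imitate."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def analyze_url(url: str) -> dict:
    """Return the host the browser would connect to plus a list of findings."""
    if "://" not in url:
        url = "https://" + url          # bare domains still get parsed
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    if parts.username is not None:
        findings.append(f"userinfo_present:{parts.username}")
        if DOMAIN_LIKE.fullmatch(parts.username.lower()):
            findings.append("userinfo_looks_like_domain")

    # Compare the second-level label (e.g. "rnicrosoft" in rnicrosoft.com)
    # against each brand after confusable normalization. A label that only
    # matches a brand after normalization is a homoglyph impersonation.
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host
    normalized = normalize_confusables(sld)
    for brand in PROTECTED_BRANDS:
        if brand in normalized and brand not in sld.lower():
            findings.append(f"homoglyph_of:{brand}")

    return {"host": host, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for sample in ["https://microsoft.com@evil.example/doc",
                   "https://rnicrosoft.com/login",
                   "rnastercard.de",
                   "https://contoso.sharepoint.com/:w:/s/x"]:
        print(sample, "->", analyze_url(sample))
```

The host returned by analyze_url is the one the browser will actually contact, which is the value worth showing users in a link-preview or mail-hygiene tool; the findings list is what a mail filter would score on.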

Practical Defense Recommendations

Microsoft and security researchers recommend several layered defenses:

1. Phishing-Resistant MFA

Implement FIDO2/WebAuthn-based authentication that can't be phished through man-in-the-middle attacks. Traditional push notifications and OTP codes are vulnerable to the techniques described.

2. Conditional Access Policies

Configure policies that evaluate risk signals like device compliance, location, and user behavior before granting access. For example, block access from unfamiliar locations or require additional verification for sensitive operations.

3. Continuous Access Evaluation

Enable real-time token revocation so that when suspicious activity is detected, active sessions can be terminated immediately rather than waiting for token expiration.

4. Email Security Enhancements

Deploy anti-phishing solutions that:

  • Scan incoming emails for suspicious patterns
  • Monitor visited websites for credential harvesting
  • Analyze URL structures for homoglyph attacks and Basic Authentication abuse
  • Flag emails from trusted domains that contain unusual formatting or requests

5. User Education with Specific Focus

Train users to:

  • Verify SharePoint links by checking the actual destination URL
  • Be skeptical of urgent document-sharing requests
  • Report any unexpected MFA prompts
  • Recognize that legitimate services won't ask for credentials via email links

6. Monitoring and Detection

Implement monitoring for:

  • Unusual inbox rule creation
  • Mass email sending from user accounts
  • Session cookie anomalies
  • Changes to MFA configurations
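The following is an added example, not code from Microsoft's writeup, showing detection logic for the first two items in the monitoring list and for the post-compromise behaviour described earlier (inbox rules that delete or mark mail as read, followed by hundreds of outbound phishing messages). The record shape (Operation, UserId, CreationTime, and Parameters as Name/Value pairs) is modelled on Exchange Online audit entries, but the sample events are constructed for this example and the send threshold and window are assumptions to tune per tenant.

```python
"""Detect mailbox-suppression rules and mass sending in audit records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that hide mail from the mailbox owner.
SUPPRESSION_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
# Parameters that are not message conditions (assumed set; extend as needed).
NON_CONDITION_PARAMS = SUPPRESSION_PARAMS | {
    "Name", "Identity", "Mailbox", "Force", "StopProcessingRules",
    "AlwaysDeleteOutlookRulesBlob",
}
MASS_SEND_THRESHOLD = 100            # assumption: sends per window worth alerting on
MASS_SEND_WINDOW = timedelta(hours=1)

# Constructed sample events: one attacker-style rule, one benign rule,
# 120 sends from the compromised account and 3 from a normal user.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-01T09:00:00", "Operation": "New-InboxRule",
     "UserId": "j.doe@energy.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-05-01T09:05:00", "Operation": "New-InboxRule",
     "UserId": "a.smith@energy.example",
     "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
] + [
    {"CreationTime": f"2024-05-01T09:{m:02d}:{s:02d}", "Operation": "Send",
     "UserId": "j.doe@energy.example", "Parameters": []}
    for m in range(60) for s in (0, 30)
] + [
    {"CreationTime": f"2024-05-01T1{h}:00:00", "Operation": "Send",
     "UserId": "a.smith@energy.example", "Parameters": []}
    for h in range(3)
]


def _params(event):
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def suspicious_rules(events):
    """Flag rules that delete mail or mark it read; unconditional ones rank highest."""
    hits = []
    for e in events:
        if e["Operation"] not in RULE_OPS:
            continue
        p = _params(e)
        hides_mail = p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True"
        if not hides_mail:
            continue                      # e.g. a normal move-to-folder rule
        conditions = [k for k in p if k not in NON_CONDITION_PARAMS]
        reason = "unconditional_suppression" if not conditions else "conditional_suppression"
        hits.append({"user": e["UserId"], "time": e["CreationTime"],
                     "rule": p.get("Name", ""), "reason": reason,
                     "conditions": conditions})
    return hits


def mass_senders(events, threshold=MASS_SEND_THRESHOLD, window=MASS_SEND_WINDOW):
    """Return {user: peak sends in any sliding window} for users above threshold."""
    sends = defaultdict(list)
    for e in events:
        if e["Operation"] == "Send":
            sends[e["UserId"]].append(datetime.fromisoformat(e["CreationTime"]))
    flagged = {}
    for user, times in sends.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_EVENTS):
        print("RULE", hit)
    print("MASS SEND", mass_senders(SAMPLE_EVENTS))
```

An alert from suspicious_rules on an account that also appears in mass_senders is the combination this campaign produces, and the response for such an account is the full remediation sequence given earlier (revoke sessions, remove the rule, check MFA settings), not a password reset alone.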

The Identity Security Imperative

This campaign underscores that identity has become the primary attack surface. Traditional perimeter defenses are insufficient when attackers can:

  1. Compromise trusted identities
  2. Use those identities to bypass email filters
  3. Maintain persistence through session cookies and inbox rules
  4. Scale attacks using the victim's own contacts and reputation

The energy sector is particularly attractive to attackers due to its critical infrastructure status and the potential for significant disruption. However, these techniques are applicable across all industries that rely on cloud productivity suites.

Looking Ahead

As attackers continue to refine their methods, organizations must adopt a defense-in-depth approach that assumes some level of compromise will occur. The key is detecting and responding quickly before attackers can establish persistence and scale their operations.

Microsoft's disclosure serves as a reminder that even the most trusted platforms can be weaponized when combined with sophisticated social engineering and technical evasion techniques. Security teams should review their SharePoint and OneDrive configurations, audit inbox rules regularly, and ensure that identity protection measures are comprehensive and up-to-date.

For organizations seeking to strengthen their defenses, Microsoft's Defender for Office 365 provides advanced threat protection capabilities, while their Identity Protection service offers risk-based conditional access and automated response to suspicious identity activities.

The battle against these evolving threats requires continuous vigilance, layered security controls, and a fundamental shift from perimeter-based thinking to identity-centric security models.
