ENERGY sector targets have been identified in a multi-stage phishing and BEC campaign that abused SharePoint links to steal credentials, according to Microsoft. The campaign began with a compromised trusted sender and used SharePoint document-sharing subjects to appear legitimate, progressing through malicious link clicks to AiTM credential theft, and then inbox-rule creation to hide activity.
In Stage 5, attackers sent over 600 phishing emails to internal and external contacts, and Stage 6 saw BEC activity as attackers monitored replies and removed warning emails to sustain the deception. Microsoft Defender XDR detected the AiTM phishing by spotting suspicious sign-ins and malicious inbox rules on compromised mailboxes, and containment involved disrupting AiTM activity, auto-purging phishing emails, and helping affected identities recover.
The guidance emphasises that password resets are insufficient on their own; effective remediation requires revoking session cookies, undoing attacker-made MFA changes, and removing malicious inbox rules, with MFA still playing a crucial role.

January 26, 2026.
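As an added illustration of the inbox-rule detection mentioned above (not code from Microsoft or the original report), the following scores constructed audit records shaped like Exchange Online `New-InboxRule` events for the hiding behaviours a BEC actor relies on: deleting or burying mail, marking it read, and filtering on words like "phishing" or "hacked". The sample events, the threshold, and the word and folder lists are assumptions chosen for the example.

```python
# Constructed sample records shaped like Exchange Online "New-InboxRule"
# audit events (Operation, UserId, Parameters as Name/Value pairs). Not real data.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "phishing;hacked;suspicious;sharepoint"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Name", "Value": "Invoices"},
        {"Name": "FromAddressContainsWords", "Value": "billing@vendor.example"},
        {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com", "Parameters": []},
]

# Folders attackers commonly use to bury warning or reply mail (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive"}
# Filter terms that suggest a rule exists to suppress security warnings (assumed list).
SUSPICIOUS_WORDS = {"phish", "hack", "suspicious", "fraud", "security", "password", "mfa", "sharepoint"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

def params(event):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}

def score_rule(event):
    """Return the list of hiding indicators present in one inbox-rule event."""
    if event.get("Operation") not in RULE_OPS:
        return []
    p = params(event)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['MoveToFolder']!r}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    if p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo"):
        reasons.append("forwards mail")
    filters = " ".join(p.get(k, "") for k in
                       ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")).lower()
    hits = sorted(w for w in SUSPICIOUS_WORDS if w in filters)
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    if len(p.get("Name", "")) <= 2:
        reasons.append("near-empty rule name")
    return reasons

def find_suspicious_rules(events, min_reasons=2):
    """Flag rule events with at least min_reasons indicators as (user, reasons) pairs."""
    return [(e["UserId"], score_rule(e)) for e in events if len(score_rule(e)) >= min_reasons]
```

A hit on a mailbox that also shows an anomalous sign-in is the combination worth treating as AiTM follow-on activity rather than user housekeeping.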