MICROSOFT has warned of a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise campaign targeting organisations in the energy sector. According to the Microsoft Defender Security Research Team, the operation abused SharePoint file-sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness, before transitioning into a series of AitM attacks and follow-on BEC activity spanning multiple organisations.
The attackers are said to leverage trusted internal identities post-compromise to conduct large-scale intra-organisational and external phishing, using a compromised email address and masquerading as SharePoint document-sharing workflows to appear credible.
In one case cited by Microsoft, the attacker initiated a large-scale phishing campaign involving more than 600 emails sent to the compromised user’s contacts both inside and outside the organisation, with steps taken to delete undelivered messages and forged replies. The report emphasises that password resets alone cannot remediate the threat and calls for revocation of active session cookies and removal of attacker-created inbox rules.
It also urges organisations to deploy phishing-resistant MFA, conditional access policies, and continuous access evaluation to mitigate such living-off-trusted-sites style attacks.
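One part of the remediation the report calls for is finding and removing attacker-created inbox rules, which in this campaign were used to hide bounces and replies from the compromised user. The following is an added triage script, not code from Microsoft or the report: it runs over constructed sample rules whose field names loosely follow Microsoft Graph `messageRule` objects, and the suspicious-subject keyword list and the internal domain are assumptions.

```python
"""Triage inbox rules for the persistence pattern described above.
Added example, not the report's code. Sample rules are constructed; field names
loosely follow Microsoft Graph `messageRule` (displayName, isEnabled,
conditions.subjectContains, actions.delete/moveToFolder/markAsRead/forwardTo).
"""
INTERNAL_DOMAIN = "example.com"  # assumption: the victim tenant's own domain
# Subject fragments a rule would match to keep bounces and replies out of the
# victim's view. The list itself is an assumption made for this example.
HIDE_TERMS = ("undeliverable", "delivery", "out of office", "re:", "sharepoint")

def classify_rule(rule: dict) -> list[str]:
    """Return reasons this rule looks attacker-created (empty list = benign)."""
    if not rule.get("isEnabled", True):
        return []
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []
    # Delete / move / mark-as-read all keep the message out of the user's sight.
    hides = bool(actions.get("delete") or actions.get("moveToFolder")
                 or actions.get("markAsRead"))
    subjects = [s.lower() for s in conditions.get("subjectContains", [])]
    matched = [s for s in subjects if any(t in s for t in HIDE_TERMS)]
    if hides and matched:
        reasons.append(f"hides messages whose subject contains {matched}")
    if hides and not conditions:
        reasons.append("unconditional hide rule")
    # An external auto-forward is a classic BEC collection channel.
    for recipient in actions.get("forwardTo", []):
        addr = recipient.get("emailAddress", {}).get("address", "")
        if addr and not addr.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"forwards to external address {addr}")
    return reasons

def triage(rules: list[dict]) -> dict[str, list[str]]:
    """Map display name -> findings for every rule that raised at least one."""
    return {r.get("displayName", "<unnamed>"): f
            for r in rules if (f := classify_rule(r))}

# Constructed sample: one benign rule, two modelled on the reported behaviour.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "AAMk-newsletters"}},
    {"displayName": "Archive", "conditions": {"subjectContains": ["Undeliverable", "RE:"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "sync", "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.invalid"}}]}},
]

if __name__ == "__main__":
    print(triage(SAMPLE_RULES))
```

Rules that the script flags still need a human decision before deletion; a matched rule is a lead for the session-revocation and rule-removal steps the report describes, not proof on its own.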