A coordinated phishing and Business Email Compromise (BEC) campaign is working its way through the energy sector. According to Microsoft Defender researchers, the operation pairs Adversary-in-the-Middle (AiTM) phishing with the trusted internal accounts it captures, using each compromised mailbox as the launch point for further attacks on the victim's contacts.
The attackers did not stop at stealing credentials. They abused SharePoint file-sharing to deliver phishing lures from a source recipients are inclined to trust, and created inbox rules in compromised mailboxes to maintain persistence and keep the account owner from noticing attacker activity. The AiTM phishing site sits as a proxy between the user and the legitimate login portal, relaying the sign-in in real time so that it captures not only the password but also the session cookie the portal issues once authentication completes. Because that cookie is minted after any multi-factor prompt has been satisfied, replaying it gives the attacker an authenticated session without having to repeat MFA.
In one instance, Microsoft researchers observed a large-scale phishing wave of more than 600 emails sent from a single compromised account, aimed at the user's network and contacts both inside and outside the organisation. Because the attacker holds a valid session, a password reset alone does not evict them. To truly close the foothold, security teams must revoke the account's active sessions, which invalidates the stolen session cookies and tokens, and remove the attacker-created inbox rules that would otherwise keep hiding replies and security notifications from the user.
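The triage and eviction steps above, as an added example written for this page and not taken from the Microsoft report: it inventories the inbox rules on a compromised Exchange Online mailbox, flags the patterns this campaign relies on (rules that delete, mark read, bury or forward incoming mail), and on request revokes the user's sessions and removes the flagged rules. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the operator holds Exchange administration rights and the User.ReadWrite.All Graph scope; the mailbox address and the folder-name list are placeholders to adapt to your tenant.

```powershell
<#
  Added example (not code from the Microsoft report): triage and evict an
  AiTM/BEC-compromised Microsoft 365 mailbox.
  Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules installed;
  operator has Exchange admin rights and the User.ReadWrite.All Graph scope.
  Runs report-only unless -Remediate is supplied.
#>
param(
    [Parameter(Mandatory)] [string] $CompromisedUser,   # placeholder, e.g. jdoe@contoso.com
    [switch] $Remediate
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Step 1: timeline. Find when rules were created or changed on this mailbox in the
# last 30 days (New-InboxRule/Set-InboxRule are admin-audit ops, UpdateInboxRules
# is the mailbox-audit op written when an Outlook client creates a rule).
$ruleEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $CompromisedUser -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules
$ruleEvents | Select-Object CreationDate, Operations | Sort-Object CreationDate | Format-Table -AutoSize

# Step 2: inventory every rule, including hidden ones, which attackers use to blend in.
$rules = Get-InboxRule -Mailbox $CompromisedUser -IncludeHidden

# Step 3: flag rules that hide mail from the user or leak it outside the mailbox.
# Folder names below are a placeholder list of rarely-viewed folders; extend as needed.
$hiddenFolders = 'RSS Subscriptions|Conversation History|Junk Email|Deleted Items|Archive'
$suspicious = $rules | Where-Object {
    ($_.DeleteMessage) -or
    ($_.MarkAsRead) -or
    ($_.MoveToFolder -and ($_.MoveToFolder -match $hiddenFolders)) -or
    ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo)   # any forwarding gets analyst review
}

Write-Host "Suspicious inbox rules on $CompromisedUser : $(@($suspicious).Count) of $(@($rules).Count)"
$suspicious | Select-Object Name, Enabled, DeleteMessage, MarkAsRead, MoveToFolder, ForwardTo, RedirectTo, Identity |
    Format-Table -AutoSize

if ($Remediate) {
    # Step 4: revoke sign-in sessions and refresh tokens. This is what actually
    # invalidates the session cookie stolen by the AiTM proxy; a password reset alone does not.
    Revoke-MgUserSignInSession -UserId $CompromisedUser | Out-Null
    Write-Host "Revoked sessions for $CompromisedUser"

    # Step 5: remove (not merely disable) the attacker's rules so nothing is left to re-enable.
    foreach ($rule in $suspicious) {
        Remove-InboxRule -Identity $rule.Identity -Confirm:$false
        Write-Host "Removed rule '$($rule.Name)' ($($rule.Identity))"
    }
}
```

Run it first without -Remediate and review the flagged list, since legitimate users do create forwarding and move-to-folder rules; then run with -Remediate alongside a password reset and a review of the user's registered MFA methods, because an attacker with a live session can register a new authenticator that survives the session revocation.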