A technical analysis by Microsoft said it uncovered a multi-stage adversary-in-the-middle phishing and business email compromise campaign targeting multiple organizations in the energy sector on Jan 21, 2026 and that one case involved more than 600 phishing messages.
KEY FACTS
- Incident: Multi-stage AitM phishing and BEC campaign
- Vector: Compromised trusted email and SharePoint links
- Persistence: Attacker-created inbox rules that delete and mark messages read
- Scale: More than 600 phishing emails observed in one case
The campaign began with messages sent from previously compromised legitimate addresses that were presented as SharePoint document-sharing workflows to increase credibility. Recipients who clicked a supplied URL were redirected to a fake credential prompt intended to harvest credentials and session cookies.
With stolen credentials and session cookies attackers created inbox rules to delete incoming mail and mark messages read to hide their activity. Compromised inboxes were then used to send further phishing messages that carried AitM credential-harvesting URLs to internal and external contacts.
The attackers also deleted undelivered and out-of-office replies and removed correspondence from the mailbox to reduce discovery. In one observed instance more than 600 messages were sent from a single compromised account to widen the campaign's reach.
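As an added defender-side example (not code from Microsoft's report), the following Python flags inbox-rule events of the kind described above in records shaped like Exchange Online Unified Audit Log AuditData JSON; the sample records, the field names assumed (Operation, UserId, ClientIP, Parameters) and the keyword list are constructed assumptions.

```python
import json

# Constructed sample records shaped like Exchange Online Unified Audit Log
# AuditData JSON (assumed field names: Operation, UserId, ClientIP, Parameters).
SAMPLE_AUDIT_DATA = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "a.user@example.com",
                "ClientIP": "203.0.113.10", "Parameters": [
                    {"Name": "Name", "Value": "Sync"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "sharepoint;undeliverable;out of office"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "b.user@example.com",
                "ClientIP": "198.51.100.5", "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.org"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "a.user@example.com",
                "ClientIP": "203.0.113.10"}),
]

# Rule actions that hide incoming mail from the mailbox owner.
SUPPRESSION_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
# Words a rule may filter on to swallow bounces and auto-replies (assumed list).
REPLY_KEYWORDS = ("undeliver", "out of office", "automatic reply", "mailer-daemon")


def suspicious_inbox_rules(audit_lines):
    """Return rule creation/modification events that suppress incoming mail."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        # Parameters arrive as a list of {"Name": ..., "Value": ...} pairs.
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        reasons = [f"{a}=True" for a in SUPPRESSION_ACTIONS
                   if params.get(a, "").lower() == "true"]
        words = ";".join(params.get(k, "") for k in
                         ("SubjectOrBodyContainsWords", "SubjectContainsWords")).lower()
        if any(k in words for k in REPLY_KEYWORDS):
            reasons.append("filters bounce/out-of-office replies")
        if reasons:
            findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                             "rule": params.get("Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_AUDIT_DATA):
        print(f"{f['user']} from {f['ip']}: rule {f['rule']!r} -> {', '.join(f['reasons'])}")
```

Each finding carries the creating user and client IP so a hit can be correlated with the sign-in that created the rule and the session revoked rather than only the password reset.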
The company worked with customers to revoke multi-factor authentication changes and delete suspicious inbox rules. The incident shows that password resets alone do not fully remediate this threat because active session cookies and attacker-created rules can preserve access and persistence.
The disclosure coincides with Okta's finding of custom phishing kits tailored for voice phishing that let an attacker on the phone control a target's browser authentication flow in real time.
WHY IT MATTERS
The techniques let attackers maintain access and evade user awareness while using trusted services to avoid detection. Organisations should adopt phishing-resistant MFA and session controls and remove malicious inbox rules to limit exposure.