Microsoft has issued an alert regarding a sophisticated multi-stage adversary-in-the-middle (AitM) phishing campaign combined with business email compromise (BEC) activity, primarily targeting organizations operating in the energy sector.
According to the Microsoft Defender Security Research Team, the attackers exploited SharePoint file-sharing services to distribute phishing content while creating inbox rules to remain persistent and avoid user detection. The campaign later evolved into coordinated AitM phishing and BEC operations spanning multiple organizations.
Abuse of Trusted Identities and Services
Following the initial compromise, the attackers leveraged trusted internal user identities to conduct widespread phishing campaigns both inside and outside affected organizations. By impersonating legitimate employees, the threat actors significantly expanded the reach of their operations.
The campaign typically began with phishing emails sent from already compromised accounts belonging to trusted organizations. These messages impersonated SharePoint document-sharing notifications, adding legitimacy and increasing the likelihood that recipients would click embedded phishing links.
Because platforms like SharePoint and OneDrive are commonly used in enterprise environments, and the emails originated from legitimate accounts, the messages often bypassed traditional email security defenses. This technique is known as living-off-trusted-sites (LOTS), where widely trusted services are weaponized to evade detection.
Credential Theft and Inbox Manipulation
Victims who clicked on the phishing links were redirected to counterfeit login pages designed to harvest credentials and session cookies. Once attackers gained access, they created inbox rules that deleted incoming emails and marked messages as read, effectively concealing malicious activity from the account owner.
The compromised mailbox was then used to distribute additional phishing emails containing AitM-based credential harvesting links. In one documented incident, more than 600 phishing emails were sent from a single compromised account to contacts both within and outside the organization.

Attackers were also observed deleting undelivered messages and out-of-office replies, while reassuring recipients who questioned the email’s legitimacy. All correspondence was removed afterward to erase traces of the operation.
Microsoft noted that these techniques are commonly associated with BEC attacks and are intended to maintain persistence while keeping victims unaware.
Mitigation Challenges and Defensive Measures
Microsoft emphasized the operational complexity of AitM attacks, warning that password resets alone are insufficient. Organizations must revoke active session cookies and remove malicious inbox rules created by attackers.
The company reported working closely with affected customers to reverse unauthorized multi-factor authentication (MFA) changes and eliminate suspicious inbox rules. The total number of impacted organizations remains unknown, and the campaign has not yet been attributed to a specific threat group.
Organizations are advised to coordinate with their identity providers to deploy phishing-resistant MFA, enable conditional access policies, implement continuous access evaluation, and use advanced anti-phishing solutions capable of monitoring emails and visited websites.
Broader Phishing Trends and Emerging Threats
The campaign reflects a growing trend where attackers abuse trusted platforms such as Google Drive, Amazon Web Services (AWS), and Atlassian Confluence to host phishing content or redirect users to credential harvesting pages. This approach reduces the need for custom attacker infrastructure and makes malicious activity appear legitimate.
In a related disclosure, identity provider Okta reported detecting custom phishing kits used in voice phishing, or vishing, campaigns targeting Google, Microsoft, Okta, and cryptocurrency platforms. Attackers impersonate technical support staff and use spoofed phone numbers to convince victims to visit malicious URLs.
These phishing kits relay stolen credentials to attackers in real time through Telegram channels, enabling immediate account compromise. The tools allow attackers to control authentication flows in victims’ browsers, guiding them to approve MFA prompts or enter one-time passwords.
Recent phishing campaigns have also exploited Basic Authentication URLs by disguising malicious domains behind trusted-looking prefixes. Additionally, homoglyph attacks using visual tricks such as replacing the letter “m” with “rn” have been used to mimic well-known brands and deceive users.
Security experts warn that such subtle visual manipulations are increasingly effective, especially when used in brand names, subdomains, or commonly trusted service identifiers.
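As an added defender-side illustration of the two URL tricks described above (not code from Microsoft, Okta or the article), the following Python script uses only the standard library to triage URLs: it flags a Basic-Authentication userinfo prefix (the text before "@", which browsers treat as a username, not the destination host) and "rn"-for-"m" homoglyph lookalikes of a constructed brand list; the brand list and sample URLs are assumptions made up for the example.

```python
from urllib.parse import urlsplit
import unicodedata

# Constructed list of brand labels to protect (assumption; not from the advisory).
PROTECTED_BRANDS = ("microsoft", "sharepoint", "onedrive", "okta", "google")


def normalize_host(host: str) -> str:
    """Fold the 'rn' -> 'm' homoglyph and NFKC-normalize so lookalikes compare equal."""
    host = unicodedata.normalize("NFKC", host.lower())
    return host.replace("rn", "m")


def analyze_url(url: str) -> dict:
    """Return findings for one URL: userinfo-prefix disguise and homoglyph brand lookalikes."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # 1. Basic Authentication URLs: everything before '@' in the authority is userinfo,
    #    so a trusted-looking name there says nothing about where the link really goes.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
        findings.append(f"userinfo prefix '{userinfo}' hides real host '{host}'")
        if any(brand in userinfo.lower() for brand in PROTECTED_BRANDS):
            findings.append("userinfo prefix impersonates a protected brand")

    # 2. Homoglyph check: a brand that appears only after folding 'rn' -> 'm' is a lookalike.
    folded = normalize_host(host)
    for brand in PROTECTED_BRANDS:
        if brand in folded and brand not in host.lower():
            findings.append(f"host '{host}' is a homoglyph lookalike of '{brand}'")

    return {"url": url, "real_host": host, "findings": findings, "suspicious": bool(findings)}


def triage(urls):
    """Return only the URLs that produced at least one finding."""
    return [r for r in (analyze_url(u) for u in urls) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample links, modelled on the tricks the report describes.
    samples = [
        "https://microsoft.com@evil.example/share/invoice",
        "https://rnicrosoft.com/login",
        "https://learn.microsoft.com/docs",  # benign: brand present without folding
    ]
    for result in triage(samples):
        print(result["url"], "->", result["real_host"], "|", "; ".join(result["findings"]))
```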