Full Report
Microsoft has warned of a multi‑stage adversary‑in‑the‑middle (AitM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector. "The campaign abused SharePoint file‑sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness," the Microsoft Defender Security Research Team said.
Analysis Summary
# Threat Actor: Unknown Actor (Associated with Multi-Stage AitM/BEC Campaign)
## Attribution & Identity
Attribution is currently **unknown**. The Microsoft Defender Security Research Team identified the campaign activity but did not attribute it to a specific known cybercrime group.
## Activity Summary
This is a sophisticated, multi-stage campaign blending Adversary-in-the-Middle (AitM) phishing and Business Email Compromise (BEC) tactics. The campaign began by compromising legitimate, trusted organizations and using their email accounts for initial distribution. The activity then continued with AitM attacks and follow-on BEC activity spanning multiple organizations. In one instance, more than 600 phishing emails were sent from a single compromised account to internal and external contacts.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Sending spear-phishing emails disguised as SharePoint document-sharing notifications, mimicking legitimate organizational workflows to gain recipient trust and deliver phishing URLs.
- **Living-Off-Trusted-Sites (LOTS):** Weaponizing legitimate, high-trust services like SharePoint and OneDrive for payload delivery, specifically designed to subvert email-centric detection mechanisms.
- **Credential Harvesting:** Redirecting users to fake credential prompts to steal login credentials and corresponding **session cookies**.
- **Persistence/Evasion:** Using stolen session cookies to execute post-exploitation activities, specifically creating **inbox rules** to automatically mark all incoming emails as read, delete incoming correspondence, and delete outgoing/out-of-office replies. This maintains attacker presence and evades user awareness.
- **Post-Compromise Activity:** Leveraging compromised internal identities to launch further large-scale intra-organizational and external phishing campaigns.
- **Defense Evasion:** Deleting evidence of suspicious activity (e.g., deleting undeliverable and out-of-office replies generated by the phishing run) and providing assurances of email authenticity when recipients raised concerns.
- **MFA/Identity Manipulation (Implied/Observed):** The article notes that Microsoft worked with affected customers to revoke MFA changes made by the attacker, indicating that identity manipulation was part of the attack lifecycle.
*Note: No specific MITRE ATT&CK IDs were provided in the context.*
## Targeting
- **Sectors:** Energy Sector (multiple organizations targeted).
- **Geography:** Not explicitly mentioned, but the targeting of global organizations via cloud services suggests a broad geographic scope.
- **Victims:** Multiple organizations within the energy sector.
## Tools & Infrastructure
- **Malware Families Used:** Not specified. The primary mechanism relied on credential theft and session manipulation, not traditional malware deployment.
- **Infrastructure:** Abused **SharePoint file-sharing services** for payload delivery. Used compromised, legitimate organizational email addresses for initial distribution.
## Implications
This attack highlights a concerning evolution in BEC and phishing, demonstrating the high operational complexity achieved by integrating session cookie theft (AitM) with stealthy persistence mechanisms (inbox rules). Traditional remediation such as a simple password reset is insufficient because stolen session cookies remain valid until they are explicitly revoked. The reliance on established, trusted cloud platforms (LOTS) significantly increases the chance of bypassing perimeter and email gateways.
## Mitigations
- Revoke active session cookies immediately upon suspected compromise.
- Identify and delete attacker-created inbox rules on compromised accounts.
- Review and revoke any Multi-Factor Authentication (MFA) enrollment/setting changes made by the attacker on accounts.
- Implement security controls such as Phishing-Resistant MFA.
- Enable **Conditional Access Policies**.
- Implement **Continuous Access Evaluation (CAE)**.
- Utilize anti-phishing solutions capable of monitoring and scanning both incoming emails and visited websites.
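The persistence technique described under Tactics, Techniques & Procedures (inbox rules that mark everything as read, delete incoming mail, and delete undeliverable/out-of-office replies) is something defenders can hunt for in mailbox audit data, which is the second mitigation above. The following is an added example, not code from Microsoft or from the report: it parses a constructed export of audit records whose shape approximates Exchange Online `New-InboxRule` audit entries (`Operation`, `UserId`, `ClientIP`, and a `Parameters` list of `Name`/`Value` pairs; the field layout is an assumption, so adapt the parser to your own export) and flags rules whose parameter combinations match the behaviour in the report.

```python
"""Hunt for BEC-style inbox rules in Exchange Online audit records.

Added example (not from the Microsoft report). The audit records below are
CONSTRUCTED to resemble Unified Audit Log entries for the Exchange
operations New-InboxRule / Set-InboxRule. The field layout is an assumption;
adapt the parser to whatever your export actually looks like.
"""
import json

# Constructed sample export: three rule creations, two of them suspicious.
SAMPLE_AUDIT_JSON = json.dumps([
    {
        "CreationTime": "2023-08-02T09:14:07",
        "Operation": "New-InboxRule",
        "UserId": "finance.lead@example.org",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {
        "CreationTime": "2023-08-02T09:15:30",
        "Operation": "New-InboxRule",
        "UserId": "finance.lead@example.org",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "cleanup"},
            {"Name": "SubjectContainsWords",
             "Value": "undeliverable;out of office;automatic reply"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {
        "CreationTime": "2023-08-02T11:02:11",
        "Operation": "New-InboxRule",
        "UserId": "ops@example.org",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "newsletter@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
])

# Subject keywords the report says the attacker suppressed (bounce/OOO replies).
SUPPRESSION_KEYWORDS = ("undeliverable", "out of office", "automatic reply")


def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def classify_rule(record):
    """Return the reasons this rule looks like BEC persistence, or [] if clean."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(record)
    reasons = []
    deletes = p.get("DeleteMessage", "").lower() == "true"
    marks_read = p.get("MarkAsRead", "").lower() == "true"
    # Any filtering condition (From, SentTo, *ContainsWords) scopes the rule.
    has_condition = any(k.endswith("ContainsWords") or k in ("From", "SentTo") for k in p)
    # 1. Blanket "mark read + delete" with no condition hides all incoming mail.
    if deletes and marks_read and not has_condition:
        reasons.append("marks all mail read and deletes it (no condition)")
    # 2. Deleting bounces/out-of-office replies hides that phishing went out.
    subject = p.get("SubjectContainsWords", "").lower()
    if deletes and any(k in subject for k in SUPPRESSION_KEYWORDS):
        reasons.append("deletes undeliverable/out-of-office replies")
    # 3. One- or two-character rule names are a common low-effort tell.
    if len(p.get("Name", "").strip()) <= 2:
        reasons.append("very short rule name")
    return reasons


def find_suspicious_rules(audit_json):
    """Parse an audit export and return (user, ip, time, reasons) per hit."""
    hits = []
    for rec in json.loads(audit_json):
        reasons = classify_rule(rec)
        if reasons:
            hits.append((rec["UserId"], rec["ClientIP"], rec["CreationTime"], reasons))
    return hits


if __name__ == "__main__":
    for user, ip, when, why in find_suspicious_rules(SAMPLE_AUDIT_JSON):
        print(f"{when} {user} from {ip}: {'; '.join(why)}")
```

The three checks map directly onto the report: an unconditional mark-as-read-and-delete rule, a rule that deletes the undeliverable and out-of-office replies a mass phishing run would generate, and a throwaway rule name. The `ClientIP` carried through in each hit is what lets an investigator tie the rule creation back to the AitM session and pivot to session revocation and the MFA review listed above.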