Full Report
Microsoft Defender Researchers have uncovered a multi‑stage adversary‑in‑the‑middle (AiTM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts. The campaign abused SharePoint file‑sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness. The…
Analysis Summary
# Incident Report: AiTM Phishing & BEC Chain Targeting Energy Sector
## Executive Summary
Microsoft Defender researchers uncovered a sophisticated, multi-stage Adversary-in-the-Middle (AiTM) phishing campaign that transitioned into Business Email Compromise (BEC) activity, specifically targeting organizations in the energy sector. Attackers leveraged SharePoint abuse for initial payload delivery, successfully compromised user accounts, and used inbox rule creation for persistence. Remediation required session revocation and rule removal, as standard password resets proved insufficient.
## Incident Details
- Discovery Date: Sometime leading up to or on January 21, 2026 (when the public disclosure occurred).
- Incident Date: Ongoing campaign involving multiple stages and organizations.
- Affected Organization: Multiple organizations in the energy sector.
- Sector: Energy.
- Geography: Not specified, but implied to be geographically widespread given the targeting of multiple organizations.
## Timeline of Events
### Initial Access
- Date/Time: Not specified, but occurred prior to persistence/lateral movement.
- Vector: AiTM Phishing initiated via abused SharePoint file-sharing services.
- Details: Attackers delivered phishing payloads designed to facilitate AiTM attacks, bypassing standard multi-factor authentication mechanisms.
### Lateral Movement
- Date/Time: Following initial access and user account compromise.
- Vector: Use of compromised trusted internal identities.
- Details: Attackers conducted large-scale intra-organizational phishing (within the compromised target) and external phishing campaigns to broaden the attack scope.
### Data Exfiltration/Impact
- Date/Time: Post-compromise.
- Vector: BEC activity following initial credential theft.
- Details: The successful compromise of user accounts was leveraged to conduct financial fraud or further intelligence gathering typical of BEC activity.
### Detection & Response
- Date/Time: When Defender detections surfaced the activity.
- Vector: Microsoft Defender detections.
- Details: Detections surfaced the activity to all affected organizations, prompting incident response efforts.
## Attack Methodology
- Initial Access: Adversary-in-the-Middle (AiTM) phishing attack chain, using SharePoint for payload delivery.
- Persistence: Creation of inbox rules by the attacker to maintain access and evade user awareness.
- Privilege Escalation: Not explicitly detailed; the attackers instead leveraged trusted internal identities to expand their reach.
- Defense Evasion: Use of inbox rules to hide malicious forwarding or activity from the legitimate user.
- Credential Access: AiTM techniques used to capture session tokens or credentials during the MFA exchange.
- Discovery: Not explicitly detailed; implied by the attackers maintaining presence in compromised mailboxes and using internal identities to select further targets.
- Lateral Movement: Conducting large-scale intra-organizational and external phishing using *trusted internal identities*.
- Collection: Inferred, related to identifying targets for BEC.
- Exfiltration: Inferred as the goal of the subsequent BEC activity.
- Impact: Compromise of various user accounts leading to follow-on BEC activity.
## Impact Assessment
- Financial: Not specified, but implied significant due to high-value BEC targeting in the energy sector.
- Data Breach: Compromise of various user accounts (session data, potentially email contents).
- Operational: Disruption via responding to a complex, multi-stage incident requiring specialized remediation steps.
- Reputational: Potential damage due to business email compromise and security posture questions within the critical energy sector.
## Indicators of Compromise
- Network indicators: None publicly listed in the report.
- File indicators: None publicly listed in the report.
- Behavioral indicators: Creation of unusual inbox rules; use of compromised accounts for large-scale internal/external phishing/BEC.
## Response Actions
- Containment measures: Revocation of active session cookies for compromised accounts was explicitly required.
- Eradication steps: Removal of attacker-created inbox rules.
- Recovery actions: Standard password resets were deemed insufficient and required follow-up remediation steps specific to session validation.
## Lessons Learned
- AiTM attacks are operationally complex and require remediation beyond standard identity compromise protocols (like password resets).
- Reliance on conventional identity protection alone is insufficient when session tokens are successfully stolen.
- Adversaries are effectively weaponizing legitimate cloud file-sharing services (SharePoint) for initial access.
## Recommendations
- Implement robust session validation mechanisms or Conditional Access policies that force re-authentication or session revocation following suspicious activity alerts.
- Proactively monitor cloud mailboxes for newly created or suspicious inbox rules, especially those attempting to route or forward messages externally/internally without user knowledge.
- Enhance security awareness training specifically focused on recognizing signs of AiTM phishing (e.g., unexpected prompts, continuous MFA requests).
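The behavioral indicator above (unusual inbox rules) and the recommendation to monitor mailboxes for newly created rules can be turned into a small triage script. The following is an added example, not code from the Microsoft report: it assumes the general shape of Exchange Online Unified Audit Log records for the `New-InboxRule` / `Set-InboxRule` cmdlets (an `Operation` field plus a `Parameters` list of `Name`/`Value` pairs), the sample records are constructed, and the internal domain, keyword list and scoring weights are assumptions to be tuned per tenant.

```python
"""Score inbox-rule audit records for signs of attacker-created rules.

Added example, not from the Microsoft report. Assumes the Unified Audit Log
record shape (Operation + Parameters[{Name, Value}]); all records below are
constructed samples, not real telemetry.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_DOMAINS = {"corp.example"}          # assumption: the tenant's own domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders commonly used to hide mail from the mailbox owner (heuristic list).
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                "deleted items", "conversation history"}
# Subject/body keywords typical of BEC follow-up and security warnings (assumption).
KEYWORDS = {"invoice", "payment", "wire", "bank", "password",
            "phish", "hacked", "suspicious"}

# Constructed sample records in the style of Search-UnifiedAuditLog AuditData.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@corp.example",
                "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "[SMTP:drop@external-mailbox.example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@corp.example",
                "Parameters": [
                    {"Name": "Name", "Value": "Cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "hacked;phishing;suspicious"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@corp.example",
                "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "dave@corp.example"}),
]


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: List[str]
    score: int


def _params(record: dict) -> dict:
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _addresses(value: str) -> List[str]:
    """Split a recipient parameter ('[SMTP:a@x]; b@y') into bare addresses."""
    out = []
    for tok in value.replace(";", ",").split(","):
        tok = tok.strip().strip("[]").strip()
        if tok.upper().startswith("SMTP:"):
            tok = tok[5:]
        if tok:
            out.append(tok.lower())
    return out


def _is_external(address: str) -> bool:
    return "@" in address and address.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def analyze_record(record: dict) -> Optional[Finding]:
    """Return a Finding for rule-creation records showing hiding/forwarding behaviour."""
    if record.get("Operation") not in RULE_OPS:
        return None
    p = _params(record)
    reasons, score = [], 0
    for key in sorted(FORWARD_PARAMS & set(p)):
        ext = [a for a in _addresses(p[key]) if _is_external(a)]
        if ext:
            reasons.append(f"{key} to external address(es): {', '.join(ext)}")
            score += 5
        else:
            reasons.append(f"{key} set")
            score += 1
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True"); score += 3
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"MoveToFolder={p['MoveToFolder']}"); score += 3
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead=True"); score += 1
    text = " ".join(p.get(k, "") for k in
                    ("SubjectContainsWords", "BodyContainsWords",
                     "SubjectOrBodyContainsWords")).lower()
    hits = sorted(k for k in KEYWORDS if k in text)
    if hits:
        reasons.append(f"keyword conditions: {', '.join(hits)}"); score += 2
    name = p.get("Name", "")
    if len(name.strip(" .,;-_")) <= 1:          # near-empty names hide the rule in the UI
        reasons.append(f"near-empty rule name {name!r}"); score += 2
    if score == 0:
        return None
    return Finding(record.get("UserId", "?"), name, reasons, score)


def scan(raw_lines: List[str]) -> List[Finding]:
    """Parse JSON audit records and return findings, highest score first."""
    findings = [f for f in (analyze_record(json.loads(l)) for l in raw_lines) if f]
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.score:>3}  {f.user:<22} {f.rule_name!r}: {'; '.join(f.reasons)}")
```

In practice the input would come from `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule` exported as JSON, and the highest-scoring findings would feed the containment steps the report describes (session revocation plus rule removal, not a password reset alone).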