Energy Firms Targeted in SharePoint AiTM Session Hijacking

Attackers are abusing SharePoint links in an AiTM phishing campaign to hijack sessions at energy firms and enable BEC attacks, even with MFA enabled.

Written By
Ken Underhill
Jan 26, 2026

Threat actors are abusing Microsoft SharePoint links to run an adversary-in-the-middle (AiTM) phishing campaign against energy firms, compromising accounts and enabling follow-on BEC attacks. 

The operation uses trusted-looking SharePoint URLs and compromised vendor email accounts to blend into normal collaboration patterns. 

“This attack demonstrates the operational complexity of AiTM campaigns and the need for remediation beyond standard identity compromise responses,” said Microsoft researchers.

Inside the SharePoint Phishing Flow

The intrusion chain started with phishing emails sent from a compromised trusted vendor account.

Instead of using obviously suspicious links or attachments, the attackers embedded SharePoint URLs that required authentication, closely mirroring normal document-sharing workflows that employees see every day. 

This approach helped the campaign blend into routine collaboration activity and reduced the chances that traditional email security controls would flag it as malicious.

After a victim clicked the SharePoint link, they were redirected to a fraudulent login page built for adversary-in-the-middle (AiTM) interception. 

Unlike basic credential phishing, AiTM attacks are designed to capture not only usernames and passwords, but also live session data (such as authentication tokens or session cookies). 

That’s what makes these campaigns so effective: even with MFA enabled, attackers can still gain access by hijacking an authenticated session rather than trying to defeat MFA directly.

The researchers also observed the threat actors moving quickly after gaining access. 

They immediately created malicious inbox rules that deleted incoming messages and marked emails as read, suppressing security notifications and reducing the likelihood that victims would notice suspicious activity. 

With those controls in place, attackers could quietly monitor email threads, track ongoing conversations, and prepare the next stage of the operation while staying out of sight.
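The inbox rules described above leave a trail in the Exchange Online audit log (New-InboxRule and Set-InboxRule operations). The following detector is an added example written for this article, not Microsoft's code and not taken from the campaign report: it parses audit records in the Unified Audit Log shape (Operation, UserId, and a Parameters list of Name/Value pairs; that layout is an assumption, as are the folder and keyword lists) and flags rules that hide incoming mail by deleting it, marking it read, or parking it in a folder users rarely open. The sample log lines are constructed.

```python
"""Flag attacker-style inbox rules in Exchange Online audit records.

Added example, not from the article's source report or Microsoft.
Assumes Unified Audit Log style records: one JSON object per line with
"Operation", "UserId", "CreationTime" and a "Parameters" list of
{"Name": ..., "Value": ...} pairs. Sample records below are constructed.
"""
import json
from typing import Iterable

# Folders attackers commonly use with MoveToFolder to keep mail out of sight (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
# Rule conditions that select which messages the rule acts on.
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords")
# Words that suggest the rule targets security notices or payment traffic (assumed list).
SUSPICIOUS_KEYWORDS = ("password", "security", "mfa", "sign-in", "invoice",
                       "payment", "phish", "suspicious", "hacked")


def parse_audit_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _params(record: dict) -> dict:
    """Flatten the Parameters list into a plain name -> string value mapping."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_indicators(record: dict) -> list[str]:
    """Return the reasons a rule-creation record looks malicious; [] if it looks benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = _params(record)
    reasons = []
    # Hiding actions: delete, mark as read, or move into a folder nobody checks.
    for name in ("DeleteMessage", "MarkAsRead", "SoftDeleteMessage"):
        if params.get(name, "").lower() == "true":
            reasons.append(f"{name}=True")
    folder = params.get("MoveToFolder", "").strip("\\").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={params['MoveToFolder']!r}")
    if not reasons:
        return []  # no hiding action, so not the pattern this detector is after
    # Context that raises confidence: throwaway names, security keywords, catch-all scope.
    name = params.get("Name", "")
    if len(name) <= 2 and not name.isalnum():
        reasons.append(f"minimal rule name {name!r}")
    for fp in FILTER_PARAMS:
        words = params.get(fp, "").lower()
        hits = [k for k in SUSPICIOUS_KEYWORDS if k in words]
        if hits:
            reasons.append(f"{fp} matches {hits}")
    if not any(fp in params for fp in FILTER_PARAMS):
        reasons.append("no content filter: applies to all incoming mail")
    return reasons


def find_suspicious_rules(records: Iterable[dict]) -> list[dict]:
    """Run rule_indicators over every record and collect the findings for triage."""
    findings = []
    for r in records:
        reasons = rule_indicators(r)
        if reasons:
            findings.append({"user": r.get("UserId"), "time": r.get("CreationTime"),
                             "rule": _params(r).get("Name", ""), "reasons": reasons})
    return findings


# Constructed sample: one sign-in, one hiding rule, one ordinary newsletter rule.
SAMPLE_AUDIT_LOG = r'''
{"CreationTime": "2026-01-20T09:14:02", "Operation": "UserLoggedIn", "UserId": "a.user@energy.example", "Parameters": []}
{"CreationTime": "2026-01-20T09:16:40", "Operation": "New-InboxRule", "UserId": "a.user@energy.example", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectOrBodyContainsWords", "Value": "password;security alert;suspicious sign-in"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2026-01-20T11:02:13", "Operation": "New-InboxRule", "UserId": "b.user@energy.example", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "\\Newsletters"}]}
'''

if __name__ == "__main__":
    for f in find_suspicious_rules(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{f['time']} {f['user']} rule {f['rule']!r}: {', '.join(f['reasons'])}")
```

The detector only fires when a hiding action is present, so ordinary filing rules stay quiet; the extra indicators (one-character names, security keywords, catch-all scope) are there to rank findings, not to gate them.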

The attackers then launched a high-volume phishing wave of more than 600 emails to contacts both inside and outside the victim organization, selecting targets based on recent email threads found in compromised mailboxes. 

By hijacking active business conversations, they increased realism and improved engagement rates. 

When recipients questioned suspicious messages, the attackers replied directly from compromised accounts to reassure them, then deleted the email thread to erase evidence and delay detection. 

Microsoft’s researchers later identified additional compromised users by analyzing landing infrastructure and abnormal sign-in patterns, confirming the campaign’s reach across multiple organizations in the energy sector.


How to Mitigate AiTM Phishing

AiTM phishing campaigns require a different response than traditional credential theft because attackers can remain logged in using stolen session tokens, even after a password reset. 

That’s why effective remediation should focus on session containment, mailbox cleanup, and identity hardening — not just changing credentials.

  • Revoke active sessions and cookies for impacted users, then reset passwords and review MFA methods for unauthorized changes.
  • Remove attacker-created inbox rules, forwarding settings, and mail transport changes that hide activity or enable persistence.
  • Enforce phishing-resistant MFA (FIDO2/WebAuthn) and block legacy authentication protocols to reduce AiTM bypass paths.
  • Implement conditional access policies using identity signals (device compliance, location, risk level, and user groups) and enable continuous access evaluation.
  • Restrict SharePoint and OneDrive external sharing by limiting anonymous links, requiring expiration, and applying domain allowlists where possible.
  • Monitor and alert on suspicious sign-ins, inbox rule creation, and abnormal outbound email volume using Defender XDR and centralized logging.
  • Hunt for known IOCs and validate backups while regularly testing incident response plans, including account containment and recovery workflows.
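The 600-message phishing wave described earlier is exactly the kind of abnormal outbound volume the monitoring step above calls for. The following baseline check is an added example written for this article, not a Microsoft or Defender XDR feature: it takes message-trace style records (sender, sent timestamp, recipient; the field names are an assumption), computes each sender's median daily send count over a trailing window, and flags a day that is both large in absolute terms and several times the sender's own baseline. The trace data is constructed inline so the block runs offline.

```python
"""Flag outbound email volume spikes per sender against a trailing baseline.

Added example for this article, not vendor code. Records are assumed to
carry "sender", "sent" (ISO 8601 timestamp) and "recipient"; the trace
below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

MIN_ABSOLUTE = 100       # below this, never alert: small mailboxes are noisy
SPIKE_MULTIPLIER = 5.0   # the day must be at least 5x the sender's median day


def daily_send_counts(records: list[dict]) -> dict:
    """Return sender -> Counter(date -> messages sent that day)."""
    counts = defaultdict(Counter)
    for r in records:
        day = datetime.fromisoformat(r["sent"]).date()
        counts[r["sender"]][day] += 1
    return counts


def outbound_spikes(records: list[dict], window_days: int = 7) -> list[dict]:
    """Compare each sender's latest day with the median of their previous days."""
    findings = []
    for sender, per_day in daily_send_counts(records).items():
        days = sorted(per_day)
        latest = days[-1]
        history = [per_day[d] for d in days if d < latest][-window_days:]
        # A sender with no history gets a baseline of 1, so any day over
        # MIN_ABSOLUTE is flagged; that is deliberate for brand-new mailboxes.
        baseline = median(history) if history else 0
        today = per_day[latest]
        if today >= MIN_ABSOLUTE and today >= SPIKE_MULTIPLIER * max(baseline, 1):
            findings.append({"sender": sender, "date": latest.isoformat(),
                             "count": today, "baseline": baseline})
    return findings


def build_sample_trace() -> list[dict]:
    """Constructed trace: a.user sends ~20/day then 600 on day 8; b.user stays steady."""
    start = datetime(2026, 1, 13, 8, 0)
    profile = {"a.user@energy.example": [18, 22, 20, 25, 19, 21, 20, 600],
               "b.user@energy.example": [30, 28, 33, 31, 29, 30, 32, 35]}
    recs = []
    for sender, counts in profile.items():
        for day, n in enumerate(counts):
            for i in range(n):
                recs.append({"sender": sender,
                             "sent": (start + timedelta(days=day, minutes=i)).isoformat(),
                             "recipient": f"contact{i}@partner{i % 40}.example"})
    return recs


if __name__ == "__main__":
    for f in outbound_spikes(build_sample_trace()):
        print(f"{f['date']} {f['sender']}: {f['count']} sent, baseline {f['baseline']}/day")
```

Pairing a per-sender multiplier with an absolute floor keeps a busy but normal sender (b.user here) quiet while still catching a compromised account that suddenly sends hundreds of messages; in practice the alert would be joined with the inbox-rule and sign-in findings for the same user before containment.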

Collectively, these steps limit blast radius and help strengthen cyber resilience.


What Energy Firms Should Take Away

For energy sector organizations, this campaign shows how attackers can misuse familiar cloud collaboration tools like SharePoint to gain access in ways that look routine and legitimate. 

A practical, resilience-focused response is to reduce blast radius with strong session controls, phishing-resistant authentication, and conditional access policies, while improving visibility into mailbox changes and unusual outbound email activity. 

This is where zero-trust principles help by continuously verifying access and limiting blast radius.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
