Microsoft warns of rising AitM phishing attacks on energy sector

The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence


The energy sector should be on the alert for a new multi‑stage adversary‑in‑the‑middle (AitM) campaign, Microsoft has warned.

Cloud collaboration platforms, particularly Microsoft SharePoint and OneDrive, are popular with threat actors thanks to their widespread presence in enterprise environments.

They offer built-in legitimacy, flexible file‑hosting capabilities, and authentication flows that attackers can take over and use to hide their presence.

This latest phishing and business email compromise (BEC) campaign, Microsoft said, abused SharePoint file sharing services to deliver phishing payloads. Emails with the subject line “NEW PROPOSAL – NDA” appeared legitimate, coming from a previously compromised email address belonging to a trusted organization.

A number of user accounts have already been compromised, according to the Microsoft Defender Research team.

Victims clicking on a link included in the email were redirected to a fake login page, which collected their credentials. The attackers also altered inbox rules to mark all emails as "read", making their activity harder to detect.

They were then able to make use of trusted internal identities from the target to conduct large‑scale phishing attacks, both within the organization and externally, significantly expanding the scope of the campaign.

In one example, the campaign involved more than 600 emails, each carrying a different phishing URL, sent to the compromised user’s contacts within and outside the organization, as well as to distribution lists.

The attackers then made further efforts to avoid suspicion.

"The attacker read the emails from the recipients who raised questions regarding the authenticity of the phishing email and responded, possibly to falsely confirm that the email is legitimate," said the Microsoft team.

"The emails and responses were then deleted from the mailbox. These techniques are common in any BEC attacks and are intended to keep the victim unaware of the attacker’s operations, thus helping in persistence."

Tackling adversary-in-the-middle attacks

Microsoft highlighted the operational complexity of AiTM campaigns, saying that password resets alone are not enough to fix the problem.

Impacted organizations must, said the firm, make sure that they've revoked active session cookies, reversed the changes to MFA settings made by the attacker on the compromised user’s accounts and removed the altered inbox rules.
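The inbox-rule persistence described above (rules that mark every message as read or delete it) is something defenders can hunt for in mailbox audit logs. The script below is an added example, not code from Microsoft or the article; it assumes records shaped like Exchange Online unified audit log entries for `New-InboxRule`/`Set-InboxRule` operations, with a constructed sample log embedded inline, and flags rules that apply hiding actions to all mail without any filter condition, or that carry a blank or punctuation-only name (a heuristic assumption, not a claim from the article).

```python
import json

# Constructed sample records, shaped like Exchange Online unified audit log
# entries for inbox-rule operations (an assumed layout, not data from the article).
SAMPLE_AUDIT_LOG = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "victim@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@example.com", "Parameters": []},
])

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
HIDING_ACTIONS = {"MarkAsRead", "DeleteMessage"}
CONDITION_KEYS = {"From", "FromAddressContainsWords", "SubjectContainsWords",
                  "BodyContainsWords", "SentTo", "HeaderContainsWords"}

def rule_parameters(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def assess_rule(record):
    """Return the reasons an inbox-rule record looks like BEC persistence, or []."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(record)
    reasons = []
    actions = {k for k in HIDING_ACTIONS if params.get(k, "").lower() == "true"}
    conditions = CONDITION_KEYS & params.keys()
    if actions and not conditions:
        # The campaign's pattern: a rule that silently marks or deletes every
        # incoming message, with no filter narrowing what it applies to.
        reasons.append("unfiltered rule with hiding actions: " + ", ".join(sorted(actions)))
    name = params.get("Name", "")
    if len(name.strip(" ._-")) == 0:
        # Heuristic (assumption): blank or punctuation-only names avoid notice.
        reasons.append("non-descriptive rule name %r" % name)
    return reasons

def find_suspicious_rules(audit_log_json):
    """Map each actor to the reasons their inbox-rule changes were flagged."""
    findings = {}
    for record in json.loads(audit_log_json):
        reasons = assess_rule(record)
        if reasons:
            findings[record["UserId"]] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in find_suspicious_rules(SAMPLE_AUDIT_LOG).items():
        print(user, "->", "; ".join(reasons))
```

A hit on a mailbox is a cue to run the full remediation the article lists (revoke session cookies, reverse MFA changes, remove the rule), not just a password reset.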

"While AiTM phishing attempts to circumvent MFA, implementation of MFA still remains an essential pillar in identity security and highly effective at stopping a wide variety of threats. MFA is the reason that threat actors developed the AiTM session cookie theft technique in the first place," the team said.

The researchers also advised organizations to work with their identity provider to ensure security controls like MFA are in place.

They added: "Organizations should also consider complementing MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals like user or group membership, IP location information, and device status, among others."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.