Microsoft’s security researchers have raised the alarm about a highly sophisticated multi-stage cyberattack involving Adversary-in-the-Middle (AiTM) phishing and Business Email Compromise (BEC) that has been observed targeting multiple organisations, particularly in the energy sector. The attack chain is notable for abusing trusted cloud services like Microsoft SharePoint — a tactic that allows threat actors to hide malicious activity behind legitimate enterprise tools and evade traditional security defences.
What Makes This Attack Different and Dangerous
According to the Microsoft Defender Security Research Team, the campaign begins with a phishing email sent from the mailbox of a trusted organisation that had itself been compromised earlier. Because the message really does come from a known sender and domain, neither the recipient nor sender-reputation checks have an obvious reason to flag it.
The email carries a SharePoint file-sharing link that mirrors the everyday document-collaboration workflow of a business environment. Following the link eventually lands the user on an attacker-controlled sign-in page that imitates the Microsoft login and harvests whatever is typed into it. Because SharePoint and OneDrive are so widely used and trusted, recipients are more readily deceived into entering their credentials.
This technique, often called living-off-trusted-sites (LOTS), exploits user confidence in well-known cloud services: because the initial link resolves to a trusted domain, URL-reputation checks and spam filters on the email platform have little to act on.
How the Attack Escalates: Session Hijack and Persistence
In an AiTM setup the fake sign-in page does not merely record what the victim types; it relays the sign-in to the real service in real time, so the victim completes any MFA prompt and the attacker captures both the password and the session cookie issued at the end of that successful authentication. Replaying that cookie gives the attacker access to the account without triggering immediate suspicion, because to backend systems the session is legitimate: it was minted by the identity provider after a valid MFA challenge.
The attackers then take steps to maintain persistence and stay unnoticed inside the compromised mailbox. They create hidden inbox rules that automatically delete certain incoming emails and mark others as read, so that replies, bounces and warnings which would reveal the compromise never reach the account owner's attention. This lets the threat actors monitor communications and use the account as a launchpad for further campaigns.
From inside the victim’s account, attackers can send out additional phishing emails — often hundreds or more — to contacts both within and outside the organisation. In one documented case, more than 600 phishing emails were sent from a single compromised inbox.
Business Email Compromise: The Financial Risk
After establishing control of the account and hiding evidence of the compromise, the attackers use the compromised identity to launch Business Email Compromise (BEC) operations. BEC attacks often involve fraudulent payment requests, fake invoices, or requests to update banking details, and they are one of the most costly forms of cyber fraud.
By leveraging a trusted internal identity and the appearance of legitimate corporate communication, attackers can manipulate other employees, clients or partners into complying with fraudulent financial instructions — posing a major risk for financial loss and reputational damage.
Why Password Resets Aren’t Enough
Microsoft noted that simply resetting a compromised user's password is not sufficient to remediate this kind of attack. A password reset does not invalidate session cookies and tokens that were issued before the reset, so the stolen session keeps working until those tokens are explicitly revoked.
Security experts emphasise that organisations must also:
- Revoke active session tokens
- Remove malicious inbox rules
- Reset and reinforce multi-factor authentication (MFA) settings
- Deploy phishing-resistant MFA solutions
- Implement conditional access policies
- Use advanced anti-phishing and email scanning tools
These steps help prevent attackers from retaining access and reduce the likelihood of similar future attacks.
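The following PowerShell script is an added example and not code from Microsoft's report or from the article's author. It covers the first two items of the list above, and the hidden-inbox-rule persistence described earlier: it enumerates a mailbox's inbox rules (including hidden ones), flags those whose actions match the delete / mark-as-read / forward pattern, and, when run with `-Remediate`, archives and removes them and then revokes the user's sign-in sessions. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the operator holds the Exchange and Entra roles those cmdlets require; `victim@contoso.example` and the folder-name heuristic are placeholders chosen for illustration.

```powershell
# Added example (not from the Microsoft report): hunt for and remove
# attacker-created inbox rules, then revoke the user's sign-in sessions.
# Requires: ExchangeOnlineManagement and Microsoft.Graph modules, plus an admin
# account with the corresponding roles. The mailbox name is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Mailbox,   # e.g. victim@contoso.example (placeholder)
    [switch] $Remediate                         # omit for a read-only hunt
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.RevokeSessions.All' -NoWelcome

# 1. Enumerate inbox rules, including hidden ones that the Outlook UI does not show.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden

# 2. Flag rules whose actions match the persistence pattern: silently deleting
#    mail, marking it read, or moving it to a folder the owner rarely opens
#    (the folder list is an illustrative heuristic, not an official indicator).
#    Forward/redirect actions are included because they are the other common BEC tell.
$suspicious = @($rules | Where-Object {
    $_.DeleteMessage -or
    $_.MarkAsRead   -or
    ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Conversation History|Junk') -or
    $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo
})

if ($suspicious.Count -eq 0) {
    Write-Host "No suspicious inbox rules on $Mailbox"
} else {
    $suspicious |
        Select-Object Name, Enabled, DeleteMessage, MarkAsRead, MoveToFolder,
            @{ n = 'Forward'; e = { @($_.ForwardTo + $_.RedirectTo + $_.ForwardAsAttachmentTo) -join ';' } },
            Description |
        Format-List
}

if ($Remediate) {
    foreach ($r in $suspicious) {
        # Preserve the rule definition before deleting it so the IR timeline keeps the evidence.
        $r | Export-Clixml -Path ("rule-{0}-{1}.xml" -f $Mailbox, $r.RuleIdentity)
        Remove-InboxRule -Mailbox $Mailbox -Identity $r.Identity -Confirm:$false
    }
    # A password reset alone leaves already-issued session tokens valid; this call
    # invalidates them so the attacker's captured session stops working.
    Revoke-MgUserSignInSession -UserId $Mailbox | Out-Null
    Write-Host "Removed $($suspicious.Count) rule(s) and revoked sign-in sessions for $Mailbox"
}
```

Run it once without `-Remediate` to review what it found, then again with the switch. Requiring the user to re-register MFA and tightening Conditional Access are done in the Entra admin center rather than in this script; and because the campaign sends hundreds of follow-on phishing emails from the compromised mailbox, the same rule hunt should be repeated against every internal recipient who replied to or clicked on those messages.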
Growing Trend: Trusted Services Abuse
This incident reflects a broader trend where cybercriminals abuse well-known cloud collaboration services like SharePoint, OneDrive, Google Drive and others to disguise malicious links and infrastructure. Because these platforms are widely trusted and heavily used in enterprises, they help attackers make their phishing messages look more legitimate and bypass standard email-centric defences.
Security analysts have warned that AI-assisted phishing tools, custom phishing kits, and techniques designed to defeat MFA and other security safeguards are becoming more common, raising the bar on both attack sophistication and the need for advanced defensive measures.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
