Microsoft Warns of Sophisticated Multi-Stage AiTM Phishing and BEC Campaign Exploiting SharePoint to Breach Multiple Organizations

The threat actors behind this campaign targeted multiple organizations primarily in the energy sector, starting with phishing emails that appeared to originate from legitimate, trusted partners. By abusing SharePoint’s file-sharing services and authentication workflows, the attackers successfully delivered phishing payloads and then escalated to follow-on BEC activity that spanned all affected tenants.

Rather than a simple credential theft, this campaign demonstrated operational depth and persistence, making it difficult to detect and remediate with standard identity compromise responses.


Attack Chain: How the Campaign Progressed

The threat unfolded through multiple coordinated stages, each carefully engineered to establish access and expand reach:

1. Initial Access via Trusted Vendor Compromise

  • Attackers sent phishing emails from an address belonging to what appeared to be a legitimate partner organization.
  • The email used SharePoint-related subject lines to mimic authentic document-sharing workflows that many enterprises depend on.
  • Embedded links led recipients to a SharePoint URL that triggered a phishing authentication flow.
  • Since the URL leveraged a trusted domain and login interface, traditional email security filters were often bypassed.

2. Malicious URL Interaction

  • Recipients who clicked the SharePoint link were redirected to a credential harvesting page.
  • The adversary-in-the-middle (AiTM) technique recorded not only usernames and passwords but also session cookies.
  • Because session cookies can grant ongoing authenticated access even after multifactor authentication (MFA), this step significantly increased the attack’s success rate.

3. Inbox Rule Creation for Persistence

  • After gaining access to the user’s mailbox, attackers created inbox rules configured to:
    • Mark all incoming mail as “read”
    • Automatically delete all new messages
  • These rules helped hide the attacker’s presence and maintain persistence without alerting the victim.

4. Internal and External Phishing Campaign

  • The compromised account was used as a launching point for a larger phishing operation:
    • Over 600 phishing emails were sent to internal and external contacts.
    • Target lists were dynamically pulled from recent email threads in the victim’s mailbox.
  • This leveraged the existing trust relationships in communication graphs to increase the attack’s credibility.

5. BEC Tactics and Continued Cover-Up

  • The attackers actively monitored the compromised mailbox for:
    • Undelivered mail
    • Automatic replies
    • Responses questioning legitimacy
  • They deleted responses and even replied themselves to maintain credibility while suppressing evidence of the attack.

Why This Attack Was Effective

This campaign showcased several advanced techniques that helped it evade detection and maintain persistence:

Living-Off-Trusted-Sites (LOTS)

  • By weaponizing legitimate services like SharePoint and OneDrive, attackers exploited the trust users have in these platforms — and in many cases, the inherent trust placed in authentication flows from those domains.
  • This technique made phishing links less likely to be blocked by email filters.

Persistence Through Rule Manipulation

  • The stealthy inbox rule creation allowed the attackers to stay undetected while controlling email flow — a non-standard persistence mechanism that typical anti-phishing solutions may overlook.

Detection and Mitigation Strategies

Microsoft’s blog also includes a comprehensive set of recommendations designed to disrupt similar campaigns:

Detection Capabilities

Solutions like Microsoft Defender XDR and Defender for Cloud Apps can detect:

  • Suspicious session cookie reuse
  • Unauthorized inbox rules
  • Unusual sign-on patterns or geographic anomalies
  • Mass outbound phishing attempts
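As an added example (not code from Microsoft's blog or this article), the following Python checks two of the signals listed above over constructed audit records: inbox rules that mark every incoming message read and delete it, and a burst of outbound sends from a single mailbox. The record layout, the parameter names (MarkAsRead, DeleteMessage) and the 500-message threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records, assumed to follow the shape of Exchange Online unified
# audit log entries (Operation, UserId, Parameters as Name/Value pairs).
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-01T09:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-06-01T09:15:00", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
] + [  # 650 sends from alice within eleven minutes, mimicking the mass phishing wave
    {"CreationTime": f"2023-06-01T09:{20 + i // 60:02d}:{i % 60:02d}",
     "Operation": "Send", "UserId": "alice@contoso.example", "Parameters": []}
    for i in range(650)
]

# Conditions that narrow which mail a rule touches; with none present it hits all mail.
NARROWING = {"From", "SentTo", "SubjectContainsWords", "BodyContainsWords"}

def is_suppression_rule(record):
    """True for a rule that marks every new message read and deletes it, with no filter."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    hides = p.get("MarkAsRead") == "True" and p.get("DeleteMessage") == "True"
    return hides and not (NARROWING & set(p))

def outbound_bursts(records, threshold=500, window=timedelta(hours=1)):
    """Map sender -> peak Send count inside any sliding window that reaches threshold."""
    sends = {}
    for r in records:
        if r.get("Operation") == "Send":
            sends.setdefault(r["UserId"], []).append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in sends.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

Running both checks over the sample flags only alice: her rule suppresses all mail, and her 650 sends fall inside one window; bob's filtered archive rule is left alone.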

Remediation Steps

  • Revoke session cookies as part of incident response — password resets alone are insufficient.
  • Remove malicious inbox rules created by attackers.
  • Enforce conditional access policies that evaluate sign-in risk based on location, device, and user behavior.
  • Implement phishing-resistant MFA such as FIDO2 security keys and app-based or certificate-based authentication.
  • Deploy advanced URL and email scanning to detect LOTS and redirect-based phishing flows.

Key Takeaways

  • This campaign emphasizes how trusted cloud platforms can be misused by sophisticated attackers.
  • Standard defenses like password reset and basic MFA are not enough; identity and session monitoring is crucial.
  • Holistic visibility — spanning authentication events, mailbox rules, and email activity — is necessary to detect and counter advanced phishing campaigns.

For defenders and security teams, the dual challenges of AiTM phishing and BEC highlight the importance of evolving phishing defense strategies beyond traditional email filtering and password policies — toward identity-centric, context-aware threat detection and response.