February 7, 2026
Microsoft reports a renewed, multi-stage adversary-in-the-middle (AiTM) phishing campaign that escalated into business email compromise (BEC) and hit multiple organizations in the energy sector. The attackers abused SharePoint file-sharing links to look legitimate and trick victims into signing in, then leveraged the stolen session/credentials to take over accounts. After the first foothold (which Microsoft says likely started from a compromised “trusted” sender/vendor email), the attackers used the victim’s trusted identity to spread the operation outward—phishing both internal colleagues and external contacts and distribution lists—turning one compromised mailbox into a wide-reaching campaign.
A key detail is how the attackers stayed hidden and maintained control: they created malicious inbox rules to delete or mark emails as read, and monitored responses to keep victims unaware—classic BEC “stealth” behavior. Microsoft’s main defensive takeaway is that password resets alone aren’t enough for AiTM incidents, because attackers can steal and reuse session cookies; organizations need to revoke active sessions/cookies, remove attacker-created inbox rules, and review any MFA changes or persistence the attacker set up. The post also recommends pairing MFA with conditional access signals (device status, location, group membership, etc.) and using Defender’s automated response capabilities to disrupt phishing waves quickly.
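The remediation steps above (hunt for delete/mark-as-read inbox rules, revoke sessions rather than only resetting the password, review MFA registrations) as one triage script for a single mailbox. This is an added example, not code from Microsoft's post; it assumes an existing admin session from Connect-ExchangeOnline and Connect-MgGraph, and the parameter names and output layout are my own.

```powershell
# Added example: post-AiTM triage for one compromised mailbox.
# Assumes Connect-ExchangeOnline and Connect-MgGraph have already been run
# (Graph scopes User.RevokeSessions.All and UserAuthenticationMethod.Read.All).
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $RemoveRules   # off by default: review first, remove on a second pass
)

# 1. Inbox rules that hide attacker traffic. Deleting or marking messages as
#    read are the behaviours the report calls out, so flag on those actions
#    rather than on the rule name, which the attacker chooses.
$rules = Get-InboxRule -Mailbox $UserPrincipalName
$suspicious = @($rules | Where-Object { $_.DeleteMessage -or $_.MarkAsRead })

foreach ($rule in $suspicious) {
    [pscustomobject]@{
        Mailbox     = $UserPrincipalName
        RuleName    = $rule.Name
        Enabled     = $rule.Enabled
        Deletes     = $rule.DeleteMessage
        MarksRead   = $rule.MarkAsRead
        Description = $rule.Description
    } | Format-List
    if ($RemoveRules) {
        Remove-InboxRule -Identity $rule.Identity -Confirm:$false
        Write-Host "Removed rule '$($rule.Name)' from $UserPrincipalName"
    }
}
if ($suspicious.Count -eq 0) {
    Write-Host "No delete/mark-as-read rules found on $UserPrincipalName"
}

# 2. A password reset does not invalidate a stolen session cookie or refresh
#    token; revoking sign-in sessions forces every existing session to
#    re-authenticate (and re-satisfy MFA and conditional access).
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
Write-Host "Sign-in sessions revoked for $UserPrincipalName"

# 3. List registered authentication methods so any MFA device or method the
#    attacker added can be reviewed; removal is left to the analyst.
Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize
```

Run it once without -RemoveRules to review the findings, then again with the switch; for a spreading campaign, loop it over every mailbox the compromised identity sent to.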