Microsoft Warns of Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms


These articles are AI-generated summaries. Please check the original sources for full details.

Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms

Microsoft has identified a complex, multi-stage attack campaign leveraging adversary-in-the-middle (AitM) phishing and business email compromise (BEC) techniques targeting organizations within the energy sector. The campaign utilizes SharePoint for initial compromise, establishing persistence through inbox rules and stealing session cookies.

Why This Matters

Current security models often rely on perimeter defenses and single-factor authentication, which prove insufficient against sophisticated AitM attacks that exploit trusted services. The cost of a successful BEC attack can be substantial, with average losses exceeding $126,000 per incident in 2023 according to the FBI, and the energy sector is a particularly attractive target due to its critical infrastructure status.

Key Insights

  • LOTS (Living Off The Land): Attackers are increasingly exploiting legitimate services like SharePoint and OneDrive to bypass traditional security measures.
  • Session Cookie Theft: Stolen session cookies allow attackers to maintain access even after password resets, requiring revocation of active sessions.
  • Phishing-as-a-Service: Custom phishing kits are readily available, lowering the barrier to entry for attackers and enabling targeted campaigns (Okta, 2026).

Practical Applications

  • Use Case: Energy companies utilizing Microsoft 365 are vulnerable to this type of attack due to their reliance on SharePoint and email communication.
  • Pitfall: Relying solely on password resets without revoking active sessions and removing attacker-created inbox rules leaves organizations exposed to continued compromise.
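The two persistence mechanisms named above (stolen session cookies and attacker-created inbox rules) are both things a responder has to clean up explicitly; a password reset touches neither. The script below is an added example written for this summary, not code from Microsoft's report. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the operator holds the Exchange and Graph permissions the cmdlets require, and that the "suspicious rule" heuristics (external forwarding, deletion, or hiding mail in rarely-viewed folders) are a reasonable starting point rather than an exhaustive list.

```powershell
# Added example (not from the original article): triage one Microsoft 365
# mailbox after a suspected AitM/BEC compromise.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules are
# installed; the operator has rights to read/remove inbox rules, revoke
# sign-in sessions and search the unified audit log.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.RevokeSessions.All" -NoWelcome

# 1. Enumerate inbox rules. Rules created during a BEC intrusion typically
#    forward or redirect mail out of the tenant, or delete/hide replies so the
#    mailbox owner never notices the conversation the attacker is running.
$rules = Get-InboxRule -Mailbox $UserPrincipalName
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or
    ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Junk|Conversation History')
}

foreach ($rule in $suspicious) {
    Write-Host "Suspicious rule '$($rule.Name)' ($($rule.Identity))"
    # Preserve the rule definition for the incident timeline before removing it.
    $rule | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder |
        Export-Csv -Path ".\inbox-rules-$UserPrincipalName.csv" -Append -NoTypeInformation
    Remove-InboxRule -Identity $rule.Identity -Confirm:$false
}

# 2. Revoke every refresh token and sign-in session for the account. A password
#    reset on its own does not invalidate the session cookie an AitM proxy
#    already captured; this step is what actually ends the attacker's access.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# 3. Pull the audit records for rule creation/modification over the last 30
#    days to establish when persistence was set up and from which client IP.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $UserPrincipalName -Operations New-InboxRule, Set-InboxRule |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            ClientIP  = $data.ClientIP
        }
    }
```

Run it per affected mailbox after the password reset, and treat the exported CSV and the audit output as evidence rather than discarding them: the client IP on the New-InboxRule event is usually the first concrete indicator of where the AitM proxy was operating from, and the rule definition tells you which external address the attacker was routing mail to.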
