Cybercriminals Exploit SharePoint in Advanced AiTM Phishing Attacks
Microsoft Defender researchers have uncovered a sophisticated adversary-in-the-middle (AiTM) phishing campaign targeting organizations in the energy sector. The campaign abuses Microsoft SharePoint's file-sharing features to lure users to credential-harvesting pages and gain unauthorized access to sensitive information.
Initial Breach via Trusted Channels
The attack begins with phishing emails sent from the compromised email accounts of trusted vendors. The emails carry SharePoint URLs that require the recipient to authenticate, closely mimicking legitimate document-sharing requests. Because SharePoint and OneDrive are widely used in enterprise environments, the links inherit the trust placed in those services and slip past traditional email security filters that lean on sender and URL reputation.
Execution of the Attack
When victims click the malicious SharePoint links, they land on a counterfeit login page that proxies the real sign-in flow. The victim enters credentials, and typically completes MFA, against the genuine identity provider while the attacker's proxy captures the resulting session cookie; that cookie, not just the password, is what gives the attacker the user's session. To stay hidden and prolong access, the threat actors create inbox rules that automatically delete incoming emails or mark them as read, so the victim does not notice replies, bounces or security alerts generated by the attacker's activity.
Expansion of the Attack
After the initial compromise, the attackers expand the operation by launching a large follow-on phishing campaign from the compromised accounts, sending over 600 emails to contacts both inside and outside the victim organization. Recipients are harvested from recent email threads in the compromised inboxes, which broadens reach and lends the messages credibility. The attackers actively monitor the victim mailboxes, deleting undeliverable and out-of-office notifications so nothing draws attention. When a recipient questions an email's legitimacy, the attackers reply from the compromised account to vouch for it, then delete the conversation thread. These tactics maintain persistence while keeping victims unaware of the ongoing operation.
Detection and Mitigation
Microsoft Defender Experts have identified additional compromised users by correlating landing IP addresses and sign-in patterns, revealing the campaign's reach across multiple organizations in the energy sector. Microsoft stresses that a password reset alone does not remediate an AiTM compromise. Responders must revoke active sessions so that stolen session cookies and refresh tokens stop working, remove attacker-created inbox rules, and review and reset any multi-factor authentication (MFA) settings the attackers changed. Two separate persistence mechanisms make the password reset insufficient: stolen session cookies remain valid until they are explicitly revoked, and the attackers may have registered additional MFA methods, such as attacker-controlled phone numbers, that let them re-authenticate even after the password changes.
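The remediation steps above, carried out for one account as an added example. This is not code from Microsoft's report; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the operator holds the Authentication Administrator and Exchange Administrator roles. The user principal name and the "known good" phone list are placeholders supplied by the responder.

```powershell
# Added example (not Microsoft's code): contain a single AiTM-compromised account.
# Run the steps together; each one on its own leaves the attacker a way back in.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # Phone numbers the user confirms as their own; any other registered phone is removed.
    [string[]] $KnownGoodPhones = @()
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Reset the password first so the stolen password cannot be replayed, and force a
#    change at next sign-in. The random string is a placeholder generator, not policy.
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
Write-Host "[+] Password reset for $UserPrincipalName"

# 2. Revoke every refresh token and browser session. This is the step a password reset
#    does not perform, and it is what invalidates the session cookie the AiTM proxy stole.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
Write-Host "[+] Sign-in sessions revoked"

# 3. Strip MFA methods the attacker may have added. Phone methods not on the confirmed
#    list are removed; Authenticator registrations are listed so each device can be
#    confirmed with the user before it is kept.
foreach ($phone in Get-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName) {
    if ($KnownGoodPhones -notcontains $phone.PhoneNumber) {
        Write-Host "[!] Removing unrecognised $($phone.PhoneType) phone $($phone.PhoneNumber)"
        Remove-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName `
            -PhoneAuthenticationMethodId $phone.Id
    }
}
Write-Host "[i] Authenticator registrations to confirm with the user:"
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName |
    Select-Object Id, DisplayName, CreatedDateTime | Format-Table -AutoSize

# 4. Remove attacker-created inbox rules. The campaign's rules delete mail or mark it as
#    read; rules with those actions (or that shunt mail into a folder) are removed,
#    everything else is printed for manual review. -IncludeHidden catches rules created
#    through APIs that do not show in Outlook.
foreach ($rule in Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden) {
    if ($rule.DeleteMessage -or $rule.MarkAsRead -or $rule.MoveToFolder) {
        Write-Host "[!] Removing rule '$($rule.Name)' (Delete=$($rule.DeleteMessage) MarkAsRead=$($rule.MarkAsRead) MoveTo=$($rule.MoveToFolder))"
        Remove-InboxRule -Mailbox $UserPrincipalName -Identity $rule.Identity -Confirm:$false
    } else {
        Write-Host "[i] Review manually: '$($rule.Name)': $($rule.Description)"
    }
}
```

Run it once per account that Defender flagged, then confirm in the sign-in logs that no further activity arrives from the attacker's IP addresses; the rule removal is deliberately noisy so that a legitimate but unusual rule is surfaced rather than silently deleted.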
Recommendations for Organizations
To defend against such attacks, Microsoft recommends conditional access policies that evaluate each sign-in using identity signals such as IP location, device compliance state, and user group membership. Continuous access evaluation, security defaults in Azure Active Directory (now Microsoft Entra ID), and advanced anti-phishing solutions add further layers of defense. Organizations should also deploy Microsoft Defender XDR, which detects suspicious activity such as sign-in attempts against multiple accounts and the creation of malicious inbox rules.
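A conditional access policy of the kind recommended above, as an added example that is not part of Microsoft's guidance text. It creates a policy that requires a compliant or hybrid-joined device for a pilot group whenever the sign-in comes from outside the tenant's trusted named locations, and it does so in report-only mode so the effect can be checked in the sign-in logs before enforcement. The group and break-glass account IDs are placeholders; the Microsoft.Graph module is assumed.

```powershell
# Added example (not Microsoft's code): conditional access policy that denies tokens to
# sessions arriving without a compliant device. An AiTM proxy relays the victim's
# password and MFA prompt but cannot present the victim's device identity, so the
# grant control fails for the proxied session even though "MFA" was completed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$pilotGroupId      = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot group
$breakGlassUserIds = @('11111111-1111-1111-1111-111111111111') # placeholder: emergency access accounts

$policy = @{
    displayName = 'AiTM hardening: require compliant device outside trusted locations (pilot)'
    # Report-only: logged in sign-in logs under "report-only" but never enforced.
    # Change to 'enabled' only after reviewing the impact.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Never lock out the emergency access accounts.
            excludeUsers  = $breakGlassUserIds
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # named locations marked as trusted
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "[+] Created policy $($created.Id) in state $($created.State)"

# Sanity check: list every policy that is enabled or report-only and lacks a user exclusion.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -ne 'disabled' -and -not $_.Conditions.Users.ExcludeUsers } |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```

Requiring a compliant device is one of the grant controls that an AiTM session cannot satisfy; requiring phishing-resistant MFA (FIDO2 or certificate-based authentication) through an authentication strength is the other, and the two can be combined in the same policy. Leave the policy in report-only mode until the sign-in logs show that legitimate users are not being caught.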
Indicators of Compromise
Organizations should watch for the following IP addresses associated with the attacker's infrastructure:
– 178.130.46.8
– 193.36.221.10
Energy sector organizations are advised to search their authentication logs for these IP addresses immediately and investigate any associated sign-in activity, treating every account that authenticated from them as potentially compromised.
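The hunt described above, as an added example that is not part of the report: it searches Microsoft Entra ID sign-in logs and the Microsoft 365 unified audit log for the two published IP addresses, then pivots to inbox-rule changes made by any account that authenticated from them, since those rules are the campaign's persistence mechanism. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an operator with the AuditLog.Read.All scope and the Exchange "View-Only Audit Logs" role; the 30-day window is an assumption to adjust to the tenant's retention.

```powershell
# Added example (not Microsoft's code): hunt for the published IOC IPs and pivot to
# inbox-rule changes by the accounts that used them.
$iocIps = @('178.130.46.8', '193.36.221.10')   # the two IPs published in the report
$since  = (Get-Date).AddDays(-30)              # assumed window; widen as retention allows
$sinceIso = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Entra ID sign-in logs: one query per IP, successes and failures alike. A failed
#    sign-in from attacker infrastructure is still evidence that the account was targeted.
$signIns = foreach ($ip in $iocIps) {
    Get-MgAuditLogSignIn -All -Filter "ipAddress eq '$ip' and createdDateTime ge $sinceIso"
}
$signIns |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
        @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail($($_.Status.ErrorCode))" } } } |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 2. Unified audit log: UserLoggedIn events from the same IPs. Retention here is longer
#    than the Graph sign-in log, so it can reveal activity that has already aged out above.
$ual = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations UserLoggedIn -IPAddresses $iocIps -ResultSize 5000

# Every account seen from the IOC IPs in either source is a pivot candidate.
$candidates = @($signIns.UserPrincipalName) + @($ual.UserIds) |
    Where-Object { $_ } | Sort-Object -Unique
Write-Host "[i] $($candidates.Count) account(s) authenticated from IOC IPs in the window"

# 3. Pivot: inbox rules created or modified by those accounts. The campaign's rules delete
#    incoming mail or mark it as read; the rule parameters are flattened so that
#    DeleteMessage / MarkAsRead settings are visible in one line.
$ruleEvents = foreach ($upn in $candidates) {
    $events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
        -UserIds $upn -Operations New-InboxRule, Set-InboxRule -ResultSize 500
    foreach ($ev in $events) {
        $data   = $ev.AuditData | ConvertFrom-Json
        $params = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        [pscustomobject]@{
            When      = $ev.CreationDate
            User      = $upn
            Operation = $ev.Operations
            ClientIP  = $data.ClientIP
            Rule      = $params
        }
    }
}
$ruleEvents | Sort-Object When | Format-Table -Wrap
```

A rule event whose ClientIP is one of the IOC addresses, or whose parameters include DeleteMessage or MarkAsRead, should be treated as confirmation of compromise rather than a lead. No hits is not a clean bill of health: the attacker's infrastructure will rotate, so the same pivot (rule creation, new MFA registrations, replies to bounce questions from the mailbox) is worth running against any sign-in from an unfamiliar location, not only against these two addresses.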