Microsoft Flags Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms
24.01.2026

Microsoft reports a multi-stage AitM phishing and BEC campaign abusing SharePoint, inbox rules, and stolen session cookies to target energy orgs.
Microsoft just dropped a major alert: Energy sector getting hit with next-level phishing ops.
Microsoft's threat hunters have uncovered a sophisticated multi-stage attack campaign targeting energy organizations worldwide. This isn't your grandma's phishing email — we're talking Adversary-in-the-Middle (AitM) techniques combined with Business Email Compromise (BEC) tactics that are straight-up surgical.
The attack chain starts with classic social engineering but quickly escalates to SharePoint abuse, inbox rule manipulation, and session cookie theft. Once they're in, they're moving laterally like they own the place.
- AitM phishing to intercept credentials
- SharePoint document sharing for persistence
- Inbox rule creation to hide malicious activity
- Session cookie theft for authentication bypass
- BEC tactics for financial fraud
What makes this campaign particularly nasty is how it abuses legitimate Microsoft services. Attackers are using SharePoint to host malicious documents and create backdoors, then setting up inbox rules to automatically delete or redirect security alerts. It's like they're using your own tools against you.
This campaign demonstrates how attackers are evolving beyond simple credential theft to establish persistent access and conduct financial fraud through BEC schemes.
The energy sector focus is strategic — these orgs often have complex supply chains and high-value transactions, making them prime targets for financial fraud. Microsoft's tracking multiple threat actors behind this, with some connections to known BEC groups that have been active for years.

Key takeaways for security teams: 1) Monitor SharePoint activity like a hawk, 2) Review inbox rules regularly (especially new ones), 3) Implement session management controls, and 4) Assume breach — these attackers are patient and persistent.
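For takeaway 2, here is one way to triage inbox-rule changes for the delete-or-redirect behavior described above. This is an added example, not code from Microsoft or from the original article. The record layout, the `make_record` helper, the keyword list and the `example.com` tenant domain are assumptions, and the sample records are constructed.

```python
# Constructed sample data. The record layout (Operation, UserId, Parameters as
# Name/Value pairs) is an assumed shape for an exported mailbox audit log.
def make_record(user, op, **params):
    return {"UserId": user, "Operation": op,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE_RECORDS = [
    make_record("a.lee@example.com", "New-InboxRule", Name=".", DeleteMessage="True",
                SubjectOrBodyContainsWords="phishing;security alert"),
    make_record("b.cho@example.com", "Set-InboxRule", Name="invoices",
                RedirectTo="billing@example.net"),
    make_record("c.diaz@example.com", "New-InboxRule", Name="News", MoveToFolder="News"),
    make_record("a.lee@example.com", "MailItemsAccessed"),
]
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
ALERT_WORDS = ("phish", "security", "alert", "suspicious")  # assumed keyword list

def rule_findings(record, internal_domains):
    """Return the reasons a rule-change record deserves review, if any."""
    if record.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    for key in FORWARD_PARAMS:
        targets = [t.strip() for t in params.get(key, "").split(";") if t.strip()]
        if any(t.rsplit("@", 1)[-1].lower() not in internal_domains for t in targets):
            reasons.append(f"{key} sends mail outside the tenant")
    words = " ".join(params.get(k, "") for k in KEYWORD_PARAMS).lower()
    if any(w in words for w in ALERT_WORDS):
        reasons.append("matches security-alert keywords")
    return reasons

def review(records, internal_domains=frozenset({"example.com"})):
    """Map each flagged mailbox to the reasons collected across its records."""
    flagged = {}
    for record in records:
        reasons = rule_findings(record, internal_domains)
        if reasons:
            flagged.setdefault(record["UserId"], []).extend(reasons)
    return flagged

if __name__ == "__main__":
    for user, reasons in review(SAMPLE_RECORDS).items():
        print(user, "->", "; ".join(reasons))
```

A rule that both deletes mail and matches alert keywords is the strongest signal here; forwarding on its own needs an allow-list of legitimate external recipients to keep noise down.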
Microsoft's sharing IOCs and detection rules through their security portals. If you're in energy or critical infrastructure, this is your wake-up call to check your defenses. These aren't script kiddies — they're pros with a playbook, and they're coming for your crown jewels.

