What happened
Threat actors leveraged SharePoint services in a sophisticated AiTM phishing campaign targeting energy sector organizations, according to Microsoft Defender researchers. The reported attack began with phishing emails sent from a compromised trusted vendor's email address, containing Microsoft SharePoint URLs that required authentication and mimicked legitimate document-sharing workflows. Victims who clicked the SharePoint link were directed to fake login pages, enabling adversary-in-the-middle (AiTM) credential capture and session takeover. After initial access, the attackers created inbox rules to delete incoming emails and mark messages as read, reducing the account owner's visibility while the attackers monitored the compromised accounts. The campaign was described as evolving into broader business email compromise (BEC), including sending more than 600 phishing emails to contacts inside and outside victim organizations. The report also listed attacker infrastructure indicators, including IP addresses 178.130.46.8 and 193.36.221.10.
Who is affected
Energy sector organizations are directly affected in the reported targeting, particularly where Microsoft SharePoint and OneDrive workflows are trusted and heavily used. Indirect exposure extends to partners and suppliers when compromised vendor accounts are used to distribute authenticated-looking links into other organizations.
Why CISOs should care
AiTM campaigns can survive password changes by stealing session tokens, and can rapidly pivot into BEC by manipulating mailbox rules and trusted communication chains. Abuse of legitimate SharePoint/OneDrive URLs can reduce the efficacy of traditional email security controls and increase cross-tenant supply-chain risk.
3 practical actions
- Hunt for inbox-rule tampering: Detect and investigate the creation of delete/mark-as-read rules and unusual mailbox-setting changes in Microsoft 365.
- Tighten controls on SharePoint link usage: Restrict anonymous sharing, review external sharing policies, and monitor authentication prompts originating from shared-file workflows.
- Block known attacker infrastructure: Search authentication and proxy logs for 178.130.46.8 and 193.36.221.10 and investigate associated sign-in activity.
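The first and third actions above can be combined into one hunt over exported Microsoft 365 unified audit log records. The following is an added example, not code from the Microsoft Defender report: it assumes the Exchange admin audit entries have already been pulled (for instance with Search-UnifiedAuditLog) and their AuditData JSON loaded into dictionaries with the Operation, UserId, ClientIP and Parameters fields; the sample records are constructed, and only the two IP addresses come from the report.

```python
import json

# Attacker IP addresses named in the report summarised above.
REPORTED_IPS = {"178.130.46.8", "193.36.221.10"}

# Inbox-rule actions the campaign used to hide mail from the account owner.
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def _host(client_ip):
    # Audit records may append a port ("1.2.3.4:443"); strip it for IPv4 only.
    return client_ip.rsplit(":", 1)[0] if client_ip.count(":") == 1 else client_ip


def find_suspicious_rules(records):
    """Return one finding per inbox-rule operation that deletes or marks mail
    as read, or that was issued from a reported attacker IP (assumed record
    layout: Operation, UserId, ClientIP, Parameters as Name/Value pairs)."""
    findings = []
    for data in records:
        if data.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p.get("Value", "")) for p in data.get("Parameters", [])}
        actions = [a for a in HIDING_ACTIONS if params.get(a, "").lower() == "true"]
        from_reported_ip = _host(data.get("ClientIP", "")) in REPORTED_IPS
        if actions or from_reported_ip:
            findings.append({
                "user": data.get("UserId"),
                "rule": params.get("Name") or params.get("Identity"),
                "actions": actions,
                "client_ip": data.get("ClientIP"),
                "reported_ip": from_reported_ip,
            })
    return findings


# Constructed sample records (not from the report): a benign rule, a
# delete/mark-as-read rule from a reported IP, and a rule edit from a reported IP.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "178.130.46.8:443",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "193.36.221.10",
     "Parameters": [{"Name": "Identity", "Value": "Vendor mail"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
]

if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Each finding carries the acting user, rule name, hiding actions and client IP, which is what the follow-up sign-in investigation in the third action needs.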
