Image: Microsoft
A sophisticated cyber campaign is rippling through the energy sector, blending high-tech interception techniques with classic deception to compromise organizations from the inside out. Microsoft Defender researchers have uncovered a multi-stage operation that combines Adversary-in-the-Middle (AiTM) phishing with Business Email Compromise (BEC), turning trusted internal accounts into launchpads for further attacks.
The campaign is notable for its aggressive use of legitimate infrastructure to bypass defenses. The attackers didn’t just steal credentials; they “abused SharePoint file-sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness”.
The attack begins with an AiTM phishing site, a reverse proxy that sits between the user and the legitimate login portal and relays every request and response in both directions. Because the victim completes the real sign-in flow, including any MFA prompt, through the proxy, the attacker captures not just the password but the session cookie the identity provider issues afterwards. Replaying that cookie logs the attacker in as the user without a password or a second factor being asked for again.
Once inside, the intruders move quickly to hide their tracks. According to the report, the attacker “created an Inbox rule with parameters to delete all incoming emails on the user’s mailbox and marked all the emails as read”. This digital silence allows them to operate without the victim noticing a flood of suspicious activity or warning notifications.
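The rule the report describes (delete all incoming mail, mark it read, no filtering condition) is visible in the Microsoft 365 Unified Audit Log as a New-InboxRule or Set-InboxRule operation whose parameters are logged as Name/Value pairs. The following hunt is an added example, not code from the Microsoft report; it assumes the ExchangeOnlineManagement module for the live query, and the two audit records in it are constructed to match that parameter shape (one rule of the kind the report describes, one benign newsletter rule):

```powershell
# Hunt for attacker-created inbox rules in the Microsoft 365 Unified Audit Log.
# Added example, not code from the Microsoft report. Assumes the
# ExchangeOnlineManagement module for the live query; the sample records below
# are constructed to match the AuditData shape of New-InboxRule events.

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)][string]$AuditDataJson)

    $data = $AuditDataJson | ConvertFrom-Json

    # Exchange admin-audit records list the cmdlet's parameters as Name/Value pairs.
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    # Actions that make mail disappear from the user's view.
    $reasons = @()
    if ($params['DeleteMessage'] -eq 'True') { $reasons += 'deletes incoming mail' }
    if ($params['MarkAsRead']    -eq 'True') { $reasons += 'marks mail as read' }
    if ($params['MoveToFolder']  -match '^(RSS|Archive|Conversation History|Junk)') {
        $reasons += "moves mail to '$($params['MoveToFolder'])'"
    }
    if ($reasons.Count -eq 0) { return }

    # A hiding action with no filtering condition applies to every message,
    # which is the pattern in the campaign (delete all + mark all read).
    $conditions = 'From', 'FromAddressContainsWords', 'SentTo', 'SubjectContainsWords',
                  'BodyContainsWords', 'SubjectOrBodyContainsWords', 'HasAttachment'
    $hasCondition = $conditions | Where-Object { $params.ContainsKey($_) }
    if (-not $hasCondition) { $reasons += 'no condition: matches all mail' }

    [pscustomobject]@{
        Time     = $data.CreationTime
        Actor    = $data.UserId
        Mailbox  = if ($params['Mailbox']) { $params['Mailbox'] } else { $data.UserId }
        ClientIP = $data.ClientIP
        Rule     = $params['Name']
        Reasons  = $reasons -join '; '
    }
}

# Constructed sample records: one silent "delete everything" rule of the kind
# described in the report, and one benign newsletter rule that is not flagged.
$samples = @(
    '{"CreationTime":"2025-01-15T08:02:11","Operation":"New-InboxRule","UserId":"j.doe@contoso.example","ClientIP":"203.0.113.25","Parameters":[{"Name":"Name","Value":"."},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"},{"Name":"StopProcessingRules","Value":"True"}]}',
    '{"CreationTime":"2025-01-15T09:15:40","Operation":"New-InboxRule","UserId":"a.smith@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}'
)
$samples | ForEach-Object { Test-SuspiciousInboxRule -AuditDataJson $_ } | Format-Table -AutoSize

# Live hunt over the last 7 days (run after Connect-ExchangeOnline):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations New-InboxRule,Set-InboxRule -ResultSize 5000 |
#     ForEach-Object { Test-SuspiciousInboxRule -AuditDataJson $_.AuditData }
```

Two details matter in practice: the ClientIP on the rule-creation event is the attacker's, not the user's usual address, so correlate it with the sign-in logs for the same account; and rules named with a single character or a blank-looking name (the sample uses ".") are a common tell, since the attacker wants the rule to be invisible in the Outlook rules list.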
With the account secured and the owner effectively blinded, the attackers weaponize the compromised identity. Microsoft researchers observed a “large-scale phishing campaign involving more than 600 emails” sent from a single compromised account.
These weren’t random blasts; they were targeted strikes against the user’s own network. “The emails were sent to the compromised user’s contacts, both within and outside of the organization, as well as distribution lists”. By replying into recent email threads, the attackers leveraged established trust to trick colleagues into clicking malicious links.
Perhaps the most devious aspect of this campaign is the hands-on management of the fallout. The attackers didn’t just send emails; they managed the replies.
The report details how the attackers monitored the mailbox for confused colleagues questioning the phishing links. “The attacker read the emails from the recipients who raised questions regarding the authenticity of the phishing email and responded, possibly to falsely confirm that the email is legitimate”.
After soothing the suspicions of their victims, the attackers deleted both the inquiries and their own responses to scrub the evidence.
This campaign highlights a critical gap in standard incident response playbooks. Because the attackers hold a stolen session cookie, and with it the refresh token behind the session, simply changing a password does not lock them out: the replayed session remains valid until it is explicitly revoked or expires on its own.
To truly evict these intruders, security teams in the energy sector must go further. Organizations are urged to “revoke active session cookies and remove attacker-created inbox rules used to evade detection” to ensure the adversary is truly gone.
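The eviction sequence the report recommends, as an added example rather than code from the Microsoft report. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, a session with Exchange and User Administrator rights, and a hypothetical victim account j.doe@contoso.example; run it with -WhatIf first to review what it would change:

```powershell
# Evict an AiTM/BEC intruder from a Microsoft 365 mailbox. Added example, not
# code from the Microsoft report. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules, an administrator session, and a hypothetical victim
# account j.doe@contoso.example.
param(
    [string]$User = 'j.doe@contoso.example',
    [switch]$WhatIf    # pass -WhatIf to review the plan before any change is made
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

# 1. Kill the stolen session first. Revoking sign-in sessions invalidates the
#    refresh tokens behind the replayed cookie; access tokens already issued
#    stay valid until they expire (up to about an hour), so keep watching the
#    mailbox during that window.
if (-not $WhatIf) { Revoke-MgUserSignInSession -UserId $User | Out-Null }
Write-Host "[1] Sign-in sessions revoked for $User"

# 2. Rotate the phished password to a random value and force a change at next
#    sign-in. Re-verify the registered MFA methods out of band as well: the AiTM
#    proxy captured a completed MFA session, and attackers often add their own
#    authenticator to keep access.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
if (-not $WhatIf) {
    Update-MgUser -UserId $User -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }
}
Write-Host "[2] Password rotated (deliver the temporary value to the user out of band)"

# 3. Remove inbox rules that hide mail. -IncludeHidden also returns rules
#    created through clients other than Outlook, which the rules UI omits.
$rules = Get-InboxRule -Mailbox $User -IncludeHidden
foreach ($rule in $rules) {
    $hides = ($rule.DeleteMessage -or $rule.MarkAsRead -or
              ($rule.MoveToFolder -and -not $rule.From -and -not $rule.SubjectContainsWords))
    if ($hides) {
        Write-Host "[3] Removing rule '$($rule.Name)': $($rule.Description)"
        Remove-InboxRule -Mailbox $User -Identity $rule.Identity -Confirm:$false -WhatIf:$WhatIf
    }
}

# 4. Clear mailbox-level forwarding, a second persistence channel that does not
#    show up as an inbox rule.
$mbx = Get-Mailbox -Identity $User
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "[4] Clearing forwarding: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false -WhatIf:$WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

The order is deliberate: session revocation comes before the password reset because the attacker does not need the password while the replayed session is alive, and the rule cleanup comes after both so that a still-connected attacker cannot simply recreate the rule. The script is an example of the steps, not a substitute for the rest of the playbook: after it runs, review the sent-items and deleted-items folders to identify which contacts received the 600-plus phishing emails, and check for OAuth application consents granted by the account during the intrusion.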