Executive Summary
In January 2026, a sophisticated adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) campaign targeted multiple organizations within the energy sector. Attackers exploited SharePoint's file-sharing services to distribute phishing payloads, leading to the compromise of numerous user accounts. The campaign involved creating malicious inbox rules to maintain persistence and evade detection, subsequently launching large-scale phishing attacks both internally and externally. This operation underscores the evolving complexity of AiTM campaigns and highlights the necessity for organizations to implement comprehensive remediation strategies beyond standard identity compromise responses. The incident serves as a critical reminder of the importance of robust security measures, including the revocation of active session cookies and the removal of unauthorized inbox rules, to effectively mitigate such threats.
Why This Matters Now
The resurgence of AiTM phishing and BEC campaigns, particularly targeting critical infrastructure sectors like energy, underscores the urgent need for organizations to enhance their cybersecurity defenses. The sophisticated tactics employed in this incident highlight the evolving nature of cyber threats and the importance of implementing comprehensive security measures to protect against such attacks.
Attack Path Analysis
The attack began with a phishing email sent from a compromised trusted vendor, leading recipients to a SharePoint URL that required authentication. Upon clicking the malicious link, users were redirected to an adversary-in-the-middle (AiTM) phishing site that intercepted credentials and session cookies, effectively bypassing multifactor authentication (MFA). The attackers then created inbox rules to delete incoming emails and mark them as read, maintaining persistence and evading detection. Using the compromised accounts, they launched a large-scale phishing campaign targeting the victims' contacts and distribution lists. The attackers monitored the victims' mailboxes, deleting undelivered and out-of-office emails, and responded to inquiries to falsely confirm the legitimacy of the phishing emails. This led to further account compromises as recipients clicked on malicious links, perpetuating the attack cycle.
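The inbox-rule persistence described above (delete incoming mail, mark it read, swallow bounce and out-of-office replies) is also the most reliable artifact a defender can hunt for after the fact. The following Python triage is an added illustration, not part of the original report or Microsoft's published guidance: it scores constructed records shaped like Microsoft 365 unified audit log inbox-rule events (an `Operation` plus a list of `Name`/`Value` parameters). The sample users, IPs, keyword list and scoring are assumptions made for the example.

```python
import json
# Constructed sample records (not real data) shaped like Microsoft 365 unified
# audit log inbox-rule events: an Operation plus a list of {Name, Value} parameters.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.test",
                "ClientIP": "203.0.113.10", "Parameters": [
                    {"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "undeliverable;out of office"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.test",
                "ClientIP": "198.51.100.7", "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "carol@example.test",
                "ClientIP": "203.0.113.10", "Parameters": [
                    {"Name": "Identity", "Value": "rule1"}, {"Name": "ForwardTo", "Value": "someone@external.test"}]}),
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
HIDING = {"DeleteMessage", "MarkAsRead"}            # hide mail from the mailbox owner
FORWARDING = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Subject keywords (assumed) an attacker uses to swallow bounces, OOF replies and warnings
SUSPICIOUS_WORDS = ("undeliver", "out of office", "phish", "suspicious")

def params_of(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def score_rule(record):
    """Return (score, reasons) for one record; score 0 means nothing notable."""
    if record.get("Operation") not in RULE_OPS:
        return 0, []
    p, keys, reasons = params_of(record), set(params_of(record)), []
    if HIDING <= keys:
        reasons.append("deletes and marks read")   # the persistence pattern in this campaign
    if FORWARDING & keys:
        reasons.append("forwards or redirects mail")
    name = p.get("Name")
    if name is not None and not name.strip(". "):
        reasons.append("empty or dots-only rule name")
    if any(w in p.get("SubjectContainsWords", "").lower() for w in SUSPICIOUS_WORDS):
        reasons.append("targets bounce/OOF/phishing replies")
    return len(reasons), reasons

def triage(lines):
    """Parse JSON audit lines; return flagged (user, client_ip, reasons), worst first."""
    scored = [(score_rule(r), r) for r in map(json.loads, lines)]
    hits = sorted((s for s in scored if s[0][0]), key=lambda s: s[0][0], reverse=True)
    return [(r["UserId"], r.get("ClientIP"), reasons) for (_, reasons), r in hits]
```

Flagged users sharing a client IP, as alice and carol do in the sample, are a hint that one AiTM session is being used against several mailboxes; each hit is a candidate for session revocation and rule removal rather than a verdict.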
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails from a compromised trusted vendor, leading recipients to a SharePoint URL requiring authentication.
MITRE ATT&CK® Techniques
Spearphishing Link
Web Session Cookie
Email Forwarding Rule
Web Protocols
Hidden Files and Directories
Local Accounts
Cloud Accounts
Domain Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for security systems are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Primary target of multi-stage AiTM phishing campaign abusing SharePoint, requiring enhanced egress security and zero trust segmentation for energy infrastructure protection.
Financial Services
High BEC vulnerability through SharePoint exploitation and session cookie theft, demanding stricter east-west traffic security and multicloud visibility for financial communications.
Government Administration
Critical exposure to adversary-in-the-middle attacks via trusted vendor compromise, necessitating encrypted traffic controls and threat detection for sensitive government operations.
Health Care / Life Sciences
Significant risk from inbox rule manipulation and credential harvesting, requiring HIPAA-compliant zero trust segmentation and enhanced anomaly detection capabilities.
Sources
- Resurgence of a multi-stage AiTM phishing and BEC campaign abusing SharePoint: https://www.microsoft.com/en-us/security/blog/2026/01/21/multistage-aitm-phishing-bec-campaign-abusing-sharepoint/
- Fraud Alert Issued on Business Email Compromise Scam: https://www.cisa.gov/news-events/alerts/2015/06/24/fraud-alert-issued-business-email-compromise-scam
- IC3 Warns of Increase in BEC/EAC Schemes: https://www.cisa.gov/news-events/alerts/2017/05/04/ic3-warns-increase-beceac-schemes
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit compromised credentials may be constrained by enforcing identity-aware access controls and segmenting access to critical resources.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be limited by enforcing strict segmentation policies that restrict access to sensitive systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may be constrained by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain command and control may be reduced by providing comprehensive visibility and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may be limited by enforcing strict egress policies and monitoring outbound traffic.
The overall impact of the attack may be reduced by limiting the scope of compromised accounts and preventing further unauthorized access.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- Internal Collaboration
Estimated downtime: 3 days
Estimated loss: $67,000
Potential exposure of sensitive corporate communications and documents due to compromised email accounts and SharePoint access.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement by enforcing least privilege access controls.
- Enhance Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- Deploy Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
- Utilize Threat Detection & Anomaly Response capabilities to identify and mitigate suspicious behaviors in real time.
- Regularly review and update security policies to address evolving threats and ensure compliance with industry standards.