Executive Summary
In January 2026, Microsoft identified a sophisticated multi-stage business email compromise (BEC) attack targeting several prominent energy sector organizations. The attackers leveraged adversary-in-the-middle (AitM) phishing tactics, abusing SharePoint file-sharing services to distribute malicious payloads and gaining user trust with legitimate-looking links. Once initial access was achieved, the threat actors established persistent access by creating malicious inbox rules, allowing them to hijack email conversations, evade user detection, and execute fraudulent transactions. The campaign underscores the evolving nature of BEC schemes and their business impact, with potential exposure of sensitive data and financial losses.
This incident exemplifies a significant escalation in the complexity and persistence of phishing-driven BEC campaigns affecting critical infrastructure. As regulatory scrutiny increases and attackers continually evolve tactics, this case highlights the urgent need for modern defenses against advanced social engineering and privileged access abuse.
Why This Matters Now
Energy companies are increasingly targeted for their operational importance, and the combination of AitM phishing with BEC amplifies risks to business continuity and reputation. With attackers leveraging trusted cloud services and automated persistence methods, traditional defenses are being outpaced, making immediate action and advanced controls essential for sector resilience.
Attack Path Analysis
The attack began with adversary-in-the-middle (AitM) phishing campaigns that used malicious SharePoint file-sharing links to capture user credentials. After compromise, the attackers created inbox rules to maintain persistence and extend their control of the compromised accounts. They then explored the victims' internal cloud environments, pivoting toward sensitive resources using the stolen permissions or internal connectivity. Command and control was maintained through continuous, possibly automated, access to the compromised accounts, supporting further operations. Data exfiltration likely followed, for example via outbound email forwarding or document exfiltration to external destinations. The final impact was tangible business compromise of the kind typical in BEC scenarios, such as fraudulent fund transfers or disruption of business processes.
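The inbox-rule persistence described above (the Account Manipulation: Email Forwarding Rule technique in the MITRE section) leaves a trace in mailbox audit logs as New-InboxRule and Set-InboxRule operations. The following Python is an added example, not part of the original brief and not Microsoft tooling: it scans constructed audit records shaped like Exchange Online audit entries (an Operation field plus a Parameters name/value list) and flags rules that forward or redirect to external domains, hide or delete mail, filter on payment keywords, or carry an empty or punctuation-only name. The tenant domain contoso-energy.example, the sample records, the folder and keyword lists, and the scoring thresholds are all assumptions.

```python
"""Detect BEC-style inbox-rule persistence in mailbox audit records.

Added example with constructed data: the records below imitate the
shape of Exchange Online audit entries (Operation + Parameters list of
Name/Value pairs) but are not real logs, and ORG_DOMAINS is a
placeholder tenant.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Assumed tenant domains; any other recipient domain is treated as external.
ORG_DOMAINS = {"contoso-energy.example"}
# Folders commonly used to park hijacked threads where the mailbox owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Condition keywords that point at payment-themed conversation hijacking.
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "bank"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records, one JSON object per line.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@contoso-energy.example",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@contoso-energy.example",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire transfer"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "carol@contoso-energy.example",
                "Parameters": [{"Name": "Name", "Value": "Backup"},
                               {"Name": "ForwardTo", "Value": "\"Backup\" [SMTP:backup-mbx@mail-relay.example]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "dave@contoso-energy.example",
                "Parameters": [{"Name": "Name", "Value": "Delegate"},
                               {"Name": "RedirectTo", "Value": "assistant@contoso-energy.example"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "bob@contoso-energy.example",
                "Parameters": []}),
]


@dataclass
class Finding:
    user: str
    operation: str
    rule_name: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def is_true(value: str) -> bool:
    return str(value).strip().lower() in {"true", "$true", "1"}


def external_addresses(value: str) -> list[str]:
    """Return every address in a recipient string whose domain is not an org domain."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS]


def analyze_record(line: str) -> Finding | None:
    rec = json.loads(line)
    if rec.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
    reasons, score = [], 0

    # 1. Forwarding or redirecting outside the tenant is the classic exfiltration rule.
    for name in FORWARD_PARAMS.intersection(params):
        ext = external_addresses(params[name])
        if ext:
            reasons.append(f"{name} sends mail to external recipient(s): {', '.join(ext)}")
            score += 3

    # 2. Hiding or deleting matching mail keeps the victim from noticing the hijacked thread.
    hides = params.get("MoveToFolder", "").strip('"').lower() in HIDING_FOLDERS
    deletes = is_true(params.get("DeleteMessage", "False"))
    if hides or deletes:
        reasons.append("rule hides or deletes matching mail "
                       f"(MoveToFolder={params.get('MoveToFolder')!r}, DeleteMessage={deletes})")
        score += 2

    # 3. Hidden mail filtered on payment words is the BEC conversation-hijack pattern.
    conditions = " ".join(params.get(k, "") for k in
                          ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                           "BodyContainsWords")).lower()
    hits = sorted(w for w in FINANCE_WORDS if w in conditions)
    if hits and (hides or deletes):
        reasons.append(f"hidden mail filtered on payment keywords: {hits}")
        score += 2

    # 4. Rules named "." or "..." are a weak but cheap indicator worth surfacing.
    rule_name = params.get("Name", "")
    if not rule_name.strip(" .,-_"):
        reasons.append(f"rule name {rule_name!r} is empty or punctuation only")
        score += 1

    if not reasons:
        return None
    severity = "high" if score >= 3 else "medium"
    return Finding(rec["UserId"], rec["Operation"], rule_name, severity, reasons)


def analyze_log(lines) -> list[Finding]:
    return [f for f in (analyze_record(line) for line in lines) if f]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_RECORDS):
        print(f"[{f.severity.upper()}] {f.user} {f.operation} rule={f.rule_name!r}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed records the benign newsletter rule and the internal delegate redirect produce no finding, while the hidden payment-keyword rule and the external forward-and-delete rule are both reported as high severity. Scoring keeps the weak name heuristic from alerting on its own; it only raises the priority of a rule that already hides, deletes or forwards mail.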
Kill Chain Progression
Initial Compromise
Description
Attackers delivered SharePoint-based phishing payloads in a multi-stage AitM campaign to steal cloud user credentials.
Related CVEs
CVE-2025-53770
CVSS 9.8. A critical remote code execution vulnerability in Microsoft SharePoint Server allows unauthenticated attackers to execute arbitrary code via crafted HTTP POST requests.
Affected Products:
Microsoft SharePoint Server Subscription Edition – < 16.0.18526.20508
Microsoft SharePoint Server 2019 – < 16.0.10417.20037
Microsoft SharePoint Server 2016 – All versions
Exploit Status:
exploited in the wild
CVE-2025-53771
CVSS 7.1. An improper authentication vulnerability in Microsoft SharePoint allows unauthorized attackers to perform spoofing over a network.
Affected Products:
Microsoft SharePoint Server Subscription Edition – < 16.0.18526.20508
Microsoft SharePoint Server 2019 – < 16.0.10417.20037
Microsoft SharePoint Server 2016 – All versions
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
The techniques listed below support filtering and enrichment for energy-sector BEC and AitM phishing attacks; further techniques may be added as the investigation deepens.
Spearphishing via Service
Adversary-in-the-Middle
Valid Accounts: Cloud Accounts
Email Collection
Remote Services: SMB/Windows Admin Shares
Account Manipulation: Email Forwarding Rule
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for User Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9(2)
CISA ZTMM 2.0 (Zero Trust Maturity Model) – Enforce Strong Identity Controls and Continuous Monitoring
Control ID: Identity Pillar: Identities, Authentication, and Access Control
NIS2 Directive – Technical and Organizational Measures for Security of Networks and Information Systems
Control ID: Art. 21(2)(a)-(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Primary target of multi-stage AitM phishing campaign exploiting SharePoint services, requiring enhanced egress security and encrypted traffic protection against persistent BEC attacks.
Utilities
Critical infrastructure operators exposed to the same sophisticated phishing campaigns targeting the energy sector, necessitating zero trust segmentation and anomaly detection for east-west traffic protection.
Financial Services
High-value BEC target requiring multicloud visibility and egress policy enforcement to prevent data exfiltration through compromised SharePoint and email inbox rule manipulation.
Government Administration
Strategic target for nation-state actors using AitM techniques, demanding cloud firewall protection and threat detection capabilities to secure hybrid connectivity infrastructure.
Sources
- Microsoft Flags Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms: https://thehackernews.com/2026/01/microsoft-flags-multi-stage-aitm.html
- Customer guidance for SharePoint vulnerability CVE-2025-53770: https://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770
- CVE-2025-53770 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
- Microsoft SharePoint zero-day exploited in RCE attacks, no patch available: https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic security, and egress policy enforcement would have sharply limited attacker persistence, lateral traversal, and data exfiltration in this campaign. Capabilities such as microsegmentation, outbound traffic inspection, and encrypted data-in-transit controls directly address the kill chain stages exploited by BEC actors.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline policy enforcement could have reduced phishing exposure vectors.
Control: Zero Trust Segmentation
Mitigation: Identity-based policies could have limited account permissions and segmented mailbox access.
Control: East-West Traffic Security
Mitigation: Lateral movement would be detected or blocked between segmented workloads and regions.
Control: Multicloud Visibility & Control
Mitigation: Unusual session patterns and anomalous command traffic would trigger alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound exfiltration attempts would be blocked or alerted based on policy.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous transaction activity or abuse would be rapidly detected for containment.
Impact at a Glance
Affected Business Functions
- Document Management
- Collaboration Platforms
- Internal Communications
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive internal documents and communications due to unauthorized access to SharePoint servers.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege and constrain account or workload access within the cloud.
- Deploy Egress Security & Policy Enforcement to block unauthorized outbound data flows and enforce DLP controls at the network edge.
- Increase East-West Traffic Security for robust detection and blocking of lateral movement attempts between cloud or hybrid resources.
- Leverage Multicloud Visibility & Control to promptly flag anomalous mailbox activity, persistent rules, or suspicious automation indicative of BEC tactics.
- Enable continuous Threat Detection & Anomaly Response across all cloud identity and network layers to accelerate detection, response, and containment.