Threat Actors Leverage SharePoint Services in Sophisticated AiTM Phishing Campaign

Sarah simpson
January 24, 2026

Researchers at Microsoft have exposed a sophisticated adversary-in-the-middle (AiTM) phishing campaign targeting energy sector organizations through the abuse of SharePoint file-sharing services.

The multi-stage attack compromised multiple user accounts and evolved into widespread business email compromise (BEC) operations across several organizations.

Initial Compromise Through Trusted Vendor

The attack began with phishing emails sent from a compromised trusted vendor’s email address. Threat actors leveraged SharePoint URLs requiring authentication, mimicking legitimate document-sharing workflows to evade suspicion.

Attackers exploited the widespread trust in Microsoft SharePoint and OneDrive services: links to these services are ubiquitous in enterprise environments and frequently pass through traditional email security filters unchallenged.

AiTM phishing attack (source: Microsoft)

After victims clicked malicious SharePoint links and entered credentials on fake login pages, attackers gained access to user sessions.

The threat actors immediately created inbox rules to delete incoming emails and mark messages as read, maintaining stealth while monitoring compromised accounts. This tactic prevented victims from discovering suspicious activity or receiving security alerts.

Following initial compromise, attackers launched a massive phishing campaign exceeding 600 emails to contacts within and outside the victim organization.

The campaign targeted recipients identified from recent email threads in compromised inboxes, significantly expanding the attack surface.

Attackers actively monitored victim mailboxes, deleting undelivered and out-of-office notifications to avoid detection.

When recipients questioned suspicious emails, threat actors responded from compromised accounts to falsely confirm legitimacy before deleting the conversation threads.

These techniques helped maintain persistence while keeping victims unaware of ongoing operations.

Microsoft Defender Experts identified additional compromised users based on landing IP and sign-in patterns, revealing the campaign’s extensive reach across multiple organizations in the energy sector.

Microsoft emphasizes that password resets alone are insufficient for AiTM attack remediation. Organizations must revoke active session cookies, remove attacker-created inbox rules, and reset any MFA settings modified by threat actors.

AiTM attack (source: Microsoft)

Attackers can maintain access through stolen session cookies even after a password change, and they may also register alternative MFA methods using attacker-controlled phone numbers to retain a foothold.

Microsoft recommends implementing conditional access policies that evaluate sign-in requests using identity signals like IP location, device status, and user group membership.

Continuous access evaluation, security defaults in Azure Active Directory, and advanced anti-phishing solutions provide additional layers of defense.

Organizations should deploy Microsoft Defender XDR, which detects suspicious activities including multiple account sign-in attempts and malicious inbox rule creation.

Indicators of Compromise:

  • 178.130.46.8 (Attacker infrastructure)
  • 193.36.221.10 (Attacker infrastructure)

Energy sector organizations should immediately hunt for these IP addresses in authentication logs and investigate any associated sign-in activity.
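Detection logic for the two patterns the article describes (sign-ins from the listed attacker IPs, and newly created inbox rules that delete or mark-as-read incoming mail such as bounces and out-of-office replies), run over constructed sample audit records. This is an added example, not code from the article or from Microsoft; the JSON Lines field layout, the user names and the non-IoC IP addresses are assumptions.

```python
import json

# Attacker infrastructure IPs quoted in the article.
IOC_IPS = {"178.130.46.8", "193.36.221.10"}
# Inbox-rule actions the article reports attackers using to hide mail from victims.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead"}

# Constructed sample audit export (JSON Lines). Field layout is an assumption,
# not Microsoft's schema; adapt parse_events() to your real export.
SAMPLE_LOG = """\
{"Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"178.130.46.8","CreationTime":"2026-01-20T08:12:44Z"}
{"Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"203.0.113.25","CreationTime":"2026-01-20T08:15:10Z"}
{"Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"178.130.46.8","CreationTime":"2026-01-20T08:13:02Z","Parameters":{"Name":".","DeleteMessage":"True","MarkAsRead":"True","SubjectContainsWords":"undeliverable;out of office"}}
{"Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"203.0.113.25","CreationTime":"2026-01-20T09:00:00Z","Parameters":{"Name":"Newsletters","MarkAsRead":"True","SubjectContainsWords":"digest"}}
{"Operation":"UserLoggedIn","UserId":"carol@example.com","ClientIP":"193.36.221.10","CreationTime":"2026-01-21T03:40:19Z"}
"""

def parse_events(text):
    """Parse a JSON Lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def ioc_sign_ins(events):
    """Return (user, ip, time) for every sign-in from a listed attacker IP."""
    return [(e["UserId"], e["ClientIP"], e["CreationTime"]) for e in events
            if e["Operation"] == "UserLoggedIn" and e["ClientIP"] in IOC_IPS]

def suspicious_inbox_rules(events):
    """Return rule creations that delete or mark-as-read incoming mail.

    bounce_filter is True when the rule targets bounce/out-of-office subjects,
    the pattern the article reports attackers using to hide their outbound spam.
    """
    findings = []
    for e in events:
        if e["Operation"] != "New-InboxRule":
            continue
        params = e.get("Parameters", {})
        actions = sorted(a for a in HIDING_ACTIONS if a in params)
        if not actions:
            continue
        subject = params.get("SubjectContainsWords", "").lower()
        findings.append({"user": e["UserId"], "rule": params.get("Name"), "actions": actions,
                         "bounce_filter": any(w in subject for w in ("undeliver", "out of office"))})
    return findings

def correlate(events):
    """Users with both an IoC sign-in and a hiding rule: top of the triage queue."""
    ioc_users = {u for u, _, _ in ioc_sign_ins(events)}
    return sorted({f["user"] for f in suspicious_inbox_rules(events) if f["user"] in ioc_users})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("IoC sign-ins:", ioc_sign_ins(evs))
    print("Hiding rules:", suspicious_inbox_rules(evs))
    print("Correlated users:", correlate(evs))
```

The bounce-filter flag separates a rule like Alice's (deletes undeliverable and out-of-office mail, created from an IoC IP) from a benign mark-as-read rule such as Bob's, so responders can start with the accounts where both signals coincide.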

All Rights Reserved by HackersRadar ©2026