Is SharePoint the New Frontier for Phishers?

The very digital collaboration tools designed to foster productivity and seamless information sharing are increasingly being weaponized by sophisticated threat actors, turning trusted platforms into Trojan horses for widespread cyberattacks. A recent, highly-coordinated campaign has brought this alarming trend into sharp focus, demonstrating how threat actors are abusing Microsoft SharePoint’s file-sharing capabilities to execute complex adversary-in-the-middle (AiTM) phishing attacks. This multi-stage operation, which targeted organizations within the critical energy sector, successfully compromised numerous user accounts and rapidly escalated into a significant business email compromise (BEC) incident, highlighting a critical vulnerability in modern enterprise security postures that rely heavily on the perceived safety of well-known cloud services. The attack serves as a stark reminder that even the most ubiquitous and trusted applications can become conduits for malicious activity, forcing a reevaluation of security protocols.

1. The Anatomy of an Advanced Social Engineering Attack

The initial phase of the attack hinged on a masterful exploitation of professional trust, a cornerstone of corporate communication that cybercriminals are becoming adept at manipulating. The threat actors initiated their campaign by sending meticulously crafted phishing emails that originated from the email address of a previously compromised and trusted vendor. This tactic immediately lowered the guard of the intended victims, as the communication appeared to be part of a legitimate business workflow. The emails contained SharePoint URLs, which are commonly used for document sharing and collaboration in professional environments. By leveraging these familiar links, the attackers ensured their malicious payloads bypassed many traditional email security filters that are programmed to scrutinize unknown or suspicious domains. When recipients clicked on the link, they were directed to a fraudulent login page that perfectly mimicked Microsoft’s authentication portal, prompting them to enter their credentials and thereby unknowingly hand over their session cookies to the attackers, granting them direct and persistent access to the compromised accounts.

Once inside the system, the attackers moved with precision and stealth to solidify their foothold and prepare for the next stage of their operation without alerting the user or security systems. Their first action was to establish a set of inbox rules within the compromised accounts. These rules were specifically designed to automatically delete any incoming emails, particularly security alerts from IT departments or automated system notifications that might warn of suspicious login activity. Furthermore, messages were programmed to be marked as “read” immediately upon arrival, ensuring that the user’s inbox appeared undisturbed. This meticulous digital housekeeping allowed the threat actors to operate undetected, effectively transforming the compromised email account into a covert surveillance hub. From this vantage point, they could monitor ongoing conversations, study communication patterns, and identify high-value targets for their subsequent, much larger phishing campaign, all while the legitimate account holder remained completely unaware of the malicious activity happening right under their nose.

2. Escalation and Evasive Maneuvers

With unauthorized access secured and their presence concealed, the threat actors swiftly escalated the incident from a targeted compromise to a widespread phishing campaign. Leveraging the treasure trove of information within the compromised inboxes, they launched an assault involving over 600 emails sent to a broad spectrum of contacts. These recipients were not chosen at random; they were carefully selected from recent email threads, ensuring a high degree of relevance and a greater likelihood of engagement. The targets included internal colleagues, external partners, and clients, which significantly expanded the potential attack surface and increased the risk of multiple, simultaneous breaches across different organizations. This method of propagation is particularly insidious because the phishing emails came from a legitimate, trusted account, making them far more convincing than typical spam messages. The attackers exploited the existing professional relationships and the inherent trust associated with the compromised user’s identity to spread their malicious links far and wide, creating a cascading effect of potential compromises.

The threat actors demonstrated a high level of operational sophistication by actively managing the compromised accounts to maintain their cover and ensure the campaign’s longevity. They continuously monitored the mailboxes for any signs of detection, such as undelivered email notifications or out-of-office replies, and promptly deleted them to prevent the legitimate user from noticing any irregularities in their account activity. In instances where a recipient became suspicious and replied to question the authenticity of a sent email, the attackers were ready to intervene. They would respond directly from the compromised account, providing false assurances and confirming the email’s legitimacy to quell any doubts. Immediately after sending their deceptive reply, they would delete the entire conversation thread—both the recipient’s query and their own response—leaving no trace of the interaction for the account’s rightful owner to discover. This active, hands-on management allowed the attackers to maintain persistence and navigate potential roadblocks, keeping their victims completely in the dark while the malicious operations continued unabated.

3. A Reassessment of Modern Security Measures

The investigation into this campaign revealed that traditional security responses, such as forcing a password reset, were insufficient for complete remediation. Attackers who successfully execute an AiTM attack steal active session cookies, which can grant them continued access even after a password has been changed. Furthermore, threat actors often register their own multi-factor authentication (MFA) methods, such as a personal phone number, to the compromised account. This allows them to re-authenticate and regain access by bypassing the new password. Therefore, a comprehensive remediation strategy had to involve revoking all active user sessions to invalidate the stolen cookies, meticulously inspecting and removing any malicious inbox rules, and resetting all MFA settings to remove any unauthorized devices or methods added by the attackers. This incident underscored the critical need for security protocols that extend beyond credential management and address the persistence mechanisms employed by modern adversaries.
