SharePoint abuse tied to renewed AiTM phishing and BEC activity

Microsoft says attackers are using trusted file-sharing workflows to compromise accounts and expand business email compromise operations.

What happened

Microsoft Defender Security Research identified a renewed adversary-in-the-middle (AiTM) phishing campaign directed at energy sector organizations. The attack began with SharePoint file links sent from trusted accounts that had already been compromised, making the messages appear legitimate. When recipients opened the links, they were pulled into fake sign-in flows that allowed attackers to hijack active sessions. From there, the access was used to take over additional accounts and launch business email compromise (BEC) activity across multiple organizations. Microsoft said the campaign was detected and disrupted using Defender telemetry across affected tenants.

Going deeper

The campaign began with phishing emails sent from legitimate vendor or partner accounts that had been compromised earlier. These messages used SharePoint document-sharing themes to prompt authentication, allowing attackers to capture session tokens rather than just passwords. After gaining access, the attackers created inbox rules that deleted incoming messages or marked them as read to suppress user awareness. They then used the compromised accounts to send hundreds of phishing emails internally and externally, selecting recipients from recent email threads and distribution lists. As more users interacted with the links, additional accounts were compromised through the same AiTM technique, allowing the campaign to expand laterally and persist across organizations.

What was said

Microsoft described the multi-stage adversary-in-the-middle phishing and business email compromise campaign in a January 21, 2026, security blog post, warning that standard response steps often do not go far enough. The company said that “password resets alone are insufficient,” noting that attackers can keep access by abusing valid session artifacts even after credentials are changed. In one example, Microsoft explained that after the initial compromise, “the attacker later signed in with another IP address and created an Inbox rule with parameters to delete all incoming emails on the user’s mailbox and marked all the emails as read,” allowing the activity to continue without detection. The post said the campaign abused SharePoint file sharing and showed “the operational complexity of AiTM campaigns and the need for remediation beyond standard identity compromise responses.” Microsoft advised organizations to revoke active sessions, remove malicious inbox rules, review MFA and conditional access settings, and watch for unusual sign-in behavior.
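The suppression behaviour described in the two sections above (an inbox rule created from a new IP address that deletes all incoming mail and marks it read) is something a defender can hunt for in mailbox audit events. The script below is an added example, not code from the Microsoft post or from Paubox. It triages constructed records whose shape loosely follows Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule; the field names, parameter names and IP addresses are assumptions and sample values, not a guaranteed schema. It scores a rule higher when it hides mail (delete, mark as read, or move to a rarely viewed folder), applies to every message rather than a filtered subset, has an empty or punctuation-only name, or was created from an address not seen in that user's own sign-in events.

```python
"""Triage Exchange Online inbox-rule audit events for the mail-suppression
pattern used in AiTM/BEC account takeovers.

Added example (not from the Microsoft post or Paubox). Records below are
constructed; field names approximate the Microsoft 365 unified audit log
and are assumptions, not a documented schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample records: two baseline sign-ins, one rule created from a
# different IP that deletes everything, one benign filtered rule, one rule
# that buries mail in a folder users rarely open.
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.test",
     "ClientIP": "203.0.113.10", "CreationTime": "2026-01-20T08:01:00"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.test",
     "ClientIP": "198.51.100.77", "CreationTime": "2026-01-20T09:30:00",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.test",
     "ClientIP": "203.0.113.22", "CreationTime": "2026-01-20T08:05:00"},
    {"Operation": "New-InboxRule", "UserId": "bob@example.test",
     "ClientIP": "203.0.113.22", "CreationTime": "2026-01-20T10:00:00",
     "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.test",
     "ClientIP": "203.0.113.30", "CreationTime": "2026-01-20T11:00:00",
     "Parameters": [{"Name": "Identity", "Value": "Cleanup"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Parameters that scope a rule to a subset of mail; their absence means the
# rule acts on every incoming message, which is the suppression pattern.
CONDITION_KEYS = {"SubjectContainsWords", "From", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
# Folders a user is unlikely to check (assumed list).
BURY_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                "conversation history", "junk email", "deleted items"}


@dataclass
class Finding:
    user: str
    operation: str
    client_ip: str
    score: int
    reasons: list[str] = field(default_factory=list)


def _params(record: dict) -> dict[str, str]:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def assess_rule(record: dict, known_ips: set[str]) -> Finding | None:
    """Score one rule event; return None for non-rule or harmless events."""
    if record.get("Operation") not in RULE_OPS:
        return None
    p = _params(record)
    score, reasons = 0, []
    if _is_true(p.get("DeleteMessage", "")):
        score += 3; reasons.append("deletes incoming mail")
    if _is_true(p.get("MarkAsRead", "")):
        score += 2; reasons.append("marks mail as read")
    folder = p.get("MoveToFolder", "")
    if folder and folder.strip().lower() in BURY_FOLDERS:
        score += 2; reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    if score and not (CONDITION_KEYS & p.keys()):
        score += 2; reasons.append("no condition: applies to all incoming mail")
    name = p.get("Name") or p.get("Identity") or ""
    if score and not name.strip(" .,-_"):
        score += 1; reasons.append("rule name is blank or punctuation only")
    ip = record.get("ClientIP", "")
    if score and known_ips and ip not in known_ips:
        score += 2; reasons.append(f"created from {ip}, not among the user's sign-in IPs")
    if score == 0:
        return None
    return Finding(record["UserId"], record["Operation"], ip, score, reasons)


def triage(records: list[dict], threshold: int = 4) -> list[Finding]:
    """Baseline each user's sign-in IPs, then score rule events in time order."""
    baseline: dict[str, set[str]] = {}
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            baseline.setdefault(r["UserId"], set()).add(r.get("ClientIP", ""))
    findings = []
    for r in sorted(records, key=lambda r: r.get("CreationTime", "")):
        f = assess_rule(r, baseline.get(r.get("UserId", ""), set()))
        if f and f.score >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.score}] {f.user} {f.operation} from {f.client_ip}: "
              + "; ".join(f.reasons))
```

On the sample data the delete-everything rule created from the unfamiliar IP scores highest and the filtered "Vendor invoices" rule is not flagged at all. A finding like the first one is the trigger for the remediation Microsoft lists: revoke the user's active sessions (a password reset alone leaves the stolen session usable), remove the rule, and review the sign-in history from the flagged address.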

In the know

In a separate SharePoint-related intrusion previously reported by BleepingComputer, attackers linked to China abused Microsoft SharePoint environments to access sensitive US systems. The activity did not involve obvious malware. Instead, attackers relied on standard collaboration features, allowing the intrusion to blend in with routine file-sharing and authentication traffic.

Investigators said the case shows how SharePoint access can be reused after an initial breach. Shared documents, existing permissions, and active sessions give attackers ways to move through an environment and stay connected without attracting attention. That same pattern appears in what Microsoft is now warning about in AiTM-driven phishing and business email compromise campaigns, where trusted cloud collaboration tools become the entry point rather than a technical vulnerability.

The big picture

The FBI’s Internet Crime Complaint Center makes one thing clear in its 2024 report: business email compromise keeps costing organizations. Last year alone, more than 21,000 BEC complaints were filed, with reported losses of about $2.77 billion. What stands out most is that BEC incidents do not involve malware or technical break-ins. Instead, attackers work inside normal business email traffic, using trusted accounts, familiar file-sharing tools, and ongoing conversations to convince someone to send money.

The report also shows an interesting gap: phishing and spoofing emails are reported far more often, but BEC causes far greater financial damage when it does succeed. That is because these messages do not look suspicious. They look like work. Reducing the risk means paying attention to how emails behave in context, how logins are reused, and whether a message fits the normal pattern of the sender. Protections like Paubox’s new inbound email security are built to catch those signals early, before routine-looking emails turn into costly mistakes.

FAQs

What makes AiTM phishing different from traditional phishing?

AiTM attacks intercept authentication sessions in real time, allowing attackers to steal session tokens instead of passwords.

Why is SharePoint frequently used in these campaigns?

SharePoint links are common in enterprise workflows, which reduces suspicion and increases the likelihood that users will authenticate.

Why are inbox rules important to attackers?

Malicious rules suppress warning messages, replies, and alerts, allowing attackers to remain undetected for longer periods.

Does multi-factor authentication stop AiTM attacks?

It reduces risk but does not fully prevent session hijacking without additional controls such as conditional access and token revocation.

What steps should organizations take after an AiTM compromise?

They should revoke session cookies, remove inbox rules, review MFA settings, audit sign-in logs, and apply risk-based access controls.