Energy Firms Hit by Sophisticated AiTM Phishing Attacks

▼ Summary
– Microsoft warns that energy sector organizations are being targeted by a phishing campaign using emails with “NEW PROPOSAL – NDA” subject lines from compromised, trusted addresses.
– The attack uses a fake login page to steal user credentials and, critically, the session cookie from the authenticated login, bypassing multi-factor authentication (MFA).
– Attackers use the stolen session to create inbox rules that delete incoming emails and mark them as read, hiding a subsequent large-scale phishing campaign sent to the victim’s contacts.
– Microsoft states remediation requires more than password resets; organizations must revoke active sessions, remove attacker-created inbox rules, and check for MFA methods (devices or phone numbers) the attacker registered.
– While MFA remains essential, phishing-resistant options like FIDO2 security keys, passkeys, and certificate-based authentication are preferred to defend against these AiTM (Adversary-in-The-Middle) attacks.
A sophisticated phishing campaign is actively targeting companies within the critical energy sector, aiming to hijack corporate email accounts through a method known as Adversary-in-the-Middle (AiTM) attacks. Microsoft security researchers have issued a detailed warning about this ongoing threat, which cleverly bypasses standard email security filters and multi-factor authentication (MFA) protections.
The operation begins with a deceptive email. The message appears to come from a trusted, albeit compromised, external organization. Its subject line, often reading “NEW PROPOSAL – NDA,” is designed to look like routine business correspondence. Inside, a link directs the recipient to a SharePoint URL that seems legitimate at first glance. This combination of a believable sender and a familiar platform link effectively evades traditional email security scans.
Clicking the link does not lead to a document. Instead, the user is taken to a fraudulent login page that mimics a legitimate Microsoft sign-in portal. This is the core of the AiTM technique: the attackers’ infrastructure sits between the user and Microsoft as a proxy. As the user enters their credentials, it silently captures the username and password and relays them to the real Microsoft login page, passing the MFA prompt and the user’s response through in the same way. Crucially, it also intercepts the session cookie Microsoft issues once the login, MFA included, has succeeded. Because that cookie represents an already-authenticated session, replaying it lets the attackers impersonate the victim without ever needing the password or a second factor again.
With this stolen session cookie, the threat actors log into the victim’s mailbox from a separate IP address. Their first action is to establish persistence and hide their tracks. They create an inbox rule that automatically deletes all incoming emails and marks them as read. This stealthy maneuver prevents the victim from seeing any notification emails about the new login or subsequent malicious activity.
The compromised account then becomes a launchpad for a wider attack. The attackers use the hijacked mailbox to send hundreds of new phishing emails to all of the victim’s contacts. To maintain the ruse, they watch for anything that could alert the victim or a recipient: non-delivery reports for undeliverable messages and automatic out-of-office replies are deleted from the Archive folder. If a contact replies to question the email’s legitimacy, the attackers craft a convincing response to allay suspicion, then delete that entire email thread from the mailbox. Recipients who click the new malicious link face the same AiTM trap, so the compromise can spread rapidly across supply chains and partner organizations.
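As an added example that is not part of the article or of Microsoft’s report, the following PowerShell hunts the Microsoft 365 Unified Audit Log for inbox rules matching the pattern described above: recently created or modified, deleting every incoming message and marking it as read. It assumes an ExchangeOnlineManagement session already opened with Connect-ExchangeOnline by an account allowed to read the audit log; the function name Find-HidingInboxRules and the $LookbackDays parameter are this example’s own.

```powershell
# Added example: not code from the article or from Microsoft.
# Assumes Connect-ExchangeOnline has already been run with audit-log read rights.
# The function name and its parameter are hypothetical.
function Find-HidingInboxRules {
    param([int]$LookbackDays = 14)

    # Rules created through OWA or PowerShell are logged as New-InboxRule / Set-InboxRule
    # with their cmdlet parameters. Rules created in the Outlook desktop client appear as
    # UpdateInboxRules with a different schema and are not parsed here.
    # -ResultSize is capped at 5000 per call; large tenants need paging
    # (-SessionCommand ReturnLargeSet with -SessionId).
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) `
        -EndDate (Get-Date) -Operations 'New-InboxRule','Set-InboxRule' -ResultSize 5000

    # Any of these parameters narrows a rule to particular senders or text;
    # a rule with none of them fires on every incoming message.
    $conditionParams = 'From','FromAddressContainsWords','SubjectContainsWords',
                       'BodyContainsWords','SubjectOrBodyContainsWords','SentTo',
                       'HeaderContainsWords'

    foreach ($rec in $records) {
        $data = $rec.AuditData | ConvertFrom-Json
        $p = @{}
        foreach ($param in $data.Parameters) { $p[$param.Name] = $param.Value }

        $deletes       = $p['DeleteMessage'] -eq 'True'
        $marksRead     = $p['MarkAsRead']    -eq 'True'
        $unconditional = -not ($conditionParams | Where-Object { $p.ContainsKey($_) })

        if ($deletes -and $marksRead -and $unconditional) {
            [pscustomobject]@{
                When      = $rec.CreationDate
                Mailbox   = $data.UserId
                ClientIP  = $data.ClientIP      # compare with the user's normal sign-in IPs
                Operation = $rec.Operations
                RuleName  = $p['Name']
            }
        }
    }
}

Find-HidingInboxRules -LookbackDays 14 | Format-Table -AutoSize
```

Each hit gives the mailbox, the rule name and the client IP that created the rule; the IP is the pivot back into the sign-in logs, since in the campaign described the rule is created from the attackers’ address rather than the victim’s.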
Microsoft emphasizes that responding to such an incident requires more than just resetting passwords: the stolen session cookie stays valid until it is revoked, regardless of the password. Impacted organizations in the energy sector must additionally revoke active sessions and remove attacker-created inbox rules used to evade detection. Companies must also audit their MFA settings to ensure attackers have not registered a new device or phone number to receive one-time codes.
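As an added example, not taken from the article or from Microsoft’s guidance, the following PowerShell carries out those containment steps for one mailbox: block sign-in and revoke sessions, strip rules that delete or hide mail, and list the registered MFA methods for review. It assumes an open Connect-ExchangeOnline session plus a Connect-MgGraph session granted User.ReadWrite.All and UserAuthenticationMethod.Read.All; the function name Invoke-AitmContainment and the $Upn parameter are this example’s own.

```powershell
# Added example: not code from the article or from Microsoft.
# Assumes Connect-ExchangeOnline and Connect-MgGraph (User.ReadWrite.All,
# UserAuthenticationMethod.Read.All) sessions are already open.
# Function name and parameter are hypothetical.
function Invoke-AitmContainment {
    param([Parameter(Mandatory)][string]$Upn)

    # 1. Block new sign-ins and revoke refresh tokens and sessions. This kills the stolen
    #    session cookie; access tokens already issued remain valid until they expire
    #    (typically up to an hour), so the account stays disabled until the password
    #    has been reset out of band and the incident is closed.
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null

    # 2. Remove inbox rules that delete mail or move it away while marking it read.
    #    -IncludeHidden also returns rules that do not show in Outlook's rule list.
    foreach ($rule in (Get-InboxRule -Mailbox $Upn -IncludeHidden)) {
        if ($rule.DeleteMessage -or ($rule.MarkAsRead -and $rule.MoveToFolder)) {
            Write-Warning "Removing rule '$($rule.Name)': $($rule.Description)"
            Remove-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
        }
    }

    # 3. List MFA methods. A phone number or Authenticator device registered around the
    #    compromise window is the attacker's, and must be removed before re-enabling.
    Get-MgUserAuthenticationPhoneMethod -UserId $Upn |
        Select-Object @{n='Method';e={'Phone'}}, PhoneType, PhoneNumber
    Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn |
        Select-Object @{n='Method';e={'Authenticator'}}, DisplayName, CreatedDateTime
}

Invoke-AitmContainment -Upn 'user@example.com'   # placeholder address
```

The order matters: revoking sessions before touching the rules means the attacker cannot simply re-create them from the still-live session while the responder works through the mailbox.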
While AiTM attacks are specifically crafted to bypass traditional MFA, enabling MFA remains a critical defense layer. “While AiTM phishing attempts to circumvent MFA, implementation of MFA still remains an essential pillar in identity security and highly effective at stopping a wide variety of threats,” the researchers noted. For the strongest protection, organizations should consider adopting phishing-resistant authentication methods. These include FIDO2 security keys, passkeys, and certificate-based authentication, which are far more difficult for AiTM attacks to defeat compared to SMS or push-notification codes.
(Source: HelpNet Security)