
Jan 27, 2026 · 5 min read

Energy Companies Hit by Phishing Campaign That Abuses SharePoint to Steal Credentials

The attackers used legitimate file sharing to spread their attack across multiple organizations.

Microsoft Defender researchers uncovered a sophisticated phishing campaign targeting multiple energy sector organizations. The attackers combined adversary in the middle credential theft with business email compromise, abusing SharePoint file sharing to make their attacks appear legitimate. Once inside one organization, they used compromised accounts to spread to partners and suppliers.


How the Attack Worked

The campaign began on January 19, 2026 and was quickly detected by Microsoft's threat hunters. According to Tanmay Ganacharya, VP of Microsoft Threat Protection, the activity was disrupted rapidly once identified. But the attack demonstrated concerning sophistication in how quickly it spread.

The initial compromise used adversary in the middle techniques, commonly called AiTM attacks. The attacker's phishing site is a reverse proxy that sits between the victim and the legitimate login page and relays every request in both directions. The victim therefore signs in to the real identity provider and completes a real multi factor authentication prompt; what the proxy records is the password and, more importantly, the session cookie the provider issues once that prompt succeeds. Because the cookie is a bearer token, replaying it from the attacker's machine yields a fully authenticated session, so MFA is satisfied once by the victim and never challenged again.

SharePoint as a Weapon

What made this campaign particularly effective was its use of SharePoint. After compromising initial accounts, attackers used legitimate SharePoint file sharing to deliver phishing payloads. The emails appeared to come from trusted colleagues sharing normal business documents.

Recipients who clicked the SharePoint links were redirected to AiTM phishing pages. Because the initial email came from a real colleague at a real organization, it passed the usual sender checks (the message was genuinely sent from that tenant, so SPF, DKIM, and DMARC all validate) and the link pointed at a legitimate SharePoint domain, so standard email security saw nothing suspicious. The attack leveraged trust relationships between people who regularly collaborate.

Persistence Through Inbox Rules

The attackers maintained access through a technique that often goes unnoticed: creating inbox rules. Rules that automatically delete, mark as read, or move incoming mail (for example security alerts, or replies to the attacker's own messages) into a folder the owner never opens keep the evidence out of sight. Even a user who noticed something suspicious would not see the full scope of what was happening in the account. Because the rules live server side in the mailbox, they survive a password reset and keep running whether or not the attacker is still signed in.

In some cases the attackers went further and tampered with MFA settings, registering additional authentication methods that pointed to phone numbers they controlled. Registered methods are not touched by a password reset or a session revocation, so unless they are removed the attacker keeps a way to satisfy MFA on the account with a device they control.
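Both persistence tricks leave records in the Microsoft 365 Unified Audit Log: rule creation appears as New-InboxRule or Set-InboxRule events with the rule's parameters, and MFA changes appear as "User registered security info." events from the directory. The hunt below is an added example, not code from the article or from Microsoft; the log records are constructed for it, and the field names (Operation, UserId, ClientIP, CreationTime, Parameters) follow the shape of records exported with Search-UnifiedAuditLog. It scores rules on the hiding behaviour described above and raises the severity when the same account also registered a new authentication method within a day.

```python
"""Hunt Unified Audit Log (UAL) records for the two persistence tricks described
above: inbox rules that hide mail from the mailbox owner, and newly registered
MFA methods.  Added example; the log records below are constructed, not from the
campaign.  Field names follow the UAL record shape (Operation, UserId, ClientIP,
CreationTime, Parameters) as exported by Search-UnifiedAuditLog."""
from collections import defaultdict
from datetime import datetime, timedelta

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
MFA_OPERATIONS = {"User registered security info.",
                  "User registered all required security info."}
# Rule actions that silently remove or exfiltrate mail.
STRONG_ACTIONS = {"DeleteMessage", "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
# Folders users rarely open; BEC operators file security alerts and replies there.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "conversation history", "deleted items"}
# Words attackers filter on to hide warnings and keep a payment thread to themselves.
SUSPICIOUS_WORDS = {"password", "hacked", "phish", "phishing", "invoice",
                    "payment", "wire", "mfa", "security", "suspicious"}
CORRELATION_WINDOW = timedelta(hours=24)


def rule_params(record):
    """Flatten the UAL Parameters list ([{"Name": .., "Value": ..}, ...]) into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_reasons(params):
    """Return the reasons an inbox rule looks like attacker persistence (empty if benign)."""
    reasons = []
    strong = STRONG_ACTIONS & set(params)
    if strong:
        reasons.append("deletes or redirects mail via " + ", ".join(sorted(strong)))
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{params['MoveToFolder']}'")
    if "MarkAsRead" in params and ("DeleteMessage" in params or "MoveToFolder" in params):
        reasons.append("marks as read to suppress new-mail notifications")
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words |= {w.strip().lower() for w in params.get(key, "").split(";") if w.strip()}
    hits = words & SUSPICIOUS_WORDS
    if hits:
        reasons.append("filters on " + ", ".join(sorted(hits)))
    name = params.get("Name", "")
    if len(name.strip(" .,-_")) <= 1:          # ".", "..", "-" are classic attacker rule names
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def hunt(records):
    """Flag suspicious rule changes and MFA registrations; escalate accounts with both."""
    findings = []
    for r in records:
        op = r.get("Operation")
        base = {"user": r["UserId"], "time": datetime.fromisoformat(r["CreationTime"]),
                "ip": r.get("ClientIP"), "operation": op, "severity": "medium"}
        if op in RULE_OPERATIONS:
            reasons = rule_reasons(rule_params(r))
            if reasons:
                findings.append({**base, "kind": "inbox_rule", "reasons": reasons})
        elif op in MFA_OPERATIONS and r.get("ResultStatus", "Success") == "Success":
            findings.append({**base, "kind": "mfa_registration",
                             "reasons": ["new authentication method registered"]})
    # A hiding rule plus a new MFA method on one account inside 24h is exactly the
    # pattern described in the article; raise both findings to high.
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    for user_findings in by_user.values():
        for a in user_findings:
            for b in user_findings:
                if a["kind"] != b["kind"] and abs(a["time"] - b["time"]) <= CORRELATION_WINDOW:
                    a["severity"] = b["severity"] = "high"
    return findings


SAMPLE_RECORDS = [  # constructed for this example; domains are placeholders
    {"CreationTime": "2026-01-20T08:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@contoso-energy.example", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;invoice;hacked"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-01-20T08:20:00", "Operation": "User registered security info.",
     "UserId": "alice@contoso-energy.example", "ClientIP": "203.0.113.45",
     "ResultStatus": "Success"},
    {"CreationTime": "2026-01-20T09:01:00", "Operation": "New-InboxRule",
     "UserId": "bob@contoso-energy.example", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2026-01-21T14:30:00", "Operation": "Set-InboxRule",
     "UserId": "carol@supplier.example", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "Sync"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['kind']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

Bob's "Newsletters" rule moves mail to a normal folder and produces no finding; Alice's one-character rule that deletes anything mentioning passwords or invoices, followed eight minutes later by a new security-info registration from the same address, is scored high. The same ClientIP appearing on Carol's mailbox at a supplier is the cross organization spread the article describes and is worth pivoting on next.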

Cross Organization Spread

Once attackers controlled accounts inside energy companies, they launched large scale phishing campaigns targeting both internal colleagues and external contacts. The campaign spread to multiple organizations across the energy sector supply chain.

This pattern of using compromised legitimate accounts to attack partners represents one of the most challenging threats for security teams. Traditional email security focuses on external threats. When the attack comes from a real account at a trusted organization, many defenses fail.

Why Energy Companies Were Targeted

The energy sector represents a high value target for both financial criminals and nation state actors. These organizations often have complex supply chains with numerous partners and contractors. That complexity creates more opportunities for attackers to exploit trust relationships.

Business email compromise in the energy sector can lead to fraudulent wire transfers, theft of intellectual property, or access to operational technology systems. The sector has seen increasing attacks as criminals recognize the potential payoffs.

What Organizations Should Do

Microsoft emphasized that password resets alone are insufficient after this type of compromise. The stolen session cookie stays valid until it is revoked and inbox rules keep running regardless of the password, so organizations must also revoke active sessions and remove any inbox rules the attackers created, and they should review the account's registered authentication methods for any the attacker added. One caveat: revoking sessions invalidates refresh tokens and cookies, but access tokens already issued remain usable until they expire, typically an hour or so, which is why disabling the account for the duration of the investigation is the safer first step. Failing to do all of this leaves the door open for continued access.
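The containment sequence above, written against Microsoft Graph, as an added example (not Microsoft's guidance text or code): disable the account and revoke sessions first, reset the password, export and delete every inbox rule, then strip authentication methods the analyst has not confirmed with the user. The Graph paths are the documented v1.0 endpoints; the urllib client, the permission list in its docstring, and the FakeGraph stand-in (with constructed rules and methods) are this example's own so that it runs offline.

```python
"""Contain a compromised Microsoft 365 account the way the article says a password
reset alone will not: cut live sessions, strip attacker inbox rules, and strip
attacker-registered MFA methods.  Added example, not Microsoft's code.  Graph paths
are the documented v1.0 endpoints; GraphHttpClient is a thin urllib wrapper and
FakeGraph is a constructed stand-in so the block runs offline."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# @odata.type of each authentication method -> its collection under /authentication.
METHOD_COLLECTIONS = {
    "#microsoft.graph.phoneAuthenticationMethod": "phoneMethods",
    "#microsoft.graph.emailAuthenticationMethod": "emailMethods",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "microsoftAuthenticatorMethods",
    "#microsoft.graph.softwareOathAuthenticationMethod": "softwareOathMethods",
    "#microsoft.graph.fido2AuthenticationMethod": "fido2Methods",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "windowsHelloForBusinessMethods",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod": "temporaryAccessPassMethods",
}


class GraphHttpClient:
    """Minimal live client.  Assumed token scopes: User.ReadWrite.All,
    MailboxSettings.ReadWrite, UserAuthenticationMethod.ReadWrite.All."""
    def __init__(self, token):
        self.token = token

    def request(self, method, path, body=None):
        url = path if path.startswith("https://") else GRAPH + path
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None


def list_all(graph, path):
    """Follow @odata.nextLink so a mailbox with many rules is fully enumerated."""
    items, page = [], graph.request("GET", path)
    while page:
        items += page.get("value", [])
        page = graph.request("GET", page["@odata.nextLink"]) if "@odata.nextLink" in page else None
    return items


def contain_account(graph, user, keep_method_ids=()):
    u = f"/users/{user}"
    report = {"password_reset": False, "rules_removed": [], "methods_removed": [], "methods_kept": []}
    # 1. Cut the attacker off first: block sign-in and invalidate refresh tokens and cookies.
    graph.request("PATCH", u, {"accountEnabled": False})
    graph.request("POST", f"{u}/revokeSignInSessions")
    # 2. Reset the password.  Graph answers 202 with a Location header to poll, and
    #    resetPassword is only available with delegated (not app-only) permissions.
    methods = list_all(graph, f"{u}/authentication/methods")
    for m in methods:
        if m.get("@odata.type") == "#microsoft.graph.passwordAuthenticationMethod":
            graph.request("POST", f"{u}/authentication/methods/{m['id']}/resetPassword", {})
            report["password_reset"] = True
    # 3. Record and delete every inbox rule; the export goes to the analyst for review.
    for rule in list_all(graph, f"{u}/mailFolders/inbox/messageRules"):
        report["rules_removed"].append({"id": rule["id"], "name": rule.get("displayName"),
                                        "actions": rule.get("actions")})
        graph.request("DELETE", f"{u}/mailFolders/inbox/messageRules/{rule['id']}")
    # 4. Strip MFA methods not confirmed with the user.  The password method stays;
    #    the user re-registers from a Temporary Access Pass issued out of band.
    for m in methods:
        coll = METHOD_COLLECTIONS.get(m.get("@odata.type"))
        if coll is None or m["id"] in keep_method_ids:
            report["methods_kept"].append(m["id"])
            continue
        graph.request("DELETE", f"{u}/authentication/{coll}/{m['id']}")
        report["methods_removed"].append({"id": m["id"], "type": m["@odata.type"]})
    return report


class FakeGraph:
    """Constructed in-memory stand-in for Graph; records every call and serves the
    rule list in two pages so @odata.nextLink handling is exercised."""
    def __init__(self):
        self.calls = []
        self.rules = {
            "r1": {"id": "r1", "displayName": ".", "actions": {"delete": True, "markAsRead": True}},
            "r2": {"id": "r2", "displayName": "Newsletters", "actions": {"moveToFolder": "folder-id-1"}},
        }
        self.methods = {
            "p1": {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "p1"},
            "m1": {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "m1",
                   "phoneNumber": "+1 555 0100", "phoneType": "mobile"},
            "m2": {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
                   "id": "m2", "displayName": "Alice's phone"},
        }

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "GET" and "$skiptoken=page2" in path:
            return {"value": list(self.rules.values())[1:]}
        if method == "GET" and path.endswith("/messageRules"):
            return {"value": list(self.rules.values())[:1],
                    "@odata.nextLink": GRAPH + path + "?$skiptoken=page2"}
        if method == "GET" and path.endswith("/authentication/methods"):
            return {"value": list(self.methods.values())}
        if method == "DELETE":
            store = self.rules if "/messageRules/" in path else self.methods
            store.pop(path.rsplit("/", 1)[1], None)
        return None


if __name__ == "__main__":
    fake = FakeGraph()
    print(json.dumps(contain_account(fake, "alice@contoso-energy.example", keep_method_ids=("m2",)), indent=2))
```

Replace FakeGraph with GraphHttpClient(token) to run it for real. The order is deliberate: revokeSignInSessions before the rule and method cleanup, so the attacker cannot re-create either while the analyst works, and an explicit keep list for methods, so that deleting everything is the default and keeping something is a conscious decision made with the user on the phone.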

For longer term protection, organizations should consider phishing resistant authentication methods. FIDO2 security keys, passkeys, and certificate based authentication cannot be harvested through AiTM attacks, and the reason is more specific than the device simply being present. The private key never leaves the authenticator, the signed response is bound to the origin of the site the user is actually on, and the browser will not even use the credential for a site whose domain does not match the one it was registered for. A proxy on a look alike domain therefore gets no usable response, whereas traditional MFA produces a one time code or approval that the real site consumes and then follows with a replayable session cookie.
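The contrast drawn in the AiTM description earlier and in the paragraph above, as an added example that is not the article's or Microsoft's code: a simulated authenticator, browser, and relying party run the WebAuthn assertion flow (clientDataJSON, rpIdHash, the browser's rpId check, the relying party's origin and challenge checks) and a proxy on a look alike domain is tried three ways. The ECDSA key pair a real authenticator holds is replaced by an HMAC secret shared with the relying party so the block needs only the standard library; the domain names are placeholders.

```python
"""Why a passkey/FIDO2 assertion fails through an AiTM proxy while a stolen session
cookie replays fine.  Added example, not the article's or Microsoft's code.  The
ECDSA key pair a real authenticator holds is replaced by an HMAC secret shared with
the relying party so the block runs on the standard library only; the WebAuthn
structure (clientDataJSON, rpIdHash, browser rpId check, RP origin and challenge
checks) is followed as specified.  Domains are assumed placeholders."""
import base64, hashlib, hmac, json, os

RP_ID = "login.contoso-energy.example"
LEGIT_ORIGIN = "https://login.contoso-energy.example"
PHISH_ORIGIN = "https://login-contoso-energy.example"   # look-alike AiTM proxy host


def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class Authenticator:
    """Simulated authenticator: one key per rpId, never exported."""
    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]            # public-key analogue handed to the RP

    def get_assertion(self, rp_id, client_data):
        # authenticatorData = sha256(rpId) || flags (UP|UV) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
        sig = hmac.new(self.keys[rp_id], auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authr, page_origin, rp_id, challenge):
    """navigator.credentials.get(): the browser, not the page, decides whether rpId is
    valid for the current origin and writes the real origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    return (client_data,) + authr.get_assertion(rp_id, client_data)


class RelyingParty:
    def __init__(self):
        self.keys, self.pending, self.sessions = {}, {}, {}

    def register(self, user, key):
        self.keys[user] = key

    def begin_login(self, user):
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def finish_login(self, user, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong type"
        if cd.get("origin") != LEGIT_ORIGIN:
            return False, f"origin {cd.get('origin')} not allowed"
        if cd.get("challenge") != b64url(self.pending.pop(user, b"")):
            return False, "challenge mismatch"          # one challenge, one use: no replay
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.keys[user], auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"

    # A session cookie is a bearer token: whoever holds the bytes is the user.
    def issue_cookie(self, user):
        c = b64url(os.urandom(32))
        self.sessions[c] = user
        return c

    def who_is(self, cookie):
        return self.sessions.get(cookie)


def setup(user="alice"):
    rp, authr = RelyingParty(), Authenticator()
    rp.register(user, authr.register(RP_ID))
    return rp, authr


def legitimate_login(rp, authr, user="alice"):
    return rp.finish_login(user, *browser_get(authr, LEGIT_ORIGIN, RP_ID, rp.begin_login(user)))


def aitm_login(rp, authr, user="alice", relay="browser"):
    """The proxy fetches a genuine challenge from the RP and relays it to the victim,
    whose browser is on PHISH_ORIGIN.  Every relay strategy fails."""
    challenge = rp.begin_login(user)           # proxy <-> real RP
    if relay == "browser":                     # a real browser: refused before signing
        try:
            return rp.finish_login(user, *browser_get(authr, PHISH_ORIGIN, RP_ID, challenge))
        except PermissionError as e:
            return False, str(e)
    # Hypothetically skip the browser check: the assertion still names the phishing origin.
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": PHISH_ORIGIN}, separators=(",", ":")).encode()
    auth_data, sig = authr.get_assertion(RP_ID, client_data)
    if relay == "rewrite":                     # proxy patches the origin to the real one
        client_data = client_data.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode())
    return rp.finish_login(user, client_data, auth_data, sig)


def cookie_replay(rp, user="alice"):
    """Contrast: a cookie captured by the proxy works from anywhere."""
    stolen = rp.issue_cookie(user)             # minted after the victim's genuine login
    return rp.who_is(stolen) == user           # attacker presents the same bytes


if __name__ == "__main__":
    print("legit:", legitimate_login(*setup()))
    for mode in ("browser", "forward", "rewrite"):
        print(f"aitm/{mode}:", aitm_login(*setup(), relay=mode))
    print("cookie replay works:", cookie_replay(setup()[0]))
```

Three layers stop the proxy: the browser refuses to use a credential scoped to login.contoso-energy.example from the look alike page; if that check were somehow absent, the relying party rejects the phishing origin written into clientDataJSON; and if the proxy rewrites that origin, the signature no longer matches because it covers the hash of clientDataJSON. A challenge is also single use, so a captured assertion cannot be replayed. The cookie, by comparison, carries no notion of origin at all, which is the whole AiTM business model.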

Conditional access policies add another layer by evaluating additional signals before allowing access. Even with valid credentials and a completed MFA prompt, access can be blocked based on unusual location, device compliance status, or the sign in and user risk scores computed from behavior patterns. Policies can also require a phishing resistant method for administrators and sensitive applications, turning the recommendation above into an enforced control rather than a user choice.