The Fortress Under Siege: Multi-Stage AitM and BEC Attacks Breach the Energy Sector
- Javier Conejo del Cerro
- 1 hour ago
- 3 min read

Fortresses rarely fall because their walls are weak. They fall because trusted gates are opened, guards are impersonated, and defenders are misled. This is precisely how a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign has breached energy-sector organizations. By abusing trusted SharePoint workflows, internal identities, and legitimate cloud services, attackers silently seized accounts, established persistence, and turned compromised inboxes into launchpads for large-scale internal and external fraud.
Phase 1 — The trusted gate: abusing SharePoint as a battering ram
The attack begins not with brute force, but with trust. Threat actors leverage email accounts that were already compromised within trusted organizations, using them to send phishing messages that impersonate legitimate SharePoint document-sharing workflows. Because these emails originate from real internal or partner identities and reference widely used enterprise services like SharePoint and OneDrive, they blend seamlessly into normal business communication.
This technique, often described as living-off-trusted-sites (LOTS), weaponizes familiarity. Employees are conditioned to click SharePoint links, collaborate through shared documents, and respond quickly to internal requests. The fortress gates open willingly.
Phase 2 — The false courtyard: credential capture via AitM phishing
Once a recipient clicks the shared document link, they are redirected to a counterfeit document portal designed to look legitimate. Behind the façade, the page operates as an adversary-in-the-middle phishing site, harvesting both credentials and active session cookies.
Unlike traditional phishing, this method allows attackers to immediately hijack authenticated sessions, bypassing basic MFA protections. Password resets alone are insufficient at this stage, because the attackers already possess valid session tokens that grant access to the account.
This marks the moment the attackers are fully inside the fortress.
Phase 3 — Silencing the guards: inbox rule abuse and persistence
With control of the mailbox, the attackers move quickly to secure their position. They create malicious inbox rules that automatically delete incoming emails or mark them as read, effectively blinding the victim to unusual activity. Out-of-office messages and delivery failure notices are also removed to reduce the chance of detection.
These techniques are standard in BEC operations and are designed to ensure persistence while keeping the legitimate user unaware that their account has been commandeered.
Phase 4 — Turning the fortress outward: lateral phishing and BEC
Once persistence is established, the compromised account becomes a weapon. Attackers reuse the trusted identity to send phishing emails at scale, both internally and externally. In one observed case, more than 600 phishing emails were sent from a single compromised mailbox.
Recipients who question the legitimacy of the message may even receive reassuring replies from the attacker, reinforcing trust before the conversation — and evidence — is erased from the mailbox. At this stage, the campaign expands across organizations, enabling further credential theft, impersonation, and BEC-style financial fraud.
The fortress is no longer just breached — it is actively aiding the siege of others.
What was compromised — Beyond passwords
The impact of this campaign extends well beyond stolen usernames and passwords. Compromised assets include:
- User credentials and MFA-protected session cookies
- Full control of email inboxes and mail flow
- Trusted internal and partner identities
- The ability to impersonate users for BEC fraud
- Persistent access through hidden inbox rules
- A scalable platform for internal and cross-organization phishing
This combination allows attackers to sustain long-term access and amplify the attack without deploying malware.
Measures to reinforce the fortress
To defend against this class of attack, organizations must focus on identity, session control, and trusted-service abuse — not just passwords.
Recommended defensive measures:
- Enforce phishing-resistant MFA (e.g., FIDO2 / certificate-based authentication)
- Revoke active session cookies and tokens after suspected compromise
- Audit and remove attacker-created inbox rules across mailboxes
- Implement conditional access policies and continuous access evaluation
- Monitor for abnormal SharePoint and OneDrive sharing activity
- Detect LOTS abuse involving trusted cloud services
- Strengthen email security to identify internal-origin phishing
- Train users to verify unexpected document-sharing requests
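As an added defender-side example (not code from the article or from any vendor), the check below audits mailbox rules for the hiding behaviour described in Phase 3 and targeted by the "audit and remove attacker-created inbox rules" measure: rules that delete or mark mail as read, route it to rarely opened folders, or filter on delivery-failure, out-of-office or SharePoint subjects. The rule dictionaries are assumed to follow the shape of the Microsoft Graph messageRule resource, and the sample rules are constructed.

```python
import re

# Subject terms the article says attackers suppress (delivery failures,
# out-of-office replies) plus the lure and alert words a victim should see.
SUSPICIOUS_TERMS = re.compile(
    r"undeliverable|delivery (has )?failed|delivery failure|out of office|"
    r"automatic reply|sharepoint|onedrive|phish|hacked|suspicious|password",
    re.IGNORECASE)
# Folders a user rarely opens, commonly used to hide diverted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

def score_rule(rule):
    """Return (score, reasons) for one rule in Graph messageRule shape (assumed)."""
    reasons = []
    if not rule.get("isEnabled", True):
        return 0, reasons  # a disabled rule cannot hide anything
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail")
    if actions.get("markAsRead"):
        reasons.append("marks matching mail as read")
    folder = (actions.get("moveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    words = conds.get("subjectContains", []) + conds.get("bodyContains", [])
    hits = sorted({w for w in words if SUSPICIOUS_TERMS.search(w)})
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    if reasons and not conds:  # a hiding action with no condition hits every message
        reasons.append("no conditions: applies to all inbound mail")
    return len(reasons), reasons

def audit_rules(rules, threshold=2):  # returns [(rule name, reasons)] at/above threshold
    findings = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            findings.append((rule.get("displayName", ""), reasons))
    return findings

SAMPLE_RULES = [  # constructed sample data, not from any real tenant
    {"displayName": "Receipts", "conditions": {"senderContains": ["billing"]},
     "actions": {"moveToFolder": "Receipts"}},
    {"displayName": ".", "conditions": {"subjectContains": ["Undeliverable", "Out of Office", "SharePoint"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Cleanup", "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
]
```

Running `audit_rules(SAMPLE_RULES)` flags the "." and "Cleanup" rules and leaves the benign "Receipts" rule alone; in practice the rule list would come from each mailbox in the tenant rather than the constructed sample.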
This campaign highlights a hard truth: modern fortresses are no longer breached by breaking walls, but by abusing trust. Cloud services, collaboration platforms, and internal identities have become both the defenders and the attack surface.
As long as trusted services are implicitly trusted and session tokens remain valid after compromise, attackers will continue to bypass traditional controls. Defending the fortress today requires continuous verification, aggressive session management, and the assumption that trust can — and will — be weaponized.
The walls still matter. But the gates matter more.
The Hacker News