Microsoft has warned organizations about a sophisticated cyberattack campaign aimed at companies in the energy sector. The attacks combine advanced phishing methods with business email compromise techniques. According to Microsoft’s security researchers, the goal is to steal credentials and gain long-term access to corporate email accounts. The findings highlight growing cyber risks for critical infrastructure.

The campaign uses a technique called adversary-in-the-middle phishing, also known as AiTM. This method allows attackers to intercept login sessions between users and legitimate services. Unlike basic phishing, these attacks are designed to bypass traditional security protections. Because the attacker's page relays the real sign-in, including any MFA prompt, and then captures the resulting session cookie, some versions can even get around certain multi-factor authentication setups.
The attack usually begins with a convincing email sent to energy sector employees. These messages often look like real business communications, such as proposals or contract-related updates. Many include links that appear to lead to trusted platforms like document-sharing services. This makes the emails difficult for users to immediately identify as malicious.
When a victim clicks the link, they are redirected to a fake login page that closely copies a legitimate Microsoft sign-in screen. Once credentials are entered, attackers capture both the login details and the session cookie. This cookie allows attackers to access the account without logging in again. As a result, account control can continue silently.
After gaining access, attackers quietly take control of the compromised inbox. They create hidden email rules that delete or move incoming messages. Some emails are marked as read to avoid raising suspicion. These steps help attackers remain undetected for extended periods.
The attackers then use the compromised account to continue the campaign. They send additional phishing emails to internal colleagues and external business contacts. These follow-up messages often contain similar malicious links. This allows the attack to spread across multiple accounts and organizations.
Microsoft noted that these attacks are complex and cannot be fixed by password resets alone. Organizations must also revoke active login sessions and remove any malicious inbox rules. Without these steps, attackers may regain access even after credentials are changed. Proper cleanup is critical to stopping the threat.
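The hidden inbox rules described above are something a defender can hunt for during cleanup. The following is an added example, not Microsoft's tooling or the original article's code: it triages rule records shaped like Microsoft Graph `messageRule` objects (constructed samples embedded inline; the keyword and folder lists are assumptions to tune per environment) and flags rules that hide mail the way the campaign does.

```python
"""Triage mailbox inbox rules for attacker-style hiding behaviour.

Added example. Rule records are constructed samples shaped like Microsoft
Graph `messageRule` objects; in practice they would be fetched per mailbox.
"""

# Terms a compromised user must not see (assumed list, tune as needed).
SUSPICIOUS_TERMS = ("password", "phishing", "hacked", "suspicious", "security", "sign-in")

# Folders commonly used to park messages where the user never looks.
HIDING_FOLDERS = ("rss subscriptions", "archive", "junk", "conversation history", "deleted items")

# Constructed sample: one benign rule and two that match the described pattern.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Newsletters",
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"id": "r2", "displayName": ".",
     "conditions": {"subjectContains": ["password", "phishing", "suspicious sign-in"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"id": "r3", "displayName": "Cleanup",
     "conditions": {"bodyContains": ["proposal"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
]


def score_rule(rule: dict) -> list:
    """Return the list of reasons this rule looks like attacker persistence."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail")
    folder = (actions.get("moveToFolder") or "").lower()
    if folder and any(h in folder for h in HIDING_FOLDERS):
        reasons.append(f"moves mail to '{folder}'")
    if actions.get("markAsRead"):
        reasons.append("marks mail as read")
    terms = [t.lower() for t in conditions.get("subjectContains", []) + conditions.get("bodyContains", [])]
    hits = [t for t in terms if any(s in t for s in SUSPICIOUS_TERMS)]
    if hits:
        reasons.append(f"filters on security-related terms {hits}")
    if len(rule.get("displayName", "").strip()) <= 2:  # ".", "..", " " are a common tell
        reasons.append("near-empty rule name")
    return reasons


def triage(rules: list) -> dict:
    """Map rule id -> reasons for every rule showing two or more indicators."""
    return {r["id"]: score_rule(r) for r in rules if len(score_rule(r)) >= 2}


if __name__ == "__main__":
    for rule_id, why in triage(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(why))
```

Flagged rules should be removed as part of the same cleanup in which active sessions are revoked, since either one left in place gives the attacker a way back in.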
Security experts say the campaign shows how attackers abuse trusted tools and normal workflows. Email and cloud platforms are widely used in the energy sector, making them effective attack vectors. The warning serves as a reminder that layered security and user awareness remain essential. Critical infrastructure organizations must stay alert as these threats continue to evolve.
Stay alert, and keep your security measures updated!