Organizations in the energy sector are facing a growing threat from a sophisticated adversary-in-the-middle (AiTM) phishing campaign, Microsoft warns. The attacks, which have targeted multiple entities within the sector, rely on convincing phishing emails to compromise enterprise accounts, bypassing traditional email detection methods and evading standard identity compromise responses.
The phishing emails, with subject lines like “NEW PROPOSAL – NDA,” appear to come from trusted sources. These emails contain links to fake login pages that capture users’ credentials and session cookies. Once attackers have access to the session cookies, they can log in from different IP addresses, delete incoming emails, mark others as read, and create inbox rules to facilitate future attacks.
This operational complexity makes AiTM attacks particularly dangerous, as they don’t just rely on stealing passwords. Attackers can manipulate a compromised inbox to spread further phishing emails to contacts, effectively turning the victim’s account into a platform for additional attacks. The attackers then proceed to delete any undelivered responses or out-of-office replies to cover their tracks, while responding to those who question the legitimacy of the email, convincing them that it’s safe.
Remediation and prevention: Microsoft advises impacted organizations to take immediate and comprehensive action. Password resets alone are insufficient. In addition to resetting passwords, organizations must revoke active session cookies and remove any inbox rules the attackers created to evade detection. They should also ensure that multi-factor authentication (MFA) remains in place to provide an additional layer of security.
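As an added defender-side example (not from Microsoft's advisory or tooling), the following Python check scans inbox-rule creation events for the cleanup pattern described above: rules that delete or mark as read messages whose subject mentions bounces, out-of-office replies or phishing, which is what an incident responder would hunt for before removing attacker-created rules. The audit records are constructed, and their field layout (Operation, UserId, ClientIP, Parameters name/value pairs) is an assumption modelled on Exchange Online audit entries.

```python
"""Flag inbox rules that match the AiTM post-compromise cleanup pattern."""
import json

# Rule actions an attacker uses to hide evidence in a compromised mailbox.
HIDING_ACTIONS = {"DeleteMessage", "MarkAsRead", "MoveToFolder", "StopProcessingRules"}
# Words from bounces, auto-replies and "is this legit?" replies the attacker wants hidden.
SUSPICIOUS_WORDS = {"undeliverable", "out of office", "automatic reply",
                    "phishing", "suspicious", "hacked", "legit"}

# Constructed audit records (not real data), shaped like New-InboxRule audit entries.
SAMPLE_AUDIT = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "undeliverable;out of office;phishing"},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.2",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@example.net"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "carol@example.com", "ClientIP": "198.51.100.9",
                "Parameters": []}),
]

def parse_params(record):
    """Flatten the name/value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def rule_findings(record):
    """Return reasons an inbox-rule event looks like attacker cleanup (empty if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = parse_params(record)
    reasons = []
    hiding = sorted(a for a in HIDING_ACTIONS if params.get(a) not in (None, "False"))
    if hiding:
        reasons.append("hides mail: " + ",".join(hiding))
    filters = " ".join(v for k, v in params.items() if "ContainsWords" in k).lower()
    hits = sorted(w for w in SUSPICIOUS_WORDS if w in filters)
    if hits:
        reasons.append("filters on: " + ",".join(hits))
    if len(params.get("Name", "")) <= 2:
        reasons.append("near-empty rule name")
    # A legitimate "move newsletters" rule hides mail too; alert only when
    # a hiding action is combined with at least one other indicator.
    return reasons if hiding and len(reasons) > 1 else []

def find_suspicious_rules(audit_lines):
    """Return (user, client IP, reasons) for each flagged rule-creation event."""
    out = []
    for line in audit_lines:
        rec = json.loads(line)
        reasons = rule_findings(rec)
        if reasons:
            out.append((rec["UserId"], rec.get("ClientIP"), reasons))
    return out
```

The client IP is returned alongside each hit so it can be compared with the user's usual sign-in locations, since the rules are typically created from the attacker's own address.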
While phishing-resistant MFA options, such as FIDO2 security keys, passkeys, or certificate-based authentication, are the most effective at preventing AiTM attacks, the implementation of any MFA is still a critical step in protecting accounts from unauthorized access. Microsoft stresses that despite the evolution of phishing techniques, MFA continues to be a highly effective defense against a wide variety of threats.
This AiTM phishing campaign targeting the energy sector underscores the evolving threat landscape and the need for organizations to adopt advanced security measures beyond basic password protection. By combining MFA with vigilant monitoring and immediate remediation steps, businesses can better safeguard against such complex cyberattacks.