
Microsoft Flags Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms

Medium
Phishing
Published: Fri Jan 23 2026 (01/23/2026, 08:25:00 UTC)
Source: The Hacker News

Description

Microsoft has warned of a multi‑stage adversary‑in‑the‑middle (AitM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector. "The campaign abused SharePoint file‑sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness," the Microsoft Defender Security Research Team said.

AI-Powered Analysis

Last updated: 01/23/2026, 08:35:17 UTC

Technical Analysis

The threat described is a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign primarily targeting organizations in the energy sector. The attack begins with phishing emails sent from compromised legitimate email accounts belonging to trusted organizations, leveraging the familiarity and trust associated with SharePoint file-sharing services. These emails contain links that redirect victims to fake credential prompts designed to harvest login credentials. Once credentials and session cookies are stolen, attackers create inbox rules that automatically delete incoming emails and mark them as read, effectively hiding their activities from the victim. This allows the attackers to maintain persistence within the compromised accounts and conduct extensive intra- and inter-organizational phishing campaigns, sending hundreds of emails to contacts to expand their reach.

The attackers also delete undelivered and out-of-office messages and reassure recipients to maintain trust and avoid detection. The campaign uses the living-off-trusted-sites (LOTS) technique, weaponizing legitimate cloud services like SharePoint and OneDrive to bypass email security filters and detection mechanisms.

Microsoft emphasizes that simple password resets are insufficient for remediation; organizations must revoke active session tokens and remove malicious inbox rules. The campaign reflects a broader trend of threat actors abusing trusted cloud platforms to stage phishing and malware delivery, complicating detection and defense. Microsoft recommends deploying phishing-resistant multi-factor authentication (MFA), conditional access policies, continuous access evaluation, and advanced anti-phishing tools that monitor both emails and visited websites. The attack's operational complexity and stealth tactics make it a significant threat to targeted organizations.

Potential Impact

For European organizations, particularly those in the energy sector, this threat poses substantial risks to confidentiality, integrity, and availability of critical communications and data. Successful compromise can lead to unauthorized access to sensitive corporate information, disruption of business operations through manipulation or deletion of emails, and potential lateral movement within and across organizations. The use of trusted cloud services like SharePoint to deliver phishing payloads increases the likelihood of successful attacks by bypassing traditional email security filters. Persistent access through inbox rule manipulation allows attackers to maintain long-term footholds, increasing the risk of further exploitation such as financial fraud, intellectual property theft, or sabotage. Given the strategic importance of energy infrastructure in Europe, such attacks could have cascading effects on national security and economic stability. The stealthy nature of the campaign complicates detection and response, potentially allowing attackers to operate undetected for extended periods. Additionally, the campaign's scale and use of legitimate internal identities to propagate phishing increase the risk of widespread compromise within interconnected organizations. The medium severity rating reflects the significant operational impact balanced against the need for some user interaction and initial phishing success.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to the specific tactics used in this campaign.

1. Deploy phishing-resistant multi-factor authentication (MFA) methods such as hardware security keys (FIDO2/WebAuthn) to prevent credential theft leading to account compromise.
2. Enforce conditional access policies that restrict access based on device compliance, location, and risk signals to limit attacker movement.
3. Implement continuous access evaluation to promptly revoke active sessions and tokens upon detection of suspicious activity.
4. Regularly audit and monitor mailbox rules for unauthorized changes, and automate alerts for suspicious inbox rule creations or modifications.
5. Deploy advanced anti-phishing solutions that analyze email content, URLs, and user behavior, including scanning links in real time and blocking LOTS (living-off-trusted-sites) techniques.
6. Conduct targeted user awareness training focused on recognizing sophisticated phishing tactics leveraging trusted cloud services and homoglyph attacks.
7. Establish incident response playbooks that include steps for revoking session cookies, removing malicious inbox rules, and restoring mailbox integrity.
8. Collaborate with identity providers and cloud service vendors to leverage their security features and threat intelligence for proactive defense.
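The inbox-rule audit step above can be automated. The following is an added example written for this page, not code from Microsoft, The Hacker News, or the analysis platform: it triages rule-creation events for the hiding behaviour described (deleting matching mail, marking it read, burying it in an unlikely folder, or diverting it elsewhere) and scores rules that are keyed on bounce or out-of-office wording higher, since suppressing those notifications is how the campaign conceals the attacker's own sends. The record layout is an assumption modelled on New-InboxRule / Set-InboxRule entries in the Microsoft 365 unified audit log (Operation, UserId, CreationTime, and Parameters as Name/Value pairs); the folder list, the auto-reply terms, the weights, and all sample records are constructed for the example.

```python
"""Triage Exchange inbox-rule audit events for actions that hide mail from the
mailbox owner (delete, mark as read, bury in a folder, or divert elsewhere).

ASSUMPTION: record layout follows New-InboxRule / Set-InboxRule entries in the
Microsoft 365 unified audit log (Operation, UserId, CreationTime, Parameters as
a list of {Name, Value}); adapt the field names to your own export.
"""
import json
from dataclasses import dataclass, field

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders a mailbox owner rarely reads; used to bury mail (assumed list).
BURY_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email",
                "archive", "conversation history"}
# Wording of bounces and out-of-office replies that a BEC actor suppresses so
# the owner never learns mail was sent from the account (assumed list).
AUTOREPLY_TERMS = {"undeliverable", "out of office", "automatic reply",
                   "delivery status", "delivery failure"}
DIVERT_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


@dataclass
class Finding:
    user: str
    rule_name: str
    created: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, weight, reason):
        self.score += weight
        self.reasons.append(reason)


def _param_map(record):
    """Flatten the Parameters list into {name: value-as-string}."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_true(value):
    return value.strip().lower() in {"true", "$true", "1"}


def assess_rule(record):
    """Return a Finding for one audit record, or None if the rule hides nothing."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _param_map(record)
    f = Finding(user=record.get("UserId", "?"), rule_name=params.get("Name", "<unnamed>"),
                created=record.get("CreationTime", ""))
    if _is_true(params.get("DeleteMessage", "")):
        f.add(2, "deletes matching mail")
    if _is_true(params.get("MarkAsRead", "")):
        f.add(1, "marks matching mail as read")
    folder = params.get("MoveToFolder", "").split("\\")[-1].strip().lower()
    if folder in BURY_FOLDERS:
        f.add(2, f"moves mail to {folder!r}")
    for p in DIVERT_PARAMS:
        if params.get(p):
            f.add(3, f"{p} -> {params[p]}")
    if not f.reasons:
        return None  # rule only files or categorises mail; nothing is hidden
    # A hiding rule scoped to bounce / auto-reply wording matches the cleanup
    # step of an actor sending phishing from the compromised account.
    words = (params.get("SubjectContainsWords", "") + ";" + params.get("BodyContainsWords", "")).lower()
    if any(term in words for term in AUTOREPLY_TERMS):
        f.add(1, "targets bounce / auto-reply notifications")
    return f


def triage(records):
    """Assess every record and return findings, highest score first."""
    findings = [f for f in (assess_rule(r) for r in records) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample export: two hiding rules, one benign rule, one unrelated event.
SAMPLE_AUDIT = json.dumps([
    {"CreationTime": "2026-01-20T07:12:41", "Operation": "New-InboxRule",
     "UserId": "j.doe@example-energy.test",
     "Parameters": [{"Name": "Name", "Value": "Clean up"},
                    {"Name": "SubjectContainsWords", "Value": "shared;Undeliverable;Automatic reply"},
                    {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-01-20T09:30:05", "Operation": "Set-InboxRule",
     "UserId": "a.smith@example-energy.test",
     "Parameters": [{"Name": "Name", "Value": "Vendor mail"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    {"CreationTime": "2026-01-21T11:02:17", "Operation": "New-InboxRule",
     "UserId": "k.lee@example-energy.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]},
    {"CreationTime": "2026-01-21T11:05:00", "Operation": "MailItemsAccessed",
     "UserId": "k.lee@example-energy.test", "Parameters": []},
])


def load_sample():
    return json.loads(SAMPLE_AUDIT)


if __name__ == "__main__":
    for f in triage(load_sample()):
        print(f"[{f.score}] {f.user} rule {f.rule_name!r} ({f.created}): " + "; ".join(f.reasons))
```

Run against a real export, each finding is a candidate for the playbook in step 7: remove the rule, revoke the account's sessions, and review what the account sent while the rule was active. The benign "Newsletters" rule produces no finding because filing mail into a user-named folder is not a hiding action.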


Technical Details

Article Source
URL: https://thehackernews.com/2026/01/microsoft-flags-multi-stage-aitm.html (fetched 2026-01-23T08:35:03Z, 1648 words)

Threat ID: 697332b74623b1157c1fcdcd

Added to database: 1/23/2026, 8:35:03 AM

Last enriched: 1/23/2026, 8:35:17 AM

Last updated: 2/7/2026, 6:35:06 PM

Views: 180

