Saved February 14, 2026
Do you care about this?
Microsoft has identified a multi-stage phishing campaign targeting the energy sector, utilizing compromised SharePoint accounts to deliver malicious links. Attackers leverage trusted identities to send phishing emails and create inbox rules, maintaining persistence while evading detection. Organizations are urged to implement stronger security measures, including phishing-resistant MFA.
If you do, here's more
Microsoft has raised alarms about a sophisticated multi-stage adversary-in-the-middle (AitM) phishing campaign targeting the energy sector. Attackers exploited SharePoint to deliver phishing links, using trusted email accounts to lend credibility to their messages. By mimicking legitimate SharePoint workflows, they tricked users into clicking links that led to fake credential prompts. Once they gained access to victim accounts, the attackers set up inbox rules to delete incoming emails and mark them as read, effectively covering their tracks while launching further phishing attacks.
One notable incident involved the attackers sending over 600 phishing emails to contacts of a compromised user, both internally and externally. They deleted undelivered emails and reassured recipients about the authenticity of the messages, further obscuring their activities. Microsoft emphasized that simply resetting passwords won't suffice; organizations must revoke session cookies and delete any inbox rules set up by the attackers. It remains unclear how many organizations were affected or if a known cybercrime group is behind this campaign.
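To find the inbox rules that need deleting, a responder can search mailbox audit records for rules that both delete incoming mail and mark it as read. The sketch below is an added example, not taken from the article or from Microsoft: the record layout (JSON lines with `Operation`, `UserId` and a `Parameters` name/value list) is an assumption and the sample records are constructed.

```python
import json

# Exchange cmdlets that create or modify an inbox rule.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Actions the campaign combined: delete incoming mail and mark it as read.
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead")
# Rule conditions; a rule with none of these applies to every incoming message.
CONDITIONS = {"From", "SubjectContainsWords", "BodyContainsWords",
              "SubjectOrBodyContainsWords", "FromAddressContainsWords"}

# Constructed sample records; the field layout is an assumption for this example.
SAMPLE_LOG = """\
{"CreationTime":"2026-01-10T08:01:00","UserId":"alice@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-01-10T09:15:00","UserId":"bob@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@example.org"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2026-01-10T09:40:00","UserId":"carol@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"cleanup"},{"Name":"SubjectContainsWords","Value":"unsubscribe"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-01-10T10:02:00","UserId":"alice@example.com","Operation":"MailItemsAccessed","Parameters":[]}
"""

def enabled(params, name):
    """True when a switch-style rule parameter is set to true."""
    return str(params.get(name, "")).lower() in ("true", "$true")

def find_hiding_rules(log_text):
    """Return rule changes that delete incoming mail and mark it as read."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        if not all(enabled(params, a) for a in HIDING_ACTIONS):
            continue
        # No condition means the rule hides all incoming mail, not one sender or topic.
        unconditional = not (CONDITIONS & params.keys())
        findings.append({"user": rec["UserId"], "time": rec["CreationTime"],
                         "rule": params.get("Name") or params.get("Identity"),
                         "severity": "high" if unconditional else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_hiding_rules(SAMPLE_LOG):
        print(finding)
```

Rules flagged `high` apply to every incoming message; `review` hits carry a condition and are more likely to be ordinary user clean-up rules, so confirm with the mailbox owner before deleting them.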
The article also highlights a broader trend of threat actors exploiting trusted services like Google Drive and AWS for phishing. This approach saves attackers from having to maintain their own infrastructure while making their activities appear legitimate. In a related development, Okta reported on custom phishing kits used in voice phishing campaigns targeting major platforms. These kits allow attackers to control the authentication flow in real time, potentially bypassing multi-factor authentication. Techniques like homoglyph attacks, where malicious domains closely mimic legitimate ones, add another layer of deception, making it easier for attackers to mislead victims.