Microsoft SharePoint exploited in multi-stage attack on energy firms

The energy sector has long been a prime target for high-level cyber espionage, but a recent wave of attacks shows how effectively a familiar office tool can be turned into a way in. Security researchers at Microsoft recently published details of a campaign in which SharePoint document-sharing lures were used to infiltrate multiple energy firms; what was abused was the trust users place in the product, not a flaw in it. This was not a simple smash-and-grab job. It was a methodical, multi-stage operation that relied on that everyday trust in collaboration tools to sidestep multi-factor authentication by stealing sessions that had already passed MFA.

The attackers did not start by trying to break down the front door. They first compromised trusted vendors and then used those legitimate accounts to send the phishing lures. Because the messages came from real partner mailboxes and carried familiar document-sharing themes, they slipped past the mental filters employees apply to suspicious mail. Mail sent from a genuine, previously trusted sender also passes the sender-authentication and reputation checks that would have stopped a spoofed address.

The mechanics of the silent takeover

The credential theft itself used an Adversary-in-the-Middle (AiTM) technique. When a user clicked the link in the email, expecting a standard proposal or NDA, they landed on a fake login page. Rather than a static copy, that page acted as a bridge: it relayed what the user typed to the real sign-in service, so the login and the MFA prompt completed normally, while capturing the credentials and the session token the service issued in real time.

This is a massive headache for security teams because the stolen session cookie represents a login that has already satisfied MFA. Replaying that cookie from the attacker's own machine needs no second factor, so having MFA enabled offered the employee no protection once the cookie was captured. With that session in hand, the attackers had full access to the corporate inbox. After getting in, they immediately created inbox rules that deleted incoming messages and marked them as read, which blinded the real account owner to security alerts and to colleagues asking whether the links were genuine.
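The inbox rules described above leave a trace in the mailbox audit trail, and that trace is one of the cheapest places to catch a takeover early. The following is an added example, not code from Microsoft or from the campaign write-up: it runs a small detection over constructed audit records whose shape is an assumption modeled on Exchange Online inbox-rule events (one JSON record per line, with an Operation name and a list of Name/Value parameters). It flags rules that delete or mark mail as read, park mail in folders nobody looks at, carry throwaway names, or key on security-related subject words.

```python
import json

# Constructed sample records, an assumption modeled on Exchange Online
# unified-audit-log entries for inbox-rule operations. They are NOT logs
# from the incident described on this page.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({
        "CreationTime": "2026-01-20T09:14:03",
        "Operation": "New-InboxRule",
        "UserId": "analyst@example.com",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords",
             "Value": "sharepoint;password;suspicious;hacked"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2026-01-20T09:16:41",
        "Operation": "New-InboxRule",
        "UserId": "analyst@example.com",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "Filter"},
            {"Name": "FromAddressContainsWords", "Value": "security@"},
            {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        ],
    }),
    json.dumps({  # a benign rule, should not be flagged
        "CreationTime": "2026-01-21T13:02:10",
        "Operation": "New-InboxRule",
        "UserId": "pm@example.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor invoices"},
            {"Name": "FromAddressContainsWords", "Value": "billing@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Invoices"},
        ],
    }),
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders attackers use to hide mail from the real owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}
# Subject/body words attackers filter on to suppress warnings.
ALERT_KEYWORDS = {"password", "phish", "suspicious", "hacked", "compromise",
                  "fraud", "security", "mfa", "sharepoint", "invoice"}


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def suspicious_reasons(record):
    """Return the reasons an inbox-rule record looks like attacker
    post-compromise housekeeping; an empty list means nothing flagged."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    if str(p.get("DeleteMessage", "")).lower() == "true":
        reasons.append("rule deletes matching mail")
    if str(p.get("MarkAsRead", "")).lower() == "true":
        reasons.append("rule marks matching mail as read")
    folder = str(p.get("MoveToFolder", ""))
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"rule moves mail into rarely viewed folder '{folder}'")
    name = str(p.get("Name", ""))
    if len(name) <= 2:
        reasons.append(f"rule has a throwaway name {name!r}")
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                "BodyContainsWords"):
        words = {w.strip().lower() for w in str(p.get(key, "")).split(";")
                 if w.strip()}
        hits = sorted(words & ALERT_KEYWORDS)
        if hits:
            reasons.append(f"{key} targets security-related terms {hits}")
    return reasons


def find_suspicious_rules(lines):
    """Parse one JSON audit record per line and return the flagged ones."""
    findings = []
    for line in lines:
        record = json.loads(line)
        reasons = suspicious_reasons(record)
        if reasons:
            findings.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "client_ip": record.get("ClientIP"),
                "rule_name": _params(record).get("Name"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_AUDIT_RECORDS):
        print(finding)
```

In practice the interesting signal is the combination: a rule like the first one created minutes after a sign-in from an IP the user has never used, followed by a burst of outbound mail from the same mailbox. The ClientIP and CreationTime fields are kept in each finding so the rule event can be joined against sign-in and send logs.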

Turning one compromise into hundreds

The scale of the attack on the energy firms became apparent in the second phase. The hackers did not just sit quietly in one inbox. They used the compromised accounts to send over 600 new phishing emails to contacts both inside and outside the targeted organizations, specifically picking people involved in recent email threads so the messages looked as authentic as possible.

In a move that shows a high level of operational maturity, the attackers actually monitored the hijacked inboxes for replies. If someone wrote back asking if the link was legitimate, the hacker would reply personally to reassure them before quickly deleting the evidence. By acting as the “helpful colleague,” they were able to keep the scam going much longer than a typical automated bot would.

Why standard fixes are falling short

For years, the gold standard for fixing a hacked account has been a simple password reset. This incident shows why that alone is no longer enough. The attackers held session tokens captured by the AiTM page, and a session token is validated independently of the password: changing the password does nothing to kick the attacker out of an active, hijacked session, which stays usable until it expires or is explicitly revoked.

The Microsoft Defender team noted that it had to work with the affected energy firms to revoke active session cookies and undo the changes the attackers had made to MFA settings. In some cases the hackers had registered their own backup devices as authentication methods so they could get back in even after the initial password was changed, so any method added during the compromise window has to be found and removed, not just the password rotated. It highlights a shift in the landscape where “logging in” has replaced “breaking in” as the primary threat.
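The reason a password reset is not enough, and what containment has to do instead, is easiest to see in a small model. The following is an added example, not Microsoft's implementation or any code from the incident: it is a hypothetical account model in which a session token is an HMAC-signed issue timestamp, passwords are stored as a toy hash, and revocation is a per-account watermark (the field name sessions_valid_after is an assumption). It walks through the incident in order: the AiTM capture of a post-MFA session, a rogue backup MFA device, a password reset that leaves the stolen token working, and the revocation plus MFA audit that actually closes the door.

```python
import hashlib
import hmac
import secrets
import time


class Account:
    """Hypothetical identity-provider account state (an assumption for
    this example, not any vendor's implementation)."""

    def __init__(self, username, password):
        self.username = username
        self.password_hash = self._hash(password)
        self.sessions_valid_after = 0.0   # revocation watermark (epoch seconds)
        self.mfa_methods = []             # (method_name, registered_at) tuples
        self.signing_key = secrets.token_bytes(32)

    @staticmethod
    def _hash(password):
        # Toy hash for illustration; a real system uses a slow password KDF.
        return hashlib.sha256(password.encode()).hexdigest()

    def change_password(self, new_password):
        """A bare password reset. Note it does NOT touch issued sessions."""
        self.password_hash = self._hash(new_password)

    def revoke_sessions(self, now=None):
        """Invalidate every session issued before this instant."""
        self.sessions_valid_after = time.time() if now is None else now

    def add_mfa_method(self, name, registered_at):
        self.mfa_methods.append((name, registered_at))

    def mfa_methods_added_since(self, since):
        """MFA methods registered during or after the compromise window."""
        return [name for name, ts in self.mfa_methods if ts >= since]

    def issue_session(self, issued_at):
        # Issued only after a full password + MFA login. The token carries
        # no password material, which is exactly why a reset cannot kill it.
        ts_str = f"{issued_at:.6f}"
        tag = hmac.new(self.signing_key, ts_str.encode(), hashlib.sha256).hexdigest()
        return f"{ts_str}|{tag}"

    def session_is_valid(self, token):
        try:
            ts_str, tag = token.split("|", 1)
            issued_at = float(ts_str)
        except ValueError:
            return False
        expected = hmac.new(self.signing_key, ts_str.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        # The only account-side state consulted is the revocation watermark.
        return issued_at >= self.sessions_valid_after


def incident_walkthrough():
    """Replays the incident timeline on the model; times are constructed."""
    acct = Account("analyst@example.com", "Winter2025!")
    acct.add_mfa_method("authenticator-app", registered_at=1000.0)

    # t=2000: the victim completes password + MFA through the AiTM page and
    # the proxy captures the session token the real service issued.
    stolen = acct.issue_session(issued_at=2000.0)

    # t=2100: attacker registers a backup device for persistence.
    acct.add_mfa_method("backup-phone-attacker", registered_at=2100.0)

    # t=3000: helpdesk resets the password. The stolen session still works.
    acct.change_password("Spring2026!")
    valid_after_reset = acct.session_is_valid(stolen)

    # t=3100: proper containment: revoke sessions, then audit MFA methods.
    acct.revoke_sessions(now=3100.0)
    valid_after_revoke = acct.session_is_valid(stolen)
    rogue_methods = acct.mfa_methods_added_since(since=2000.0)

    # The real user's next login after revocation is unaffected.
    fresh = acct.issue_session(issued_at=3200.0)
    return {
        "stolen_token_valid_after_password_reset": valid_after_reset,
        "stolen_token_valid_after_revocation": valid_after_revoke,
        "mfa_methods_added_during_compromise": rogue_methods,
        "fresh_session_valid": acct.session_is_valid(fresh),
    }


if __name__ == "__main__":
    for key, value in incident_walkthrough().items():
        print(f"{key}: {value}")
```

The order matters: revoke sessions first, then remove any authentication method registered in the compromise window, then reset the password. Doing the reset first gives a false sense of closure while the attacker's token and backup device both remain valid.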

Microsoft confirmed that the specific campaign targeting these energy firms was identified and disrupted in late January 2026. While the immediate threat has been contained, the tactics used are expected to be adopted by other groups throughout the year.