Energy Sector Orgs Targeted with AiTM Phishing Campaign

Help Net Security • January 22, 2026

Companies Mentioned

Microsoft (MSFT)

Why It Matters

Energy firms face heightened operational risk as stolen session cookies bypass traditional MFA, enabling large‑scale credential harvesting and email manipulation. The attack underscores the urgency for stronger identity protection across critical infrastructure.

Key Takeaways

  • Phishing emails spoof trusted energy organization addresses
  • Fake SharePoint login harvests credentials and session cookies
  • Attackers add inbox rules to delete and hide emails
  • Compromised accounts launch further AiTM phishing to contacts
  • FIDO2 keys and passkeys recommended over SMS MFA

Pulse Analysis

The energy sector has become a prime target for advanced phishing because its organizations manage critical infrastructure and often possess valuable data. Attackers exploit this by compromising legitimate email accounts, a tactic that blends social engineering with technical finesse. By embedding a seemingly innocuous SharePoint link in a “NEW PROPOSAL – NDA” subject line, they bypass many conventional email filters, leveraging the trust users place in familiar internal communications. This approach reflects a broader trend where threat actors prioritize credential‑stealing techniques that can be amplified across an organization’s network.

At the core of this campaign is an Adversary‑in‑the‑Middle (AiTM) strategy that steals session cookies after victims enter credentials on a counterfeit login page. Unlike simple password theft, cookie hijacking grants attackers immediate access without triggering MFA prompts, allowing them to create inbox rules that silently purge incoming messages and mask their activity. The use of specific IP addresses for sign‑in further evades detection by appearing as legitimate remote access. Once the compromised mailbox is under control, the attackers weaponize the victim’s contact list, dispatching hundreds of follow‑up phishing URLs that propagate the AiTM technique to new targets, effectively turning each victim into a relay node.

Mitigating such attacks requires more than routine password resets. Organizations must revoke active session cookies, audit and remove unauthorized inbox rules, and verify that no rogue MFA policies have been added. Deploying phishing‑resistant authentication methods—such as FIDO2 security keys, passkeys, or certificate‑based solutions—provides a stronger barrier against cookie theft. Coupled with continuous user education and advanced threat detection that monitors anomalous sign‑in behavior, these measures can significantly reduce the attack surface for energy firms and other critical‑infrastructure entities.
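As an added example (not code from the article or from Help Net Security), the check below scans constructed Exchange-style admin audit records for inbox rules that delete, mark as read, or hide incoming mail, the post-compromise rules described above, and then correlates the client IPs that planted such rules in more than one mailbox, which is the relay pattern the analysis warns about. The record shape, the folder list, and all user, IP and timestamp values are assumptions made for this example.

```python
import json
from collections import defaultdict
# Constructed sample audit lines (one JSON object per line), modeled on the
# shape of Exchange Online admin-audit events: an Operation plus a list of
# Name/Value cmdlet parameters. Users, IPs and times are made up.
SAMPLE_AUDIT_LOG = r"""
{"CreationTime":"2026-01-20T08:14:02","UserId":"a.user@energy.example","ClientIP":"203.0.113.45","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"proposal;NDA;invoice"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-01-20T09:01:11","UserId":"b.user@energy.example","ClientIP":"198.51.100.7","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Vendor newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-01-20T09:30:45","UserId":"c.user@energy.example","ClientIP":"203.0.113.45","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"Archive"},{"Name":"MoveToFolder","Value":"\\RSS Subscriptions"},{"Name":"FromAddressContainsWords","Value":"energy.example"}]}
"""

# Folders a victim rarely opens; rules routing mail there hide it in practice
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "archive", "conversation history"}

def suspicious_reasons(record):
    """Reasons an inbox-rule event looks like post-compromise mail hiding."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    # MoveToFolder may arrive as a path; keep only the leaf folder name
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip()
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    name = p.get("Name", "")
    if name and len(name.strip(" .,_-")) <= 1:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons

def find_suspicious_rules(text):
    """Return (user, client_ip, reasons) for each flagged rule event."""
    findings = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append((rec["UserId"], rec["ClientIP"], reasons))
    return findings

def ips_touching_multiple_mailboxes(findings):
    """Client IPs that planted suspicious rules in more than one mailbox."""
    users_by_ip = defaultdict(set)
    for user, ip, _ in findings:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) > 1}
```

Run against a real export, a single MarkAsRead hit on its own is low confidence; the delete and hidden-folder reasons, and the same client IP appearing across several mailboxes, are the signals worth paging on.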

Read the original article: Energy sector orgs targeted with AiTM phishing campaign (Help Net Security)