Introduction
The rise of AiTM phishing in Microsoft 365 environments
Adversary-in-the-middle phishing, or AiTM phishing, has become one of the most effective ways to steal Microsoft 365 access. Instead of only collecting a username and password, these attacks can also capture authenticated sessions, including tokens that help attackers get around standard MFA prompts.
That shift matters because many organizations have improved password hygiene, but attackers have adapted. They now focus on stealing the live session after a user signs in, which gives them a faster path to account takeover.
Why trusted SharePoint workflows are being abused by attackers
SharePoint is widely used for file sharing, collaboration, and internal communication. Because employees expect file notifications, document requests, and collaboration prompts, attackers can disguise phishing messages as routine business activity.
A fake SharePoint or Microsoft 365 sharing alert can feel normal enough to click without much scrutiny. That trust lowers the victim’s guard and makes the lure more convincing than a generic phishing email.
How credential theft escalates into business email compromise
Once an attacker gets into a Microsoft 365 account, the goal often moves beyond simple access. They read email threads, learn who approves payments, identify vendors, and then insert themselves into financial conversations.
This is how stolen credentials turn into business email compromise, or BEC. A single compromised inbox can become the launch point for invoice fraud, executive impersonation, and broader internal phishing.
Understanding AiTM Phishing and SharePoint Abuse
What adversary-in-the-middle phishing is
AiTM phishing places a malicious server between the user and the legitimate sign-in page. To the victim, the page appears to be a normal Microsoft login experience. In reality, the attacker is relaying traffic back and forth while collecting sensitive authentication data.
Unlike older phishing kits that only steal passwords, AiTM campaigns are built to capture the full login flow. That can include credentials, session cookies, and tokens that allow the attacker to act as the user.
How attackers intercept sessions, credentials, and MFA tokens
The process usually starts when a victim clicks a phishing link and lands on a convincing fake portal. The victim enters credentials and completes MFA, believing they are signing in to Microsoft 365.
Because the attacker is sitting in the middle of the transaction, they can capture the session artifacts created after successful authentication. In practical terms, this means the attacker may not need to defeat the MFA method itself; they only need the authenticated session that follows it.
Why Microsoft 365 and SharePoint are high-value targets
Microsoft 365 holds email, calendars, files, chats, contacts, and business workflows in one place. A single successful compromise can expose finance requests, legal documents, HR records, and executive communications.
SharePoint increases that value because it often contains shared files, project spaces, and externally accessible collaboration links. For attackers, it is both a rich data source and a believable theme for phishing lures.
How legitimate file-sharing notifications increase victim trust
Users are trained by daily work to open document links quickly. A message that says someone shared a contract, invoice, or proposal through SharePoint matches normal behavior, especially in remote and hybrid teams.
That familiarity is the advantage. Attackers do not need to invent a strange story when they can mimic a common file-sharing workflow that already feels safe.
How the Attack Chain Works
Delivery through spoofed or compromised email accounts
Many campaigns begin with a phishing email sent from a spoofed domain or a real compromised mailbox. If the message comes from a known vendor, partner, or internal user, the likelihood of engagement rises sharply.
Attackers often keep the message simple, for example, a note that says a file has been shared or a document needs urgent review. The less text there is, the fewer clues there are for the recipient to question it.
Redirecting users to fake Microsoft 365 sign-in portals
After the click, the victim is sent to a page that closely imitates Microsoft branding. The page may use logos, tenant references, and realistic formatting to make the login request feel routine.
Some campaigns add extra redirects or use lookalike domains to hide the final destination. This makes the path harder to inspect and can help the attack avoid casual detection.
Session hijacking and token capture after authentication
When the user signs in and completes MFA, the attacker captures the resulting session token or cookie. This is the key moment in the attack, because it can let the attacker access the account without repeating the same login challenge.
In short, the attacker piggybacks on the user’s legitimate authentication. That is why AiTM phishing is especially dangerous in environments that rely on basic MFA alone.
Account takeover inside Microsoft 365
With access to the account, the attacker typically reviews the mailbox, contact patterns, and recent conversations. They may search for terms like invoice, payment, bank, payroll, gift card, or wire transfer to find high-value threads quickly.
They may also create inbox rules, hide messages, register forwarding rules, or move deeper into OneDrive, SharePoint, and Teams. The longer they remain unnoticed, the more convincing their follow-on activity becomes.
Transition from credential theft to internal and external BEC fraud
Once they understand how your business communicates, attackers can send emails that blend into active conversations. A payment update inserted into an existing thread is far more believable than a cold request from an unknown sender.
This is where the financial damage often occurs. The attacker uses trust already established in the relationship, then redirects funds, changes banking details, or pressures staff into urgent approvals.
Key takeaway:
- AiTM phishing is not just a login threat; it is often the first step toward account takeover and BEC.
- SharePoint-themed lures work because they imitate everyday collaboration patterns.
- Compromised Microsoft 365 accounts give attackers both data access and social credibility.
Common Risks and Business Impact
Unauthorized access to email, files, and collaboration platforms
A compromised Microsoft 365 account can expose much more than email. Attackers may gain access to shared documents, calendars, internal chat history, and project workspaces that reveal how your organization operates.
This broader visibility helps them plan later moves. It also increases the chance that sensitive business data will be copied, altered, or exfiltrated.
Financial fraud through invoice redirection and payment manipulation
BEC commonly leads to fraudulent payment requests. An attacker may modify an invoice, send revised bank details, or impersonate an executive asking for an urgent transfer.
These requests often succeed because they arrive in real conversation threads from a trusted mailbox. By the time the fraud is discovered, funds may already be gone.
Lateral phishing from compromised trusted accounts
Once inside one mailbox, attackers often target coworkers, customers, and vendors using that same account. Since the sender is legitimate, recipients are more likely to open links, approve requests, or share files.
This lateral spread can turn one compromised identity into a wider security incident across departments and business partners.
Data exposure through SharePoint, OneDrive, and Teams access
Cloud collaboration tools make work faster, but they also centralize valuable information. Access to SharePoint and OneDrive may reveal contracts, product plans, employee records, or customer documents.
In some cases, attackers also abuse existing sharing permissions to move sensitive files externally. If external sharing is broad or poorly monitored, data loss can happen quietly.
Compliance, legal, and reputational consequences
Credential theft and BEC incidents often trigger more than operational disruption. If personal data, financial records, or regulated information is exposed, your organization may face reporting obligations, legal review, and customer scrutiny.
The reputational damage can last longer than the technical cleanup. Partners and clients may question whether your communication channels can still be trusted.
Indicators of AiTM and BEC Activity
Unusual login behavior and impossible travel events
One of the earliest warning signs is suspicious authentication activity. This may include sign-ins from unfamiliar locations, impossible travel patterns, or logins at times that do not match the user’s normal behavior.
Security teams should review sign-in logs regularly and correlate them with device and session context, not just successful password use.
Suspicious inbox rule creation and mailbox forwarding
Attackers often create rules that hide their activity. For example, they may automatically move replies about payments into RSS, Archive, or deleted folders so the real user does not notice.
Unexpected forwarding rules are also important to investigate. They can signal an attempt to monitor conversations even after access is disrupted.
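As an added example that is not part of the original article, the following Python shows how the two indicators above, impossible travel between consecutive sign-ins and inbox rules that hide, delete or forward finance-related mail, could be checked over exported sign-in and mailbox-rule audit events. The events, user names, IP addresses, folder names, keyword list and the 900 km/h threshold are all constructed assumptions for illustration, not real log data or any product's detection logic.

```python
"""Toy detections for two AiTM/BEC indicators: impossible-travel sign-ins
and suspicious inbox rules. All sample events below are constructed."""
import math
from datetime import datetime

# Constructed sample sign-in events (hypothetical users, documentation IPs).
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:02:00Z", "lat": 51.51, "lon": -0.13, "ip": "203.0.113.10"},    # London
    {"user": "alice@example.com", "time": "2024-05-01T08:41:00Z", "lat": 40.71, "lon": -74.01, "ip": "198.51.100.7"},   # New York
    {"user": "bob@example.com",   "time": "2024-05-01T09:00:00Z", "lat": 48.86, "lon": 2.35,   "ip": "203.0.113.22"},   # Paris
    {"user": "bob@example.com",   "time": "2024-05-01T17:30:00Z", "lat": 51.51, "lon": -0.13,  "ip": "203.0.113.23"},   # London
]

# Constructed sample mailbox-rule audit events (shape is assumed, not a real schema).
RULE_EVENTS = [
    {"user": "alice@example.com", "rule_name": ".", "move_to": "RSS Feeds",
     "forward_to": None, "subject_contains": ["invoice", "payment"], "delete": False},
    {"user": "bob@example.com", "rule_name": "Newsletters", "move_to": "Newsletters",
     "forward_to": None, "subject_contains": ["digest"], "delete": False},
    {"user": "carol@example.com", "rule_name": "fwd", "move_to": None,
     "forward_to": "someone@external-example.net", "subject_contains": [], "delete": True},
]

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner speed; faster implies impossible travel
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email"}
FINANCE_TERMS = {"invoice", "payment", "bank", "payroll", "gift card", "wire"}
INTERNAL_DOMAIN = "example.com"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, speed_kmh, ip_a, ip_b) for consecutive sign-ins by the same
    user that would require travelling faster than max_kmh."""
    findings = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for a, b in zip(evs, evs[1:]):
            t_a = datetime.fromisoformat(a["time"].replace("Z", "+00:00"))
            t_b = datetime.fromisoformat(b["time"].replace("Z", "+00:00"))
            hours = (t_b - t_a).total_seconds() / 3600.0
            dist = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            # Two sign-ins at the same instant from different places are also impossible.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                findings.append((user, round(speed), a["ip"], b["ip"]))
    return findings


def suspicious_rules(events, internal_domain=INTERNAL_DOMAIN):
    """Flag rules showing traits the article describes: hiding or deleting
    finance-related mail, forwarding externally, or a throwaway rule name.
    Returns (user, [reasons]) for each rule with at least one reason."""
    findings = []
    for ev in events:
        reasons = []
        folder = (ev.get("move_to") or "").lower()
        terms = {t.lower() for t in ev.get("subject_contains", [])}
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to rarely viewed folder '{ev['move_to']}'")
        if ev.get("delete"):
            reasons.append("deletes matching mail")
        fwd = ev.get("forward_to")
        if fwd and not fwd.lower().endswith("@" + internal_domain):
            reasons.append(f"forwards to external address {fwd}")
        if terms & FINANCE_TERMS:
            reasons.append("matches finance keywords: " + ", ".join(sorted(terms & FINANCE_TERMS)))
        if len(ev.get("rule_name", "").strip()) <= 3:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, speed, ip_a, ip_b in impossible_travel(SIGN_INS):
        print(f"impossible travel: {user} {ip_a} -> {ip_b} (~{speed} km/h)")
    for user, reasons in suspicious_rules(RULE_EVENTS):
        print(f"suspicious rule for {user}: " + "; ".join(reasons))
```

Run it directly to print the findings for the constructed events: Alice's London-to-New-York pair 39 minutes apart is flagged, Bob's Paris-to-London commute is not, and the rules for Alice (finance mail hidden in RSS Feeds under a one-character name) and Carol (external forward plus delete) are reported while Bob's newsletter rule is left alone. In a real deployment the same scoring would run over exported sign-in logs and audit records, with the thresholds tuned to the organization.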
Abnormal SharePoint sharing activity
Watch for unusual file access, unexpected sharing invites, or a sudden increase in externally shared documents. These patterns can indicate either account takeover or misuse of collaboration tools after compromise.
It is especially important to review activity tied to sensitive sites, executive folders, and finance or legal workspaces.
Authentication patterns that bypass expected MFA protections
If users appear to authenticate successfully but there are signs of suspicious session reuse, that may point to token theft or session hijacking. Standard MFA reports alone may not tell the full story.
This is why identity monitoring should include session context, device trust, conditional access outcomes, and post-login behavior.
Vendor and executive impersonation in follow-on email threads
BEC often becomes visible when someone notices a strange payment request, a slight change in tone, or a bank account update sent in a live thread. These messages may come from the real mailbox or a lookalike domain.
If a message pressures secrecy, urgency, or payment change without a trusted secondary verification step, it deserves immediate review.
Best Practices to Defend Microsoft 365 Against AiTM and BEC
Enforce phishing-resistant MFA wherever possible
Not all MFA methods provide the same level of protection. Phishing-resistant approaches, such as passkeys or hardware-backed methods, are much harder for AiTM kits to exploit than basic codes delivered through weaker channels.
If your environment still relies heavily on legacy or easily relayed factors, upgrading your MFA strategy should be a priority.
Use conditional access and risk-based authentication controls
Conditional access can limit sign-ins based on device health, location, user risk, or application context. This reduces the chance that a stolen session from an untrusted environment becomes a full compromise.
Risk-based controls are especially useful for forcing step-up verification or blocking suspicious access before attackers can move further.
Restrict anonymous and overly permissive SharePoint sharing
Review how external sharing is configured across SharePoint and OneDrive. Anonymous links and broad default permissions can make data exposure worse after account takeover.
You can reduce risk by limiting public access, shortening link lifetimes, and requiring stronger controls for sensitive content.
Monitor OAuth apps, session activity, and mailbox rules
Attackers do not always stop at the mailbox. They may try to maintain persistence through app consent, forwarding rules, or other account changes that survive a password reset.
Regularly audit connected apps, active sessions, delegation settings, and newly created mailbox rules. These reviews help you find compromise that basic alerting may miss.
Train users to verify file-sharing requests and login prompts
User awareness still matters, but it should be practical and specific. Teach employees to pause before opening unexpected SharePoint notifications, especially when they involve urgency, external senders, or unusual login prompts.
Short just-in-time education is often more effective than annual training alone. Real examples of current lures help users recognize what they are likely to see.
Implement strong vendor payment verification workflows
Because BEC often targets payments, finance processes need independent safeguards. Bank detail changes, invoice updates, and wire requests should be confirmed through a separate trusted channel.
A simple callback to a known contact number can stop a costly mistake. The key is to verify using information already on file, not the details provided in the email.
Segment privileged accounts and apply least-privilege access
Administrative access should be tightly separated from everyday email and collaboration use. If a standard user account is compromised, the blast radius should remain limited.
Least-privilege design also reduces unnecessary access to sensitive SharePoint sites, executive mailboxes, and financial workflows.
Recommended Security Features for Microsoft 365 Protection
Advanced email authentication with SPF, DKIM, and DMARC
Email authentication helps receiving systems determine whether a message is authorized to use your domain. SPF, DKIM, and DMARC work together to reduce spoofing and improve domain trust.
They are not a complete defense against BEC or account takeover, but they are an important foundation for reducing impersonation risk.
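To make the "foundation" point concrete, here is an added example (not from the original article, and not any vendor's tooling) that parses SPF and DMARC TXT records and reports the settings that leave a domain open to impersonation: a permissive or missing `all` mechanism, too many DNS-lookup mechanisms, a DMARC policy of `none` or `quarantine`, partial `pct`, and no aggregate reporting address. The two sample domains and their records are constructed for illustration.

```python
"""Assess the strength of SPF and DMARC TXT records. The sample records are
constructed for this example and belong to no real domain."""
import re

# Constructed sample records for hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example.net +all",
        "dmarc": "v=DMARC1; p=none;",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@strong.example",
    },
}

DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10   # RFC 7208 section 4.6.4


def parse_spf(record):
    """Split an SPF record into qualified mechanisms and count DNS-lookup terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = {"all": None, "lookups": 0, "mechanisms": []}
    for term in terms[1:]:
        qualifier = "+"                     # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        parsed["mechanisms"].append((qualifier, term))
        if name == "all":
            parsed["all"] = qualifier
        elif name in DNS_LOOKUP_MECHANISMS:
            parsed["lookups"] += 1
    return parsed


def assess_spf(record):
    """Return a list of weaknesses; an empty list means none found by this check."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif spf["all"] in "+?":
        findings.append(f"'{spf['all']}all' lets any host send mail for the domain")
    elif spf["all"] == "~":
        findings.append("'~all' softfail: spoofed mail is marked, not rejected, unless DMARC enforces")
    if spf["lookups"] > SPF_LOOKUP_LIMIT:
        findings.append(f"{spf['lookups']} DNS-lookup mechanisms exceed the limit of "
                        f"{SPF_LOOKUP_LIMIT}; receivers return permerror")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: receivers only report, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    subdomain_policy = tags.get("sp", policy).lower()   # sp inherits p when absent
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse of the domain goes unseen")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combine both checks for one domain."""
    return {"spf": assess_spf(spf_record), "dmarc": assess_dmarc(dmarc_record)}


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess_domain(recs["spf"], recs["dmarc"]))
```

The check is deliberately static: it reads records you supply rather than querying DNS, so it can run offline against exported zone data. It also does not cover DKIM, whose selector records are per-sender and are best validated by verifying a signed message end to end.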
Real-time phishing and impersonation detection
Modern email security needs to evaluate sender behavior, display name tricks, domain similarity, and message context in real time. Static reputation checks alone are not enough for fast-moving phishing campaigns.
This matters especially for SharePoint-themed lures, where the email may look normal on the surface but still contain subtle impersonation signals.
URL scanning and malicious link protection
Because the phishing click is the entry point, link inspection is essential. Security tools should analyze URLs at the time of delivery and, where possible, at the time of click to catch delayed weaponization.
This helps block fake Microsoft 365 login pages and other malicious destinations used to harvest credentials or sessions.
Account takeover and anomalous behavior monitoring
After a mailbox is compromised, behavior often changes. You may see unusual login context, abnormal outbound mail patterns, or mailbox changes that support fraud or persistence.
Monitoring these signals helps detect compromise quickly, especially when the attacker is using a real account instead of a spoofed one.
Outbound email protection to stop compromise-driven abuse
Inbound filtering is only half of the picture. If an internal mailbox is taken over, outbound monitoring can help stop phishing, impersonation, or fraud messages before they reach customers, partners, or coworkers.
This is important for containing BEC fallout and preserving trust in your domain.
Data loss prevention and secure file-sharing controls
Security should not end with threat detection. Sensitive messages and files need policy controls that reduce accidental or malicious exposure during everyday communication.
Encryption, access restrictions, and data handling policies all play a role in protecting regulated or confidential content.
Security awareness reinforcement at the point of attack
The best training often happens when a user is about to act. Contextual warnings, banners, and in-the-moment prompts can help employees pause before clicking a suspicious SharePoint-themed link or replying to a risky request.
That immediate reinforcement is especially useful against AiTM attacks that rely on speed and familiarity.
How Trustifi Supports Protection Against AiTM Phishing and BEC
Stops phishing emails before they reach Microsoft 365 users
Trustifi fits into this problem at the email layer, where many AiTM campaigns begin. Its email security capabilities are designed to help identify and block phishing threats before users interact with malicious messages inside Microsoft 365.
That early interception matters because preventing the click is the simplest way to break the attack chain before credential theft, token capture, or account takeover can occur.
Detects impersonation and suspicious sender behavior in real time
BEC attacks often rely on impersonation, display name abuse, or lookalike domains that feel legitimate at a glance. Trustifi helps analyze these risks in real time so suspicious messages can be flagged or stopped before they blend into normal business communication.
This is particularly useful when attackers mimic executives, vendors, or internal users to trigger urgent payment or document requests.
Protects against malicious links used in SharePoint-themed phishing
SharePoint-themed phishing depends on convincing users to click a document or login link. Trustifi’s protection features can help inspect and block malicious URLs that lead to fake Microsoft 365 portals or other phishing infrastructure.
By reducing exposure to dangerous links, you lower the odds that a trusted-looking file-sharing email turns into an AiTM compromise.
Helps reduce account takeover fallout with outbound email security
If an attacker gains access to a mailbox, the next danger is often outbound abuse. Trustifi supports outbound email security controls that can help identify suspicious sending behavior and reduce the spread of compromise-driven phishing or fraudulent messages.
That containment is valuable for limiting internal lateral phishing, protecting external partners, and reducing the business impact of BEC.
Secures sensitive communications and attachments from exposure
Trustifi also supports secure communication through features such as email encryption and protected file handling, which can help reduce data exposure when sensitive information is shared by email. For organizations managing confidential records, this supports both security and privacy goals.
In practice, this means you can add protection to messages and attachments that should not be freely accessible if an inbox is misused or intercepted.
Strengthens overall protection for Microsoft 365 collaboration workflows
Microsoft 365 security works best as a layered strategy across email, identity, user behavior, and data protection. Trustifi adds value by strengthening the email and secure communication layers that attackers commonly target first.
It is not a replacement for phishing-resistant MFA, conditional access, or SharePoint governance. Instead, it complements those controls by helping stop malicious messages, reduce impersonation risk, support encrypted communication, and improve resilience against BEC-related abuse.
Where Trustifi helps most:
- Blocking phishing and impersonation attempts before they reach users.
- Inspecting suspicious links used in Microsoft 365 and SharePoint-themed lures.
- Helping contain outbound abuse from compromised accounts.
- Supporting encryption and protected communication for sensitive email content.
- Reinforcing compliance and data protection efforts as part of a broader security stack.
Conclusion
AiTM phishing is turning trusted Microsoft 365 workflows into attack paths
AiTM phishing is effective because it abuses trust, not just technology. When attackers disguise themselves inside familiar Microsoft 365 and SharePoint workflows, normal user behavior can become the entry point to compromise.
SharePoint-themed lures make credential theft and BEC more convincing
Fake file-sharing alerts and login prompts are powerful because they match how people already work. That realism helps attackers capture sessions, take over accounts, and launch BEC activity that looks legitimate from the inside.
Organizations need layered defenses across email, identity, and collaboration tools
To reduce risk, you need more than one control. Phishing-resistant MFA, conditional access, sharing restrictions, behavioral monitoring, secure email defenses, and protected communication should work together.
If you treat email, identity, and collaboration as one connected attack surface, you will be in a much stronger position to stop AiTM phishing before it turns into business email compromise.