The LOTS campaign: phishing, impersonation and AitM abusing SharePoint to steal credentials and persist within the organization

6 min read

A few days ago, Microsoft researchers put on the table a case that should set off alarms in any security team: a coordinated campaign that combines phishing, identity impersonation in email and a more sophisticated technique known as adversary-in-the-middle (AitM), aimed especially at energy sector organizations. What is striking is not so much the novelty of the methods as the combination and patience with which they are executed, taking advantage of legitimate services like SharePoint to make the deception look safe.

The scenario repeats with an effective logic: first a trusted account, usually belonging to a partner or supplier, is compromised, and from there "document sharing" notifications are sent using SharePoint's familiar look and flows. The link leads to a forged form that requests credentials; when the victim hands them over, the attackers not only keep the password but take advantage of the active session (cookies) to keep access without the owner noticing.

Image generated with AI.

Once inside, the attackers typically create inbox rules that delete incoming messages or mark them as read. That trick lets them operate with stealth: the victim does not see the warnings or the replies from those who receive the fraudulent emails, and any notice sent by third parties can be intercepted or removed. With the compromised mailbox, the adversaries launch new waves of phishing from a "trusted" identity, rapidly expanding the campaign's reach and affecting both internal and external contacts.
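The inbox rules described above are what a responder should hunt for first. As an added example (not code from the article or from Microsoft), the following triage scores rules from a mailbox export for the hiding behaviours the campaign relies on: deleting or marking mail as read, moving it to rarely viewed folders, filtering on security keywords and using a meaningless rule name. The export format, mailbox and rule values are constructed; the field names mirror those of Exchange Online's Get-InboxRule output.

```python
import json

# Constructed sample in the shape of an inbox-rule export (e.g. Get-InboxRule | ConvertTo-Json
# from the Exchange Online module), cut down to the fields triage needs; all values are invented.
SAMPLE_RULES_JSON = """[
 {"Mailbox": "cfo@example.invalid", "Name": "..", "Enabled": true, "DeleteMessage": true,
  "MarkAsRead": true, "MoveToFolder": null,
  "SubjectContainsWords": ["SharePoint", "password", "suspicious"]},
 {"Mailbox": "cfo@example.invalid", "Name": "Archive", "Enabled": true, "DeleteMessage": false,
  "MarkAsRead": true, "MoveToFolder": "RSS Feeds", "SubjectContainsWords": []}
]"""

# Keywords attackers filter on so that warnings and replies never reach the mailbox owner.
SUSPICIOUS_WORDS = {"password", "phishing", "suspicious", "hacked", "fraud", "mfa"}
# Folders users rarely open, used as a quiet dumping ground for hidden mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}

def score_rule(rule):
    """Return (score, reasons) for one rule; each hiding behaviour adds one point."""
    reasons = []
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if rule.get("MarkAsRead"):
        reasons.append("marks mail as read")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder {rule['MoveToFolder']!r}")
    hits = sorted({w.lower() for w in rule.get("SubjectContainsWords") or []} & SUSPICIOUS_WORDS)
    if hits:
        reasons.append("filters on security keywords: " + ", ".join(hits))
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        reasons.append(f"non-descriptive rule name {name!r}")
    return len(reasons), reasons

def triage(rules_json, threshold=2):
    """Return enabled rules scoring at or above threshold, most suspicious first."""
    flagged = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue
        score, reasons = score_rule(rule)
        if score >= threshold:
            flagged.append({"mailbox": rule["Mailbox"], "name": rule["Name"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for hit in triage(SAMPLE_RULES_JSON):
        print(f"{hit['mailbox']} rule {hit['name']!r} score={hit['score']}: {'; '.join(hit['reasons'])}")
```

A single hiding behaviour (such as marking newsletters as read) is normal, which is why the threshold defaults to two; lower it when a mailbox is already known to be compromised.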

Microsoft describes this way of operating as a variant of the "living-off-trusted-sites" (LOTS) approach, which consists of relying on legitimate platforms (SharePoint, OneDrive, Google Drive, Confluence, etc.) so that malicious links look genuine and thus bypass list- or reputation-based controls. You can read the technical analysis that Microsoft posted on its security blog here: Multistage AitM phishing and BEC campaign abusing SharePoint.

This type of attack reveals two uncomfortable truths: first, that changing the password is not always enough; and second, that attackers anticipate and plan later steps to stay within the environment. Revoking active sessions, removing rules created by the attacker and verifying changes to MFA settings are essential tasks after an intrusion, according to Microsoft itself.

In addition, the social engineering landscape is evolving. Okta has documented phishing kits designed for vishing campaigns (the phone scam in which the attacker impersonates technical support) that allow the caller to synchronize what the scam says on the phone with what the user sees in the browser, controlling the authentication flow in real time. The result is the ability to defeat authentication methods that are not phishing resistant. Okta's report on these campaigns is available here: Phishing kits adapt to the script of callers.

Old "basic" but effective tricks are also being revived: embedding credentials in URLs (the classic username:password@domain form) can be used to show a known domain before the @ symbol, even though the browser ends up connecting to the malicious domain that appears after the @. Netcraft has documented and explained it in detail, reminding us that the appearance of a URL can be deliberately misleading: Retro phishing: Basic auth URLs make a comic in Japan.

Homoglyph techniques also continue to be used, where letters are replaced by visually similar combinations (e.g. "rn" for "m") to create domains that appear legitimate. Netcraft has described how this tactic continues to bear fruit for attackers, because many users read URLs superficially and do not examine each character: The lower-tech homoglyph that won't die.
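Both URL tricks above (credentials before the @ and look-alike domains) can be caught mechanically. The following is an added example, not code from the article or from Netcraft, of the checks a mail filter or link scanner would apply to a URL before a user sees it: it extracts the host the browser will really connect to, flags userinfo that masquerades as the destination, flags hosts mixing non-Latin scripts, and folds common digraph look-alikes to compare against a trusted-domain list. The trusted domains and sample URLs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Latin digraphs that read like a single letter at a glance (the "rn" vs "m" case).
DIGRAPH_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}

def real_host(url):
    """Return the host the browser actually connects to, ignoring anything before '@'."""
    return (urlsplit(url).hostname or "").lower()

def check_url(url, trusted_domains):
    """Return a list of findings explaining why the URL may not be what it looks like."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # 1. Credentials in the URL: the text before '@' is displayed first but is not the destination.
    if parts.username is not None or parts.password is not None:
        shown = url.split("//", 1)[-1].split("@", 1)[0]
        findings.append(f"userinfo {shown!r} precedes '@'; actual host is {host!r}")
    # 2. Mixed-script host: decode punycode (xn--) labels, then look for non-Latin letters.
    try:
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        unicode_host = host
    scripts = {unicodedata.name(c, "?").split()[0] for c in unicode_host if c.isalpha()}
    if scripts - {"LATIN"}:
        findings.append(f"host mixes scripts {sorted(scripts)}: {unicode_host!r}")
    # 3. Digraph look-alikes: if folding a digraph turns the host into a trusted domain, flag it.
    for digraph, letter in DIGRAPH_CONFUSABLES.items():
        folded = unicode_host.replace(digraph, letter)
        if folded != unicode_host and any(folded == t or folded.endswith("." + t) for t in trusted_domains):
            findings.append(f"{digraph!r} in {unicode_host!r} reads like {letter!r} (looks like {folded!r})")
    return findings

if __name__ == "__main__":
    trusted = ["sharepoint.com", "microsoft.com"]
    for u in ("https://login.sharepoint.com@evil.example/doc", "https://rnicrosoft.com/login"):
        print(u, "->", check_url(u, trusted))
```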

In the face of all this, the recommendations are not magical, but they are essential: organizations must move towards phishing-resistant authentication methods, such as FIDO2 keys or other certificate-based mechanisms, and deploy conditional access policies that respond to real-time risk. Microsoft also advises enabling continuous access evaluation to revoke sessions and tokens when abnormal activity is detected; official documentation explains how these capabilities work: Security defences and Continuous access evaluation.

From an operational perspective, it is essential that IT and security teams build into their processes the review and removal of inbox rules, the revocation of sessions and the auditing of MFA changes. Coordination with identity providers and incident response teams is also essential, because isolated measures, such as a simple password reset, may not cut off all the persistence routes the attackers have already created.

For the individual user, a few practical precautions are worth keeping: distrust emails requesting credentials to "view a document," check the actual URL before entering data, avoid approving MFA requests triggered by unexpected calls or messages, and report any suspicious mail to the security team. When the deception comes by phone, the synchronization between what the attacker says and what appears on screen is precisely the key to the fraud; keeping a critical attitude and verifying through official channels is a simple but effective barrier.

Image generated with AI.

The recent case illustrates a broader trend: attackers prefer to exploit trusted platforms and services to gain legitimacy and reduce the cost of building their own infrastructure. Netcraft has tracked similar incidents in which shared storage services are used to distribute both phishing links and malicious software, which shows that the tactic is cross-cutting and persistent: Shared document spam delivers remote access tool.

In short, defence is no longer only technical but also organizational and human. A mix of advanced technological controls and a security culture within the company is needed to detect and neutralize campaigns that exploit trust between partners and the ubiquity of collaborative platforms. Recent incidents are a reminder: let us underestimate neither the cunning of the attackers nor the importance of apparently "minor" operational tasks such as reviewing mail rules or revoking active sessions.

If you work in security, review the technical guides linked above and prioritize the rollout of phishing-resistant MFA, conditional access policies and remediation processes that include cleaning up inbox rules and revoking tokens. If you are a user, keep a reasonable suspicion of unexpected requests and always verify through official channels before handing over credentials or approving access.
