Dissecting the Multi-Stage AiTM Campaign: A Security Operations Playbook
Microsoft's busy celebrating their 2026 security awards. Meanwhile, threat actors keep getting better at what they do. The recent Microsoft Security Blog post on the resurgent multi-stage Adversary-in-the-Middle (AiTM) phishing campaign abusing SharePoint? That's a wake-up call.
I've spent the last few years building and scaling MDR services at Crayon. I've seen these phishing campaigns firsthand. They're smart, they bypass traditional defenses, and they work. This is a practical incident response playbook based on Microsoft's latest threat intel and my own operational experience.
Understanding the Multi-Stage AiTM Attack Chain
This campaign shows how phishing tactics keep evolving. It's not just credential harvesting anymore. The attackers use legitimate SharePoint infrastructure to build trust while running session hijacking through AiTM techniques in the background.
Here's how the typical attack flows:
- Initial Compromise: Spear-phishing emails with SharePoint links
- Trust Exploitation: Legitimate SharePoint URLs bypass URL filtering
- Credential Harvesting: AiTM proxy captures credentials and session tokens
- Session Hijacking: Immediate use of stolen sessions for Business Email Compromise (BEC)
- Persistence: Additional account compromise for sustained access
The SharePoint abuse is what makes this nasty. In my experience monitoring multi-tenant environments, SharePoint-based threats fly under the radar constantly. Why? The initial touchpoint looks completely legitimate. Your users trust SharePoint. Your filters trust SharePoint. The attackers know this.
Detection Strategies: Advanced Hunting in Defender XDR
Microsoft Defender XDR's Advanced Hunting gives us unified visibility across identities, endpoints, email, and cloud apps. Here are the hunting queries I've developed:
Hunting for SharePoint Phishing URLs in Emails
// Find inbound emails containing SharePoint links that a recipient then clicked through
EmailUrlInfo
| where Timestamp > ago(24h)
// Match the tenant host (e.g. contoso.sharepoint.com) rather than any domain ending in "sharepoint.com"
| where UrlDomain endswith ".sharepoint.com" or UrlDomain endswith ".sharepoint-df.com"
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(24h)
    | where EmailDirection == "Inbound"
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject
) on NetworkMessageId
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(24h)
    | where IsClickedThrough == true
    // Join on both keys so the click is tied to the message that delivered the URL
    | project Url, NetworkMessageId, ClickTime = Timestamp, IsClickedThrough
) on Url, NetworkMessageId
| project Timestamp, ClickTime, RecipientEmailAddress, SenderFromAddress, Subject, Url, UrlDomain, IsClickedThrough
Detecting AiTM Session Token Theft
// Identify suspicious sign-in patterns indicating session hijacking: a risky SharePoint
// sign-in followed within 30 minutes by sign-ins to other apps from a different IP.
// Note: in AADSignInEventsBeta, RiskLevelDuringSignIn and RiskState are integers
// (RiskLevelDuringSignIn: 0 none, 1 low, 10 medium, 100 high; RiskState: 4 = at risk),
// unlike the string values used by the Sentinel SigninLogs table.
AADSignInEventsBeta
| where Timestamp > ago(6h)
| where Application contains "SharePoint"
| where RiskLevelDuringSignIn in (10, 100) or RiskState == 4
| project Timestamp, AccountUpn, IPAddress, SessionId, Application, RiskLevelDuringSignIn, City, Country
| join kind=inner (
    AADSignInEventsBeta
    | where Timestamp > ago(6h)
    | where Application !contains "SharePoint"
    | project Timestamp, AccountUpn, IPAddress, Application, City
) on AccountUpn
// Right-side columns carry the "1" suffix after the join
| where IPAddress != IPAddress1
| where datetime_diff('minute', Timestamp1, Timestamp) between (0 .. 30)
| summarize
    InitialAccess = min(Timestamp),
    SessionHijackTime = min(Timestamp1),
    TargetApps = make_set(Application1),
    SuspiciousIPs = make_set(IPAddress1)
    by AccountUpn, IPAddress
Hunting for BEC Activity Post-Compromise
// Detect inbox rule creation after a risky SharePoint sign-in.
// CloudAppEvents identifies the actor by AccountObjectId (the Entra object ID), not by UPN,
// so the join must use AccountObjectId on both sides.
CloudAppEvents
| where Timestamp > ago(24h)
| where ActionType == "New-InboxRule"
| extend RuleConfig = tostring(RawEventData.Parameters)
| where RuleConfig contains "ForwardTo" or RuleConfig contains "RedirectTo" or RuleConfig contains "DeleteMessage"
| join kind=inner (
    AADSignInEventsBeta
    | where Timestamp > ago(24h)
    | where Application contains "SharePoint"
    | where RiskLevelDuringSignIn != 0   // integer in this table; 0 means no risk
    | project AccountObjectId, AccountUpn, SharePointAccess = Timestamp, RiskLevel = RiskLevelDuringSignIn
) on AccountObjectId
// Rule created between 0 and 6 hours after the risky SharePoint sign-in
| where datetime_diff('hour', Timestamp, SharePointAccess) between (0 .. 6)
| project Timestamp, AccountUpn, ActionType, RuleConfig, SharePointAccess, RiskLevel
Cross-Domain Attack Correlation
// Unified view: Email → SharePoint click → Session compromise → BEC
let timeWindow = 24h;
let suspiciousClicks =
    UrlClickEvents
    | where Timestamp > ago(timeWindow)
    // UrlClickEvents has no UrlDomain column; derive the host from the Url
    | extend UrlHost = tostring(parse_url(Url).Host)
    | where UrlHost endswith ".sharepoint.com" or UrlHost endswith ".sharepoint-df.com"
    | where IsClickedThrough == true
    | project ClickTime = Timestamp, AccountUpn, Url;
let riskySignIns =
    AADSignInEventsBeta
    | where Timestamp > ago(timeWindow)
    | where RiskLevelDuringSignIn in (10, 100)   // integer risk levels: 10 medium, 100 high
    | project SignInTime = Timestamp, AccountUpn, AccountObjectId, IPAddress, Application;
let inboxChanges =
    CloudAppEvents
    | where Timestamp > ago(timeWindow)
    | where ActionType in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
    | project RuleTime = Timestamp, AccountObjectId, ActionType;
suspiciousClicks
| join kind=inner riskySignIns on AccountUpn
| where datetime_diff('hour', SignInTime, ClickTime) between (0 .. 2)
// CloudAppEvents carries the Entra object ID, so correlate on AccountObjectId rather than UPN
| join kind=leftouter inboxChanges on AccountObjectId
| project AccountUpn, ClickTime, SignInTime, RuleTime, IPAddress, Application, ActionType
| order by ClickTime desc
Immediate Response Actions
When these detections fire, time matters. Here's our incident response playbook:
Phase 1: Containment (0-15 minutes)
- Revoke user sessions: Use Microsoft Graph PowerShell to invalidate all active sessions
- Disable affected accounts: Temporarily disable the account to prevent further access
- Block suspicious IPs: Add to conditional access policies if patterns emerge
Phase 2: Investigation (15-60 minutes)
- Analyze SharePoint access logs: Look for document downloads, sharing modifications
- Review email activity: Check for rule creation, message forwarding, sent items
- Assess lateral movement: Monitor sign-ins to other applications post-compromise
Phase 3: Eradication (1-4 hours)
- Reset credentials: Force password reset and MFA re-registration
- Remove malicious rules: Delete any forwarding or redirect rules
- Review SharePoint permissions: Audit and remove suspicious sharing permissions
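The containment and eradication steps above, as an added example that is not part of the original post: it revokes the user's sessions, optionally disables the account, and removes forwarding, redirect and delete rules and mailbox-level forwarding. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the operator holds the needed admin roles, and $Upn is a placeholder for the compromised account.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules; $Upn is a placeholder for the affected account.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. user@contoso.example (placeholder)
    [switch] $DisableAccount                # Phase 1: temporary disable when warranted
)

Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Phase 1: invalidate refresh tokens and sessions so a stolen AiTM session stops working.
# Access tokens already issued remain valid until they expire (typically up to an hour).
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Sessions revoked for $Upn at $(Get-Date -Format o)"

if ($DisableAccount) {
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Write-Host "Account disabled for $Upn"
}

# Phase 3: record, then remove, inbox rules that forward, redirect or delete mail.
$rules = Get-InboxRule -Mailbox $Upn
$malicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}

if ($malicious) {
    # Keep the evidence in the case file before deleting anything
    $evidence = ".\inboxrules-$($Upn -replace '[@.]', '_').csv"
    $malicious | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage |
        Export-Csv -Path $evidence -NoTypeInformation
    foreach ($rule in $malicious) {
        Remove-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
        Write-Host "Removed rule '$($rule.Name)' from $Upn (recorded in $evidence)"
    }
} else {
    Write-Host "No forwarding, redirect or delete rules found for $Upn"
}

# Mailbox-level forwarding is set with Set-Mailbox, outside inbox rules; clear it too.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    Write-Host "Cleared mailbox forwarding for $Upn"
}
```

Password reset and MFA re-registration are left to your identity team's standard procedure so the script stays limited to reversible containment steps.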
Building Resilient Defenses
Beyond reactive measures, this campaign shows why proactive defenses matter:
Conditional Access Enhancements: Implement location-based restrictions for SharePoint access. This is especially important for external sharing activities.
Zero Trust Email Security: Deploy Microsoft Defender for Office 365 with Safe Links configured for SharePoint documents.
User Education: Regular training on SharePoint phishing. Focus on URL verification techniques. People need to know what to look for.
Session Management: Implement shorter session lifetimes for SharePoint external access.
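The location-based restriction and shorter session lifetime for SharePoint described above, as an added example that is not part of the original post: a Conditional Access policy created in report-only mode with Microsoft Graph PowerShell. It assumes the Microsoft.Graph module, the Conditional Access Administrator role, and that "AllTrusted" refers to your already defined trusted named locations; the SharePoint Online application ID is Microsoft's published first-party ID.

```powershell
# Added example (not from the original post). Creates a report-only Conditional Access
# policy for SharePoint Online: hourly re-authentication, no persistent browser session,
# and MFA whenever the request does not come from a trusted named location.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Office 365 SharePoint Online first-party application ID (published by Microsoft)
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "CA - SharePoint: 1h sign-in frequency + MFA outside trusted locations"
    # Report-only first: review sign-in log impact before changing this to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }   # add break-glass accounts
        applications   = @{ includeApplications = @($sharePointAppId) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        # Hourly re-authentication limits how long a hijacked session token stays useful
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1; frequencyInterval = "timeBased" }
        # No persistent browser session from untrusted networks
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Watch the report-only results in the sign-in logs for a few days, then switch the state to "enabled" once legitimate external-sharing workflows are confirmed unaffected.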
In our multi-tenant operations at Crayon, we've found that combining these technical controls with regular threat hunting exercises significantly cuts successful compromise rates.
Where to Start
Implement the detection queries above in your Defender XDR environment. Adapt them to your tenant. Review your SharePoint security posture, particularly external sharing policies and conditional access rules.
Then run a tabletop exercise simulating a SharePoint-based compromise. Find the gaps in your playbook before a real incident does.