Signal
Energy-sector phishing: SharePoint-abused AitM/BEC plus credential-led RMM persistence
Published 2026-01-22 19:18 UTC · Updated 2026-01-23 13:19 UTC
Tags: phishing, aitm, bec, sharepoint, energy_sector, credential_theft
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped; counts indicate coverage, not truth. 2 top sources shown.
limited source diversity in top sources
Overview
Microsoft and follow-on coverage report a multi-stage AitM phishing and BEC campaign targeting energy-sector organizations, where attackers abuse SharePoint file-sharing to deliver phishing payloads and use inbox rule creation to maintain persistence and reduce user visibility.
Score total: 1.06
Momentum 24h: 3
Posts: 3
Origins: 2
Source types: 1
Duplicate ratio: 0%
Why now
- Microsoft has issued a warning about the multi-stage AitM/BEC campaign targeting energy firms.
- Independent coverage echoes SharePoint abuse for payload delivery in the same energy-focused activity.
- Researchers disclosed a separate credential-led campaign installing LogMeIn RMM for persistence.
Why it matters
- Abusing SharePoint file-sharing can make phishing payload delivery look routine.
- Inbox rule creation can help attackers persist and evade user awareness.
- Legitimate RMM tooling can provide durable remote access without custom malware.
LLM analysis
Topic mix: medium · Promo risk: low · Source quality: high
Recurring claims
- Threat actors are abusing SharePoint file-sharing to deliver phishing payloads in AitM phishing and BEC campaigns targeting energy-sector organizations.
- Phishing activity is leveraging stolen credentials to deploy legitimate RMM software (LogMeIn) for persistent remote access.
How sources frame it
- Microsoft Defender Security Research Team: neutral
- SecurityWeek: neutral
- KnowBe4 Threat (as cited by The Hacker News): neutral
Two posts align on SharePoint-abused AitM/BEC activity targeting energy; one additional phishing/RMM item is related but distinct.
All evidence
Phishers Abuse SharePoint in New Campaign Targeting Energy Sector
SecurityWeek · securityweek.com · 2026-01-23 13:19 UTC
Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access
The Hacker News · thehackernews.com · 2026-01-23 11:18 UTC
Top publishers (this list)
- SecurityWeek (1)
- The Hacker News (1)
Top origin domains (this list)
- securityweek.com (1)
- thehackernews.com (1)