Credential Harvesting Against Cloud Email Accounts Using Adversary-in-the-Middle Toolkit
ID: 238f5ce3-daa0-4987-846b-0aba9ce62223
STIX ID: report--238f5ce3-daa0-4987-846b-0aba9ce62223
Threat Score: 72/100
Between 8 and 12 April 2026, investigators observed a credential-harvesting phishing campaign targeting legal-sector cloud email users. Attackers used a spoofed Microsoft 365 login page hosted at https://sharepoint-docs-verify.com/client-review, operated as an adversary-in-the-middle to capture both credentials and session cookies, and later abused the compromised accounts for internal phishing and mailbox forwarding, which suggests objectives of business email compromise, internal reconnaissance, and long-term mailbox access.
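The two post-compromise behaviours the report names, a stolen session cookie replayed from the attacker's infrastructure and an inbox rule that forwards mail out of the tenant, both leave traces in sign-in and mailbox audit logs. The following detection sketch is an added example, not part of the report or of any vendor tooling: the log records are constructed, the field names (`op`, `user`, `ip`, `session`, `params`) and the tenant domain `examplelaw.test` are assumptions, and only the inbox-rule parameter names (`ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`) follow real Exchange Online cmdlet parameters.

```python
"""Detection sketch for two AiTM follow-on behaviours: a captured session
cookie replayed from a second IP, and an inbox rule forwarding mail outside
the tenant. Record format and field names are assumptions for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant domain (placeholder, not taken from the report).
ORG_DOMAINS = {"examplelaw.test"}

# Inbox-rule parameters that send a copy of mail to another address.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample events, one JSON object per line, loosely shaped like
# unified-audit-log entries. IPs are documentation ranges, not real IoCs.
SAMPLE_LOG = """
{"time":"2026-04-09T08:02:11Z","op":"UserLoggedIn","user":"a.lee@examplelaw.test","ip":"203.0.113.7","session":"S-1"}
{"time":"2026-04-09T08:05:40Z","op":"UserLoggedIn","user":"a.lee@examplelaw.test","ip":"198.51.100.23","session":"S-1"}
{"time":"2026-04-09T08:09:02Z","op":"New-InboxRule","user":"a.lee@examplelaw.test","ip":"198.51.100.23","params":{"Name":"sync","ForwardTo":"archive@mail-collector.example","DeleteMessage":true}}
{"time":"2026-04-09T09:00:00Z","op":"UserLoggedIn","user":"b.kim@examplelaw.test","ip":"203.0.113.8","session":"S-2"}
{"time":"2026-04-09T09:30:00Z","op":"Set-InboxRule","user":"b.kim@examplelaw.test","ip":"203.0.113.8","params":{"Name":"sort","MoveToFolder":"Clients"}}
"""


def parse_records(text):
    """Parse one JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(rec):
    # fromisoformat accepts a numeric UTC offset on every supported Python.
    return datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def external_forwarding_rules(records, org_domains):
    """Return (user, target) pairs for inbox rules that forward or redirect
    mail to a domain outside the tenant; benign sorting rules are ignored."""
    hits = []
    for rec in records:
        if rec.get("op") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rec.get("params", {})
        for key in FORWARDING_PARAMS:
            targets = params.get(key)
            if not targets:
                continue
            if isinstance(targets, str):
                targets = [targets]
            for target in targets:
                if _domain(target) not in org_domains:
                    hits.append((rec["user"], target))
    return hits


def shared_session_from_multiple_ips(records, window=timedelta(hours=1)):
    """Return (user, session, sorted_ips) where one session id was used from
    more than one source IP inside the window. A cookie captured by an AiTM
    proxy and replayed by the attacker produces exactly this pattern."""
    seen = defaultdict(list)
    for rec in records:
        if rec.get("op") == "UserLoggedIn" and rec.get("session"):
            seen[(rec["user"], rec["session"])].append((_when(rec), rec["ip"]))
    hits = []
    for (user, session), events in seen.items():
        events.sort()
        ips = sorted({ip for _, ip in events})
        if len(ips) > 1 and events[-1][0] - events[0][0] <= window:
            hits.append((user, session, ips))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in external_forwarding_rules(recs, ORG_DOMAINS):
        print("external forwarding rule:", hit)
    for hit in shared_session_from_multiple_ips(recs):
        print("session reused from multiple IPs:", hit)
```

The session check deliberately keys on the session identifier rather than on the user alone, because a legitimate user signing in twice from home and office produces two sessions, whereas a replayed cookie keeps the original session id. The forwarding check treats any target domain not in the tenant's list as external; on a real tenant that list should include every verified domain, or trusted partner domains will be flagged as well.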
