More than 10,000 companies were targeted in a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites.
Microsoft identified a large-scale phishing effort that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA.
Threat actors utilise AiTM phishing to set up a proxy server between a target user and the website the user desires to access, which is the phishing site controlled by the attackers. The proxy server enables attackers to intercept communications and steal the target's password and a session cookie.
Threat actors started business email compromise (BEC) attacks against other targets after obtaining the credentials and session cookies needed to access users' mails. Since September 2021, Microsoft specialists think the AiTM phishing effort has targeted over 10,000 companies.
Phishing using AITM
By impersonating the Office online authentication page, the landing sites utilised in this campaign were meant to attack the Office 365 authentication process. Microsoft researchers discovered that the campaign's operators utilise the Evilginx2 phishing kit as its AiTM infrastructure.
Threat actors utilised phishing emails with an HTML file attachment in several of the attacks seen by the experts. The message alerted recipients that they had a voice message in order to deceive them into opening the file.
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”
“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.”
After capturing the session cookie, the attackers inserted it into their browser to bypass the authentication procedure, even if the receiver had activated MFA for his account.
Microsoft advises organisations to use systems that enable Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant."
Microsoft also advises establishing conditional access controls if an attacker attempts to utilise a stolen session cookie and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious features and odd mailbox operations.
“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.
