A large-scale phishing campaign has been spotted using Adversary-in-the-Middle (AitM) techniques to bypass security protections. The aim behind the attacks is to compromise enterprise email accounts and exploit them further.

A large-scale phishing campaign

Researchers from Zscaler spotted the campaign targeting enterprise end users using Microsoft's email services. 
  • It starts with the use of an invoice-themed email being sent to targets containing an HTML attachment, enclosing a phishing URL added within it.
  • Opening the attachment in the browser redirects the email recipient to the phishing page, a fake login page for Office while fingerprinting the machine to verify the correct target.
  • Additionally, the attackers used different methods, such as open redirect pages hosted by Google Ads and Snapchat, to load the phishing page URL instead of the rogue URL directly in the email.

The attack campaign is in action since June and has already targeted multiple victims. AitM phishing attacks help criminals obtain credentials from potential victims, even in cases where MFA is enabled.

Who are the targets?

The prominent targets belong to lending, insurance, manufacturing, fintech, energy, and federal credit union organizations based in the U.K, the U.S., Australia, and New Zealand.

More details from the campaign

The researchers spotted the attacker logging inside the account after eight minutes of credential theft, suspected to be via manual login. After that, they read emails and checked the user's profile details.
  • In some cases, the hacked email inboxes of enterprises are used to send additional phishing emails as part of the same campaign to carry out BEC attacks.
  • The different versions of the observed campaigns have used one common type of phishing kit as their AitM infrastructure known as Evilginx2.
  • Further, genuine online code editing services identified as Glitch and CodeSandbox are used to increase the shelf life of the campaign.


By using advanced tactics such as AitM and modern sophisticated phishing kits, the attackers are able to bypass security solutions. This attack provides a good example of why MFA alone is not sufficient and emphasizes the need for multiple layers of security for robust protection.
Cyware Publisher