Microsoft is warning about an increase in Adversary-in-the-Middle (AiTM) phishing techniques, which are being sold and used as part of the Phishing-as-a-Service (PhaaS) cybercrime model. This development within the PhaaS ecosystem allows attackers to run high-volume phishing campaigns aimed at circumventing MFA on a large scale, Microsoft researchers stated in a series of posts on X (formerly Twitter).

Diving into details

Phishing kits incorporating AiTM capabilities operate using one of two approaches. 
  • The first uses reverse proxy servers: the phishing page sits between the user's device and the legitimate website and forwards every request and response in real time. Because the victim completes a genuine sign-in through the proxy, the kit captures the user's login details, 2FA codes, and the resulting session cookie without the victim noticing anything unusual. 
  • The second uses synchronous relay servers. Here, the target encounters a replica of a sign-in page, as in conventional phishing, but the kit relays the entered credentials and 2FA code to the legitimate site in real time, so the attacker still ends up holding a valid session cookie rather than a password that MFA would otherwise render useless.

Why this matters

  • The primary aim of these attacks is to steal session cookies, which let the attacker act as the already-authenticated user and reach privileged systems without having to authenticate again.
  • AiTM session cookie theft exists specifically to bypass MFA: the victim completes the MFA challenge themselves, and the attacker reuses the session that the challenge produced. 
  • Unlike conventional phishing incidents, responding to an AiTM compromise requires revoking the stolen session cookies (and any refresh tokens issued under that session) in addition to resetting the password, since the attacker's access does not depend on knowing the password at all.
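The mechanism described above leaves a recognisable trace: the victim's session is minted by an interactive, MFA-completed sign-in, and a short time later the same session is used from the attacker's network with the MFA requirement satisfied only by the claim already carried in the cookie. The following script, an added example that is not part of the Microsoft posts or of any kit described here, runs that heuristic over a few constructed sign-in records (the field names are an assumption loosely modelled on Entra ID sign-in log columns, not a real export) and lists the users whose sessions should be revoked:

```python
"""Flag suspected AiTM session-cookie replay in sign-in telemetry.

Heuristic: the kit lets the victim complete a genuine, MFA-protected
interactive sign-in, then the attacker replays the captured cookie from
their own infrastructure. In the logs that looks like the same session
reappearing shortly afterwards from a different network, with MFA
"satisfied" only because the cookie already carries the claim.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Field names are an
# assumption for this example, loosely modelled on Entra ID sign-in log columns.
SAMPLE_SIGNINS = [
    # alice: interactive MFA sign-in, then the same session from another ASN
    # 95 seconds later with no fresh MFA challenge -> suspected replay
    {"time": "2023-09-01T08:02:10", "user": "alice@example.com", "session_id": "S-1001",
     "ip": "203.0.113.10", "asn": 64500, "interactive": True, "mfa": "completed"},
    {"time": "2023-09-01T08:03:45", "user": "alice@example.com", "session_id": "S-1001",
     "ip": "198.51.100.77", "asn": 64511, "interactive": False, "mfa": "claim in token"},
    # bob: the session is reused from the same network (ordinary SSO) -> benign
    {"time": "2023-09-01T09:15:00", "user": "bob@example.com", "session_id": "S-2002",
     "ip": "203.0.113.10", "asn": 64500, "interactive": True, "mfa": "completed"},
    {"time": "2023-09-01T09:40:00", "user": "bob@example.com", "session_id": "S-2002",
     "ip": "203.0.113.10", "asn": 64500, "interactive": False, "mfa": "claim in token"},
    # carol: network change, but a day later -> outside the default window
    {"time": "2023-09-01T10:00:00", "user": "carol@example.com", "session_id": "S-3003",
     "ip": "192.0.2.5", "asn": 64496, "interactive": True, "mfa": "completed"},
    {"time": "2023-09-02T10:05:00", "user": "carol@example.com", "session_id": "S-3003",
     "ip": "198.51.100.78", "asn": 64511, "interactive": False, "mfa": "claim in token"},
]

# Value used here for "MFA requirement satisfied by claim in the token",
# i.e. no MFA challenge was actually performed during this sign-in.
MFA_FROM_CLAIM = "claim in token"


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_session_replays(events: list[dict], window_hours: float = 1.0) -> list[dict]:
    """Return one finding per sign-in that reuses a session from a different
    autonomous system within `window_hours` of the MFA-completed sign-in that
    minted it, without running a new MFA challenge."""
    window = timedelta(hours=window_hours)
    by_session: dict = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session_id"])].append(e)

    findings = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=_ts)
        # The session was minted by the first interactive sign-in that ran MFA.
        origin = next((e for e in evs if e["interactive"] and e["mfa"] == "completed"), None)
        if origin is None:
            continue
        for e in evs:
            if e is origin:
                continue
            elapsed = _ts(e) - _ts(origin)
            if elapsed < timedelta(0) or elapsed > window:
                continue
            # Same ASN: token reuse from the user's own network, expected for SSO.
            if e["asn"] == origin["asn"]:
                continue
            # Different network and MFA satisfied by the carried claim rather
            # than by a new challenge: consistent with session-cookie replay.
            if e["mfa"] == MFA_FROM_CLAIM:
                findings.append({
                    "user": user,
                    "session_id": sid,
                    "origin_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "seconds_after": int(elapsed.total_seconds()),
                })
    return findings


def users_needing_session_revocation(findings: list[dict]) -> list[str]:
    """Distinct users whose sessions and refresh tokens should be revoked."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    hits = find_session_replays(SAMPLE_SIGNINS)
    for f in hits:
        print(f"SUSPECTED AiTM REPLAY: {f['user']} session {f['session_id']} minted at "
              f"{f['origin_ip']}, reused from {f['replay_ip']} {f['seconds_after']}s later")
    print("revoke sessions for:", users_needing_session_revocation(hits))
```

With the default one-hour window only alice is flagged; widening the window also catches carol's next-day reuse, at the cost of more false positives from genuine travel. The heuristic deliberately ignores same-ASN reuse, so an attacker replaying from the same cloud provider the victim's VPN exits through would be missed; pair it with the usual signals (impossible travel, anonymiser IP ranges, a new MFA method registered right after sign-in). For Microsoft 365 the revocation step is `Revoke-MgUserSignInSession -UserId <user>` in the Microsoft Graph PowerShell SDK, which invalidates the user's refresh tokens and session cookies so the stolen cookie stops working.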

AiTM phishing attacks by different groups

In June, Microsoft warned of a phishing and BEC campaign targeting banking and financial organizations that exploited trusted vendor relationships to commit financial fraud. The attackers used an AiTM phishing kit developed by a threat group tracked as Storm-1167, sent over 16,000 emails to the target's contacts from the compromised account, and added a new SMS-based 2FA method to that account to avoid detection.

Meanwhile, the actor group tracked as Storm-1295, which develops the Greatness PhaaS platform, provides synchronous relay services to other attackers. This service lets cybercriminals target business users of Microsoft 365 with authentic-looking decoy and login pages. Greatness has reportedly been operational since at least mid-2022.

The bottom line

Microsoft's recent warning sheds light on the escalating threat posed by AiTM phishing techniques within the PhaaS ecosystem. These kits let attackers orchestrate phishing campaigns at significant scale while bypassing MFA safeguards. Because the victim completes the MFA challenge and the attacker merely reuses the resulting session, second factors such as SMS codes, OTP apps and push approvals do not stop these kits; MFA methods bound to the legitimate origin (FIDO2 security keys, passkeys, Windows Hello for Business and certificate-based authentication) do, because the credential will not answer for the proxy's domain. Organizations should therefore move to phishing-resistant MFA where they can, monitor sign-in logs for session reuse from unexpected networks, and treat any confirmed AiTM compromise as a session-revocation incident rather than a simple password reset.
Cyware Publisher