Microsoft revealed details of an extensive phishing campaign that not only pilfered victims' passwords but also bypassed MFA. The attackers used a tactic known as Adversary-in-the-Middle (AiTM) and subsequently used the stolen credentials to conduct business email compromise (BEC) attacks against other targets.

What is AiTM phishing?

  • It involves the adversary deploying a proxy server between the target user and the website they want to visit.
  • This enables the attacker to intercept and steal the target's password and session cookies.
  • It should be noted that this doesn't constitute a flaw in MFA. Because the attacker steals the session cookie issued after authentication, they are treated as authenticated irrespective of the victim's sign-in method.

The phishing campaign

  • The attackers have targeted over 10,000 organizations since September 2021.
  • They spoofed the Office online authentication page to target Office 365 users.
  • To steal session cookies, the attackers deployed a web server that proxies HTTP traffic between the user and the website the attackers wish to impersonate.
  • This technique is especially convenient for threat actors since, unlike traditional phishing, they don't have to build their own phishing sites.

What’s next?

Once authenticated, the attackers conducted payment fraud by signing in to Outlook to access emails and files related to finance. They also deleted the original phishing email from the victim's inbox to hide traces of initial access.

The bottom line

Cyber threats are evolving rapidly, as this AiTM phishing tactic proves once again. Microsoft recommends that defenders implement conditional access policies, enable anti-phishing software, and monitor for suspicious activity. While this technique attempts to evade MFA, it is essential that users keep MFA enabled, as it remains effective against a myriad of other threats.
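The "monitor for suspicious activity" recommendation above is easier to act on with a concrete check. The script below is an added example, not code from Microsoft or Cyware: it runs a simple replay heuristic over a constructed activity log, flagging any session cookie that is used from a different source IP or client within an hour of the MFA-backed sign-in, and lists follow-on actions in that session (such as the message deletion the article describes) for triage. The record fields and action names are assumptions made for the example; map them to your own sign-in and audit log exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real telemetry). Each record is one
# sign-in or post-sign-in action tied to a session cookie identifier.
EVENTS = [
    {"ts": "2022-07-12T08:00:00", "user": "alice@example.com", "session": "s-1",
     "ip": "203.0.113.10", "ua": "Edge/103", "action": "signin_mfa_ok"},
    {"ts": "2022-07-12T08:01:30", "user": "alice@example.com", "session": "s-1",
     "ip": "203.0.113.10", "ua": "Edge/103", "action": "mailbox_read"},
    # Same cookie reused minutes later from a different IP and client:
    {"ts": "2022-07-12T08:05:00", "user": "alice@example.com", "session": "s-1",
     "ip": "198.51.100.77", "ua": "python-requests/2.28", "action": "mailbox_read"},
    {"ts": "2022-07-12T08:06:00", "user": "alice@example.com", "session": "s-1",
     "ip": "198.51.100.77", "ua": "python-requests/2.28", "action": "message_deleted"},
    {"ts": "2022-07-12T09:00:00", "user": "bob@example.com", "session": "s-2",
     "ip": "203.0.113.20", "ua": "Edge/103", "action": "signin_mfa_ok"},
    {"ts": "2022-07-12T09:10:00", "user": "bob@example.com", "session": "s-2",
     "ip": "203.0.113.20", "ua": "Edge/103", "action": "mailbox_read"},
]

# Post-sign-in actions worth surfacing when they follow a suspected replay
# (the campaign deleted the original phishing email to hide initial access).
FOLLOW_ON_ACTIONS = {"message_deleted", "inbox_rule_created", "file_download"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_session_replay(events, window=timedelta(hours=1)):
    """Return one finding per session whose cookie is used from a different
    source IP or user agent within `window` of the MFA-backed sign-in.

    Heuristic only: legitimate IP changes (mobile roaming, VPN) also trigger
    it, so treat results as leads for triage rather than verdicts.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        origin = evs[0]
        if origin["action"] != "signin_mfa_ok":
            continue  # no sign-in anchor for this session; skip it
        for e in evs[1:]:
            if _ts(e) - _ts(origin) > window:
                break
            if e["ip"] != origin["ip"] or e["ua"] != origin["ua"]:
                later = [x["action"] for x in evs
                         if _ts(x) >= _ts(e) and x["action"] in FOLLOW_ON_ACTIONS]
                findings.append({
                    "session": sid,
                    "user": origin["user"],
                    "origin_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "replay_ua": e["ua"],
                    "minutes_after_signin": (_ts(e) - _ts(origin)).total_seconds() / 60,
                    "follow_on_actions": later,
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_session_replay(EVENTS):
        print(f"[replay] {f['user']} session {f['session']}: cookie from "
              f"{f['origin_ip']} reused at {f['replay_ip']} ({f['replay_ua']}) "
              f"{f['minutes_after_signin']:.0f} min after sign-in; "
              f"follow-on: {', '.join(f['follow_on_actions']) or 'none'}")
```

On the constructed log this flags only Alice's session, where the cookie reappears from a second address and a scripted client five minutes after sign-in, followed by a message deletion. In production, keying on IP alone is noisy; comparing ASN or the device identifier from a conditional access policy that requires a compliant device cuts false positives considerably.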
Cyware Publisher