Adversary-in-the-middle (AiTM) phishing techniques are being used by malicious parties to bypass multi-factor authentication (MFA) in Office 365 [5]. This poses a significant threat to the security of user identities and sensitive information.

Description

Microsoft has warned about the increasing use of AiTM techniques deployed through phishing-as-a-service (PhaaS) platforms. These platforms include both new AiTM-capable PhaaS platforms and established phishing services that have added AiTM capabilities [4]. Attackers are using stolen credentials and session cookies to access users’ mailboxes and carry out business email compromise (BEC) campaigns [1].

The attackers set up adversary-in-the-middle (AiTM) phishing sites [1], where a proxy server is deployed to redirect recipients of phishing emails to lookalike landing pages designed to capture credentials and MFA information [1]. This allows them to conduct large-scale phishing campaigns that attempt to bypass MFA protections [2] [7].

Phishing kits with AiTM capabilities use reverse proxy servers and synchronous relay servers to capture user credentials [2] [7], two-factor authentication codes [2] [3] [6] [7], and session cookies [1] [2] [4] [5] [7]. The phishing page acts as an AiTM agent [1], intercepting the authentication process and extracting valuable data [1]. The actor group Storm-1295 offers synchronous relay services to other attackers [2].

Microsoft has identified a phishing campaign targeting Office 365 users [1], using the Evilginx2 phishing kit for AiTM attacks [1]. The attackers send email messages with voice message-themed lures and malware-laced attachments to redirect users to credential-stealing landing pages [1]. The users are then routed to the legitimate office[.]com website [1], but not before the attackers obtain control over the compromised account by siphoning session cookies [1].

The ultimate goal of these attacks is to steal session cookies [2] [7], granting threat actors access to privileged systems without reauthentication [2] [7]. Incident response procedures for AiTM attacks require the revocation of stolen session cookies [2] [4] [7].

Microsoft emphasizes that although AiTM phishing attempts to bypass MFA [1], MFA remains essential for identity security [1], and recommends MFA methods such as Microsoft Authenticator [4], FIDO2 security keys [4], and certificate-based authentication to secure identities [4].

Conclusion

AiTM phishing techniques pose a serious threat to the security of Office 365 users. These attacks bypass MFA and can lead to session hijacking, follow-on BEC attacks, payment fraud [5], and unauthorized access to private financial documents [5].

The detection and mitigation of AiTM attacks require continuous monitoring and adaptive detection mechanisms. It is crucial for organizations to implement strong security measures, such as MFA methods recommended by Microsoft, to protect against evolving phishing techniques.
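As an added illustration of the monitoring-and-revocation loop described above (example code written for this page, not code from Microsoft or any of the cited reports), the following Python flags sessions whose cookie-based sign-in arrives from a different network than the MFA sign-in that created the session, and turns each finding into a session-revocation action. The simplified event format, the user names, the IP/ASN values and the action strings are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records in the shape of a simplified cloud identity
# audit log (not real data). With an AiTM relay, the victim's session cookie is
# replayed from the attacker's infrastructure, so one session shows up first from
# the victim's network (MFA sign-in) and then from a different ASN (cookie sign-in).
SAMPLE_EVENTS = [
    # timestamp, user, session_id, source_ip, asn, auth_method
    ("2024-05-01T09:00:00", "alice@example.com", "sess-A1", "203.0.113.10", "AS64500", "mfa"),
    ("2024-05-01T09:03:00", "alice@example.com", "sess-A1", "198.51.100.7", "AS64511", "cookie"),
    ("2024-05-01T09:05:00", "bob@example.com",   "sess-B7", "203.0.113.22", "AS64500", "mfa"),
    ("2024-05-01T10:30:00", "bob@example.com",   "sess-B7", "203.0.113.22", "AS64500", "cookie"),
    ("2024-05-01T11:00:00", "carol@example.com", "sess-C3", "192.0.2.5",    "AS64496", "mfa"),
    ("2024-05-03T08:00:00", "carol@example.com", "sess-C3", "198.51.100.9", "AS64511", "cookie"),
]


def find_suspect_sessions(events):
    """Return {session_id: (user, minutes_since_mfa)} for every session in which a
    cookie-based sign-in comes from a different IP and ASN than the MFA sign-in
    that minted the session. A gap of a few minutes is typical of a live AiTM
    relay; a gap of days points at later reuse of a stolen cookie."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, asn, method in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, asn, method))
    suspects = {}
    for sid, evs in by_session.items():
        evs.sort()
        mfa_events = [e for e in evs if e[4] == "mfa"]
        if not mfa_events:
            continue  # no MFA anchor to compare against; another rule must cover this
        t0, user, ip0, asn0, _ = mfa_events[0]
        for t, _, ip, asn, method in evs:
            if method == "cookie" and ip != ip0 and asn != asn0:
                suspects[sid] = (user, (t - t0).total_seconds() / 60)
                break
    return suspects


def revocation_plan(suspects):
    """Map each flagged session to the response step the text calls for: revoke
    the user's sessions so the stolen cookie stops working. The action string is a
    placeholder for the real identity-provider revocation call."""
    return sorted(f"revoke-sessions user={user} session={sid}"
                  for sid, (user, _) in suspects.items())
```

Sessions that the MFA sign-in and cookie sign-in share the same network (Bob's) are not flagged; tune the IP/ASN comparison to your own sign-in telemetry, since legitimate roaming between networks also changes the source ASN.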

As cybercriminals continue to develop new ways to overcome existing protections [5], it is essential for users and organizations to stay vigilant and proactive in their security practices.

References

[1] https://thehackernews.com/2022/07/microsoft-warns-of-large-scale-aitm.html
[2] https://www.linkedin.com/pulse/phishing-as-a-service-gets-smarter-microsoft-sounds-alarm-aitm/
[3] https://jeffreyappel.nl/protect-against-aitm-mfa-phishing-attacks-using-microsoft-technology/
[4] https://www.infosecurity-magazine.com/news/microsoft-aitm-uptick-phishing/
[5] https://www.makeuseof.com/microsoft-aitm-phishing-attacks-warning/
[6] https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769
[7] https://www.redpacketsecurity.com/phishing-as-a-service-gets-smarter-microsoft-sounds-alarm-on-aitm-attacks/