Researchers warn of large-scale AiTM attacks targeting business users


A new large-scale phishing campaign has been observed that uses adversary-in-the-middle (AitM) techniques to circumvent security measures and compromise corporate email accounts.

“It uses an adversary-in-the-middle (AitM) attack technique that can bypass multi-factor authentication,” Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report. “The campaign is specifically designed to target end-users in companies using Microsoft’s email services.”

Prominent targets include fintech, lending, insurance, energy and manufacturing companies, as well as federal credit unions, in the US, UK, New Zealand and Australia.

It is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that AitM techniques had been used against more than 10,000 organizations since September 2021 to break into accounts secured with multi-factor authentication (MFA).

The ongoing campaign, which began in June 2022, starts with an invoice-themed email sent to targets that carries an HTML attachment containing a phishing URL.

Opening the attachment in a web browser redirects the recipient to a phishing page masquerading as a Microsoft Office login page, but not before the recipient's machine is fingerprinted to determine whether the visitor is actually an intended target.

AitM phishing goes beyond traditional credential-harvesting phishing, which falls short wherever MFA is enabled: with MFA in place, stolen credentials alone are not enough for the attacker to log into the account.

To get around this, the rogue landing page, built with a phishing kit, acts as a reverse proxy that captures and relays all traffic between the client (i.e. the victim's browser) and the legitimate Microsoft login server. Because the victim completes the MFA challenge through the proxy, the kit also sees the authenticated session cookie that Microsoft issues afterwards, which is what lets the attacker use the account without the second factor.

“The kits intercept the HTML content received from the Microsoft servers and before it is sent back to the victim, the content is manipulated by the kit in various ways to ensure that the phishing process works,” the researchers said.

This includes replacing every link to a Microsoft domain with the equivalent link on the phishing domain, so that each request and redirect in the sign-in flow keeps passing through the fraudulent site for the whole session.
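The link-rewriting step described above, shown as an added example that is not Zscaler's code nor code from the kit the researchers analysed. The first function performs the rewrite on a constructed HTML fragment that stands in for a Microsoft sign-in page: every absolute URL pointing at a Microsoft login host is re-pointed at the proxy's host (the hostname `login-example-phish.test` is hypothetical), with path and query preserved so the proxied page still works. The second function is the defender's check: a page that carries Microsoft sign-in markers but is served from, or posts its credential form to, a host outside the legitimate Microsoft login domains is flagged as a candidate proxied login page. The marker strings and the small host allow-list are assumptions made for the demo, not a complete list.

```python
"""Link rewriting as done by an AitM reverse proxy, and a heuristic to spot it.

Added example; constructed HTML and hypothetical attacker hostname throughout.
"""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Hosts a Microsoft sign-in flow legitimately bounces between (assumed subset).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "aadcdn.msauth.net",
    "aadcdn.msftauth.net",
}

# Hypothetical attacker-controlled host used only by this demo.
PHISHING_HOST = "login-example-phish.test"

# Constructed fragment standing in for what the kit receives from Microsoft.
UPSTREAM_HTML = """<html><head>
<link rel="stylesheet" href="https://aadcdn.msauth.net/shared/1.0/content/css/converged.css">
<script src="https://aadcdn.msftauth.net/shared/1.0/content/js/ConvergedLogin.js"></script>
</head><body>
<form id="i0281" method="post" action="https://login.microsoftonline.com/common/login">
<input type="email" name="loginfmt"><input type="password" name="passwd">
</form>
<a href="https://login.live.com/ppsecure/post.srf?cobrandid=x">Can't access your account?</a>
</body></html>"""

# Absolute URLs in href/src/action attributes.
_URL_ATTR = re.compile(r'(?P<attr>\b(?:href|src|action)=")(?P<url>https?://[^"]+)"', re.I)
# action="..." of any <form>, absolute or relative.
_FORM_ACTION = re.compile(r'<form[^>]*\baction="(?P<url>[^"]+)"', re.I)
# Strings that mark a Microsoft sign-in page (assumed, for the demo).
_MS_MARKERS = ("loginfmt", "passwd", "msauth.net", "msftauth.net", "microsoftonline")


def rewrite_links(html: str, phishing_host: str = PHISHING_HOST) -> str:
    """Attacker side: swap the host of every URL that points at a Microsoft
    login domain for the phishing host, keeping scheme, path and query.
    URLs to any other domain are left untouched."""
    def _swap(m: re.Match) -> str:
        parts = urlsplit(m.group("url"))
        if parts.hostname in MICROSOFT_LOGIN_HOSTS:
            parts = parts._replace(netloc=phishing_host)
        return m.group("attr") + urlunsplit(parts) + '"'
    return _URL_ATTR.sub(_swap, html)


def looks_like_aitm_page(html: str, page_origin: str) -> bool:
    """Defender side: True if the page has Microsoft sign-in markers but was
    served from, or posts a form to, a host outside MICROSOFT_LOGIN_HOSTS.
    Relative form actions are resolved against page_origin first."""
    if not any(marker in html for marker in _MS_MARKERS):
        return False
    hosts = {urlsplit(page_origin).hostname}
    for m in _FORM_ACTION.finditer(html):
        hosts.add(urlsplit(urljoin(page_origin, m.group("url"))).hostname)
    return not hosts <= MICROSOFT_LOGIN_HOSTS


if __name__ == "__main__":
    proxied = rewrite_links(UPSTREAM_HTML)
    print(proxied)
    print("genuine page flagged:", looks_like_aitm_page(UPSTREAM_HTML, "https://login.microsoftonline.com/"))
    print("proxied page flagged:", looks_like_aitm_page(proxied, f"https://{PHISHING_HOST}/"))
```

Running the block prints the rewritten page, in which no Microsoft hostname survives, and then `False` for the genuine page and `True` for the proxied copy. The heuristic is deliberately narrow: it catches the rewrite the article describes, not a kit that serves the form from a look-alike host and rewrites nothing visible, and it does nothing about the session cookie the proxy has already captured. The control that defeats the technique itself is phishing-resistant MFA (FIDO2/WebAuthn), whose assertion is bound to the origin the browser is actually talking to and therefore cannot be replayed by the proxy.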

Zscaler said it observed the attacker manually logging into the account eight minutes after the credential theft, then reading emails and checking the user's profile information.

In some cases, the compromised inboxes were then used to send further phishing emails as part of the same campaign to carry out business email compromise (BEC).

“While security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered a panacea for protecting against phishing attacks,” the researchers noted.

“Using advanced phishing kits (AiTM) and smart evasion techniques, threat actors can bypass both traditional and advanced security solutions.”