
Adversary-in-the-Middle (AiTM) Phishing Attacks Target Numerous Organizations


The Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center (MSTIC) have detailed a large-scale phishing campaign that used so-called adversary-in-the-middle (AiTM) phishing sites. The sites were deployed to harvest passwords, hijack sign-in sessions, and skip authentication steps, including multi-factor authentication (MFA).

The stolen credentials and session cookies were later used to access victims’ mailboxes and carry out business email compromise (BEC) attacks against other individuals. According to Microsoft’s threat data, the AiTM phishing operation has attempted to compromise more than 10,000 organizations since it began in September 2021.

What Is Specific about AiTM Phishing?

“In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate),” Microsoft explained. This setup lets attackers intercept and steal the victim’s password and session cookie, thus obtaining an ongoing, authenticated session with the website. It should be underlined that AiTM phishing does not exploit a vulnerability in multi-factor authentication: because the technique steals the session cookie issued after a successful sign-in, the attacker is authenticated to a session on the user’s behalf regardless of the sign-in method.
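Because the cookie theft described above leaves MFA itself intact, the defender's signal is not a failed MFA challenge but the replay of an already-established session from a second client. The following is an added example, not code from the article or from Microsoft: it parses constructed sign-in records (the JSON field names are an assumption, not a real identity-provider schema) and flags any session id that is reused from a different IP address or user agent shortly after the sign-in that created it, which is exactly the footprint an AiTM proxy leaves when it forwards the victim's sign-in and then replays the captured cookie.

```python
"""Session-replay detection over sign-in telemetry (added example, not the
article's or Microsoft's code).  Field names and sample values are constructed."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # id of the session the service issued at sign-in
    ip: str
    ua: str           # user agent string as reported by the client


# Constructed sample log in JSON-lines form.  Alice's session is replayed four
# minutes later from another host (the AiTM pattern); Bob's second event is the
# same client; Carol's reuse is hours later from a new IP (roaming, outside the
# default window, so it is not flagged).
SAMPLE_LOG = """\
{"ts": "2022-07-12T09:00:00Z", "user": "alice@example.test", "session_id": "sess-A1", "ip": "203.0.113.10", "ua": "Chrome/103 Windows"}
{"ts": "2022-07-12T09:04:00Z", "user": "alice@example.test", "session_id": "sess-A1", "ip": "198.51.100.77", "ua": "Chrome/103 Linux"}
{"ts": "2022-07-12T10:00:00Z", "user": "bob@example.test", "session_id": "sess-B7", "ip": "203.0.113.22", "ua": "Safari/605 macOS"}
{"ts": "2022-07-12T10:30:00Z", "user": "bob@example.test", "session_id": "sess-B7", "ip": "203.0.113.22", "ua": "Safari/605 macOS"}
{"ts": "2022-07-12T11:00:00Z", "user": "carol@example.test", "session_id": "sess-C3", "ip": "203.0.113.40", "ua": "Chrome/103 Windows"}
{"ts": "2022-07-12T14:00:00Z", "user": "carol@example.test", "session_id": "sess-C3", "ip": "192.0.2.9", "ua": "Chrome/103 Windows"}
"""


def parse_log(text):
    """Turn JSON-lines sign-in records into SignIn objects (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat does not accept a trailing 'Z' on older Pythons.
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(SignIn(ts, rec["user"], rec["session_id"], rec["ip"], rec["ua"]))
    return events


def detect_session_replay(events, window=timedelta(hours=1)):
    """Return one alert per session id that is reused from a different IP or
    user agent within `window` of the sign-in that first established it.

    The first sighting of a session id is taken as the legitimate, interactive
    sign-in (the one that satisfied MFA).  A later use of the same id from a
    different origin shortly afterwards is the cookie being replayed elsewhere.
    """
    origin = {}   # session_id -> SignIn that established the session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = origin.get(ev.session_id)
        if first is None:
            origin[ev.session_id] = ev
            continue
        changed_ip = ev.ip != first.ip
        changed_ua = ev.ua != first.ua
        if (changed_ip or changed_ua) and ev.ts - first.ts <= window:
            alerts.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "first_ip": first.ip, "replay_ip": ev.ip,
                "first_ua": first.ua, "replay_ua": ev.ua,
                "delta_seconds": int((ev.ts - first.ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(f"{alert['user']}: session {alert['session_id']} replayed from "
              f"{alert['replay_ip']} ({alert['replay_ua']}) {alert['delta_seconds']}s "
              f"after sign-in from {alert['first_ip']}")
```

The time window is a tuning knob: a tight window catches the proxy replay, which typically follows the victim's sign-in within minutes, while keeping ordinary roaming between networks quiet. In production the comparison would also use ASN or geolocation rather than raw IP, and the alert is only a trigger for revoking the session. Sign-in methods that bind the credential to the site's origin, such as FIDO2/WebAuthn, prevent the proxy domain from completing authentication in the first place.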

“Based on our analysis, these campaign iterations use the Evilginx2 phishing kit as their AiTM infrastructure. We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds,” Microsoft added.

In terms of initial access, emails about supposed voice messages, carrying HTML file attachments, were sent to recipients in multiple organizations. Once opened, the file would load in the user’s browser and display a page informing the victim that the voice message was being downloaded.

Earlier this year, security researchers detailed a new phishing attack called browser-in-the-browser (BitB). The attack could be leveraged to simulate a browser window within the browser to spoof a legitimate domain, thus increasing the credibility of the phishing attempt.

Milena Dimitrova
