The Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center (MSTIC) have detailed a large-scale phishing campaign that used so-called adversary-in-the-middle (AiTM) phishing sites. The sites were deployed to harvest passwords, hijack sign-in sessions and bypass the authentication process, including multi-factor authentication (MFA).
The stolen credentials and session cookies were later used to access victims' mailboxes and carry out business email compromise (BEC) attacks against other targets. According to Microsoft's threat data, the AiTM phishing operation has attempted to compromise more than 10,000 organizations since it began in September 2021.
What Is Specific about AiTM Phishing?
“In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate),” Microsoft explained. With this setup the attacker intercepts and records the victim's password and the session cookie the real site issues, and so obtains an ongoing, authenticated session with that site. It should be underlined that AiTM phishing does not exploit a vulnerability in multi-factor authentication: the user completes MFA normally, and the proxy simply forwards the exchange. Because the technique steals the session cookie issued after authentication, the attacker is authenticated on the user's behalf regardless of which sign-in method produced that cookie. One caveat for defenders: this works for any factor the proxy can relay unchanged (passwords, one-time codes, push approvals). Phishing-resistant methods such as FIDO2/WebAuthn bind the credential to the legitimate site's origin, so a proxy on a look-alike domain cannot complete the sign-in in the first place.
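The relay described above, reduced to an in-memory simulation, together with the check a SOC analyst would want afterwards: a session cookie that is used from more than one source IP. This is an added example, not Microsoft's analysis code and not the Evilginx2 kit; the sign-in service, the user "alice", the IP addresses and the log format are constructed stand-ins. The point it makes that the paragraph only states: the real site never sees the victim's IP at sign-in (it sees the proxy's), MFA succeeds, and the cookie alone is what grants mailbox access.

```python
"""Adversary-in-the-middle (AiTM) relay simulated in memory, plus a session
replay check over the resulting sign-in log. Added example; the service,
user, IPs and log format are constructed, not taken from the campaign."""
import hmac
import secrets
from collections import defaultdict


class SignInService:
    """Hypothetical target site: password + one-time code, then a session
    cookie. Every request is logged with the client IP the site actually saw."""

    def __init__(self, users):
        self.users = users          # user -> (password, one-time code)
        self.sessions = {}          # cookie -> user
        self.log = []               # constructed sign-in / access log

    def login(self, user, password, code, client_ip):
        pw, otp = self.users.get(user, ("", ""))
        ok = hmac.compare_digest(pw, password) and hmac.compare_digest(otp, code)
        if not ok:
            self.log.append({"event": "login_fail", "user": user, "ip": client_ip})
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        self.log.append({"event": "login_ok", "user": user, "ip": client_ip,
                         "cookie": cookie})
        return cookie

    def read_mailbox(self, cookie, client_ip):
        # The cookie is the only credential checked here, exactly as in the
        # post-authentication phase of a real session.
        user = self.sessions.get(cookie)
        self.log.append({"event": "mailbox", "user": user, "ip": client_ip,
                         "cookie": cookie})
        return user


class AiTMProxy:
    """Phishing page that forwards the victim's sign-in to the real site.
    The site sees the proxy's IP, not the victim's, and the proxy keeps a copy
    of everything that passed through, including the session cookie."""

    def __init__(self, site, proxy_ip):
        self.site, self.proxy_ip, self.captured = site, proxy_ip, []

    def login(self, user, password, code):
        cookie = self.site.login(user, password, code, self.proxy_ip)
        self.captured.append({"user": user, "password": password,
                              "code": code, "cookie": cookie})
        return cookie   # the victim also gets a working session, so nothing looks wrong


def find_replayed_sessions(log):
    """Flag session cookies seen from more than one source IP.
    Returns {cookie: sorted list of IPs} for each flagged session."""
    ips = defaultdict(set)
    for rec in log:
        if rec.get("cookie"):
            ips[rec["cookie"]].add(rec["ip"])
    return {c: sorted(s) for c, s in ips.items() if len(s) > 1}


def run_scenario():
    site = SignInService({"alice": ("correct horse battery", "492817")})
    proxy = AiTMProxy(site, proxy_ip="198.51.100.7")     # attacker infrastructure
    # Victim types password and MFA code into the proxied page; MFA succeeds.
    victim_cookie = proxy.login("alice", "correct horse battery", "492817")
    # Attacker replays the captured cookie from a different machine.
    stolen = proxy.captured[0]["cookie"]
    owner = site.read_mailbox(stolen, client_ip="203.0.113.44")
    return {
        "cookie_captured": stolen == victim_cookie,
        "mailbox_owner": owner,
        "flagged": find_replayed_sessions(site.log),
    }


if __name__ == "__main__":
    print(run_scenario())
```

`find_replayed_sessions` is deliberately the simplest useful rule. In production sign-in data a session moving between IPs is common (mobile roaming, VPN reconnects), so the check is usually combined with user-agent changes, impossible-travel distance between the two IPs, and whether the first IP is one the user had never signed in from before, since in an AiTM case that first IP belongs to the attacker's proxy rather than the victim.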
“Based on our analysis, these campaign iterations use the Evilginx2 phishing kit as their AiTM infrastructure. We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds,” Microsoft added.
As for initial access, emails purporting to notify recipients of a voice message, with an HTML file attached, were sent to users in multiple organizations. Once opened, the attachment loaded in the user's browser and displayed a page telling the victim that the voice message was being downloaded.
Earlier this year, security researchers detailed a different phishing technique, browser-in-the-browser (BitB), which simulates a browser pop-up window inside the page so that the fake window's address bar shows a legitimate domain, increasing the credibility of the phishing attempt.