AiTM Phishing Attacks

Researchers warn of large-scale AiTM attacks targeting enterprise users

A new large-scale phishing campaign using adversary-in-the-middle (AitM) techniques has been observed circumventing security protections and compromising enterprise email accounts.

“It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication,” Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report. “The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.”

Notable targets include the fintech, lending, insurance, energy, manufacturing and federal credit union verticals, located in the United States, United Kingdom, New Zealand and Australia.


This is not the first time such a phishing attack has come to light. Last month, Microsoft revealed that more than 10,000 organizations had been targeted since September 2021 using AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, active as of June 2022, begins with an invoice-themed email sent to targets containing an HTML attachment, which has a phishing URL embedded in it.


Opening the attachment in a web browser redirects the email recipient to a phishing page masquerading as a Microsoft Office login page, but not before the page fingerprints the victim's machine to determine whether the visitor is indeed the intended target.

AitM phishing attacks go beyond traditional phishing tactics designed to steal credentials from unwitting users, particularly where MFA is enabled, since MFA is a security barrier that prevents an attacker from logging into an account with the stolen credentials alone.


To get around this, the rogue landing page is built with a phishing kit that functions as a proxy, capturing and relaying all communication between the client (i.e. the victim) and the email server.

“The phishing kit intercepts the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works,” the researchers said.


This also entails replacing all links to Microsoft domains with equivalent links on the phishing domain, so that the back-and-forth with the fraudulent website remains intact throughout the session.
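The link rewriting described above has a defender-side signature: a page branded as a Microsoft sign-in whose credential form and links point at a host Microsoft does not own. The following Python heuristic, an added example and not code from the Zscaler report, checks an HTML page for exactly that; the allow-list of Microsoft hosts and the two sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short illustrative list of hosts a genuine Microsoft sign-in flow
# uses; a production allow-list would be maintained from vendor documentation.
MICROSOFT_HOSTS = ("login.microsoftonline.com", "login.live.com",
                   "microsoft.com", "office.com", "live.com")

def is_microsoft_host(host: str) -> bool:
    """True if host is an allow-listed Microsoft host or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_HOSTS)

class _SignInPage(HTMLParser):
    """Collects the <title> text, form actions and link/script/image targets."""
    def __init__(self):
        super().__init__()
        self.title, self.forms, self.links, self._in_title = "", [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag in ("a", "script", "link", "img") and (a.get("href") or a.get("src")):
            self.links.append(a.get("href") or a.get("src"))
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def _hosts(urls):
    # Relative URLs have no hostname and resolve to the serving origin; skip them.
    return sorted({urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname})

def analyze(html: str) -> dict:
    """Report foreign hosts and whether a Microsoft-branded form posts off-domain."""
    p = _SignInPage()
    p.feed(html)
    branded = "microsoft" in p.title.lower()
    foreign_forms = [h for h in _hosts(p.forms) if not is_microsoft_host(h)]
    foreign_links = [h for h in _hosts(p.links) if not is_microsoft_host(h)]
    # A Microsoft-branded login that submits credentials to a non-Microsoft host
    # is the footprint a proxied (AitM) page leaves after link rewriting.
    return {"branded_as_microsoft": branded, "foreign_form_hosts": foreign_forms,
            "foreign_link_hosts": foreign_links,
            "suspicious": branded and bool(foreign_forms)}

# Constructed samples (not real pages): a genuine-looking sign-in page and a
# proxied copy whose Microsoft links were rewritten to a lookalike host.
GENUINE = ('<html><head><title>Sign in to your account - Microsoft</title></head>'
           '<body><form action="https://login.microsoftonline.com/common/login">'
           '<a href="https://login.live.com/reset">Forgot password?</a></form></body></html>')
PROXIED = (GENUINE.replace("login.microsoftonline.com", "login.microsoftonline-secure.example")
           .replace("login.live.com", "login.live-secure.example"))

if __name__ == "__main__":
    for name, page in (("genuine", GENUINE), ("proxied", PROXIED)):
        print(name, analyze(page))
```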

Zscaler said it observed the attacker manually logging into the account eight minutes after the credentials were stolen, following up by reading emails and checking the user's profile information.

What's more, in some cases the compromised mailboxes are subsequently used to send additional phishing emails as part of the same campaign to conduct business email compromise (BEC) scams.

The researchers noted that “although security features such as multi-factor authentication (MFA) add an extra layer of security, it should not be considered a silver bullet to protect against phishing attacks.”

“By using advanced phishing kits (AitM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.”
