Thousands of Organizations Hit by Massive AiTM Phishing Campaign

Microsoft this week released details of a large-scale phishing campaign that has targeted more than 10,000 organizations since September 2021.

The report, published by the Microsoft 365 Defender research team, provides an in-depth analysis of a global phishing campaign that leveraged adversary-in-the-middle (AiTM) phishing tools and techniques to target businesses and organizations. According to the report:

A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites was stealing passwords, hijacking a user’s login session, and bypassing the authentication process even though the user had enabled multi-factor authentication (MFA). The attackers then used the stolen credentials and session cookies to gain access to affected users’ mailboxes and perform business email compromise (BEC) campaigns against other targets.

AiTM phishing attacks work by placing a malicious proxy server between the legitimate website and the targeted user. When the user visits the phishing site and signs in, the proxy relays the exchange to the real site and captures both the login credentials (username and password) and the session cookie issued for the authenticated session. Because that cookie is the browser’s proof that authentication, including any MFA step, has already been completed, whoever holds it can reuse the session without being challenged again, which renders MFA meaningless for that session.

Microsoft tracked the campaign’s activity through Microsoft 365 and found that the unidentified threat actor was using the Evilginx2 phishing kit, sending targets links (usually via email) that led to a malicious page mimicking the Office online authentication page.

In a typical case, a phishing email alerted the user that they had a new voicemail message. Once the malicious link was clicked, a browser window opened and displayed a fake download status bar for an .MP3 file. Clicking it then launched the fake Office authentication page.

Once the victim was on the page, server-side code validated the victim’s email address and pre-filled it into the sign-in form, lending the page added legitimacy. After the user entered their credentials, they were redirected to the real site, adding a further layer of legitimacy.

Microsoft said the majority of actions seen involved financial fraud. The research team observed attempts by attackers to access finance-related emails and to access email attachments multiple times per day. They also took steps to cover their tracks by deleting the original phishing email from the victim’s inbox.

While the report indicates that Microsoft 365 Defender is capable of detecting these complex phishing techniques, an organization can add another layer of protection to its sign-ins by coupling multi-factor authentication with custom Conditional Access policies that evaluate identity markers such as IP location, device status, and group membership.

Additionally, the report recommends deploying further security solutions against AiTM attacks. “Invest in advanced anti-phishing solutions that monitor and analyze incoming emails and visited websites,” reads the report. “For example, organizations can take advantage of web browsers that can automatically identify and block malicious websites, including those used in this phishing campaign.”

Finally, educating end users on how to spot these phishing attempts will help reduce their success rate. “Track login attempts with suspicious characteristics (e.g., location, ISP, user agent, use of anonymization services),” Microsoft said.
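As an added illustration of the monitoring advice above (this is example code written for this article, not Microsoft’s detection logic or any product’s actual log schema): the script below takes a constructed sample of sign-in and activity events, treats the event that satisfied MFA as the anchor for each session, and flags later use of the same session whose ISP, country or user agent differs from that anchor, or that arrives through an anonymization service. The event field names (`session`, `isp`, `ua`, `mfa`, `anonymizer`) are assumptions for the example.

```python
"""Flag session reuse whose characteristics differ from the MFA sign-in that created it.

A stolen session cookie is typically replayed within minutes from infrastructure
that does not match the victim's device or network, so the check compares every
event in a session against the interactive, MFA-satisfied sign-in.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events; field names are assumptions for this example,
# not an identity provider's real schema.
SAMPLE_EVENTS = [
    # alice: interactive MFA sign-in from her usual network ...
    {"ts": "2022-07-12T08:01:10Z", "user": "alice@example.com", "session": "s1",
     "ip": "203.0.113.5", "isp": "ExampleNet", "country": "US",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103", "mfa": True, "anonymizer": False},
    # ... followed minutes later by activity on the SAME session from a hosting
    # provider abroad, a different browser, and an anonymizing exit node.
    {"ts": "2022-07-12T08:03:42Z", "user": "alice@example.com", "session": "s1",
     "ip": "198.51.100.77", "isp": "HostingCo", "country": "NL",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/103", "mfa": False, "anonymizer": True},
    # bob: MFA sign-in and later activity from the same device and network (benign)
    {"ts": "2022-07-12T09:15:00Z", "user": "bob@example.com", "session": "s2",
     "ip": "203.0.113.9", "isp": "ExampleNet", "country": "US",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605", "mfa": True, "anonymizer": False},
    {"ts": "2022-07-12T10:40:00Z", "user": "bob@example.com", "session": "s2",
     "ip": "203.0.113.9", "isp": "ExampleNet", "country": "US",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605", "mfa": False, "anonymizer": False},
]

# Attributes that should stay stable for the lifetime of one browser session.
STABLE_FIELDS = (("isp", "ISP changed"), ("country", "country changed"), ("ua", "user agent changed"))


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_sessions(events, max_minutes=60):
    """Return one finding per event that reuses a session under changed conditions.

    Each finding lists the reasons; a reuse within `max_minutes` of the MFA
    sign-in is noted as well, since replay of a freshly stolen cookie is fast.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    findings = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: _parse_ts(e["ts"]))
        anchors = [e for e in session_events if e["mfa"]]
        if not anchors:
            continue  # no MFA sign-in to compare against in this sample
        anchor = anchors[0]
        for event in session_events:
            if event is anchor:
                continue
            reasons = [label for field, label in STABLE_FIELDS if event[field] != anchor[field]]
            if event["anonymizer"]:
                reasons.append("anonymization service")
            if not reasons:
                continue
            minutes = (_parse_ts(event["ts"]) - _parse_ts(anchor["ts"])).total_seconds() / 60
            if 0 <= minutes <= max_minutes:
                reasons.append(f"reuse within {minutes:.0f} min of MFA sign-in")
            findings.append({"session": session_id, "user": event["user"],
                             "ip": event["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_EVENTS):
        print(f"{finding['user']} session {finding['session']} from {finding['ip']}: "
              + "; ".join(finding["reasons"]))
```

On the sample, only alice’s session is reported, with all four indicators plus the short interval since her MFA sign-in; bob’s later activity from the same network and browser produces nothing. In practice the comparison fields would be whatever the identity provider’s sign-in logs actually expose, and the hit would be corroborated against mailbox activity such as the deletion of the original phishing email noted above.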
