Large-scale AiTM phishing campaign targeted +10,000 orgs since 2021

A large-scale phishing campaign used adversary-in-the-middle (AiTM) phishing sites to hit more than 10,000 organizations

Microsoft observed a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and bypass the authentication process even when the victim has enabled the MFA.

In AiTM phishing, threat actors set up a proxy server between a target user and the website the user wishes to visit, which is the phishing site under the control of the attackers. The proxy server allows attackers to access the traffic and capture the target’s password and the session cookie. 

Once obtained the credentials and session cookies to access users’ mailboxes, threat actors launched business email compromise (BEC) campaigns against other targets. Microsoft experts believe that the AiTM phishing campaign was used to target more than 10,000 organizations since September 2021.

The landing pages used in this campaign were designed to target Office 365 authentication process by posing as the Office online authentication page. Microsoft researchers noticed that the operators behind this campaign use the Evilginx2 phishing kit as their AiTM infrastructure.

In some of the attacks observed by the experts, threat actors used phishing emails with an HTML file attachment. In order to trick victims into opening the attachment, the message informed the recipients that they had a voice message.

“This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable” reads the analysis published by Microsoft. “By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.”

Once the attackers have captured the session cookie, they have injected it into their browser to skip the authentication process, even if the recipient enabled the MFA for his account. 

Microsoft recommends organization to adopt MFA implementation “phish-resistant” by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.

Microsoft also recommends enabling conditional access policies every time an attacker attempts to use a stolen session cookie, and monitoring for suspicious or anomalous activities, such as sign-in attempts with suspicious characteristics and unusual mailbox activities.

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks.” concludes the report. “While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, AiTM phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]