
AiTM phishing campaign also targets G Suite users

The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign now target Google G Suite users

The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services were spotted targeting Google G Suite users.

In AiTM phishing, threat actors place a proxy server between the target user and the website the user intends to visit; the phishing page the user actually lands on is this proxy, under the attackers' control. Because the proxy relays the traffic to the legitimate site, attackers can read it and capture both the target's password and the session cookie issued after authentication, which is why MFA alone does not stop the attack.

Once they had obtained the credentials and session cookies needed to access users' mailboxes, the threat actors launched business email compromise (BEC) campaigns against other targets. Microsoft experts believe that the AiTM phishing campaign has been used to target more than 10,000 organizations since September 2021.

Beginning in mid-July 2022, researchers from the security firm Zscaler started observing AiTM phishing attacks against G Suite users. These attacks are quite similar to the ones that targeted Microsoft users in past months: the experts observed the same TTPs and also an overlap of infrastructure. In some cases, the attackers switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure.

“This campaign specifically targeted chief executives and other senior members of various organizations which use G Suite,” reads the analysis published by Zscaler. “It is important to note that AiTM phishing kits can be used to target various websites and bypass multi-factor authentication. By using phishlets crafted to target a specific legitimate website, attackers can quickly re-use the AiTM phishing technique against a new target website.”

The researchers pointed out the Gmail AiTM phishing campaign had a much lower volume of targets compared to the Microsoft AiTM phishing attack.

The attack chain starts with emails containing a malicious link. This link leverages multiple levels of redirection and abuses Open Redirect pages on legitimate sites to send the users to the Gmail phishing domain.

The phishing messages impersonated Google and pretended to be password-expiry reminder emails urging recipients to click the link to “Extend their access.”

Threat actors also fingerprinted the client to determine whether it is a real user or an automated analysis system.

One of the redirection processes employed by the threat actors abused Open Redirect pages of Google Ads and Snapchat. This process is similar to the one observed in the Microsoft AiTM phishing campaign.

Another variant of the attack employed compromised websites hosting a Base64-encoded version of the second-stage redirector, with the victim's email address carried in the URL. Attackers used JavaScript hosted on the compromised domains as an intermediate redirector.
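As an added example (not code from the Zscaler report or from this article), the following Python statically unwraps a redirect chain of the kind described above, peeling nested redirect parameters, including Base64-encoded ones, off a link without fetching anything, and flags a lure whose final host is not the impersonated brand. The parameter names and every hostname in the sample lure are assumptions constructed for the example.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, urlparse

# Parameter names commonly used by open-redirect endpoints. This list is an
# assumption for the example, not a list taken from the Zscaler report.
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "adurl", "u", "next", "dest")

def _decode_hop(value):
    """Return value as a URL if it is one, or if it is a Base64-encoded URL."""
    if value.startswith(("http://", "https://")):
        return value
    try:
        padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None

def _next_hop(params):
    """Find the first redirect-style parameter that carries a decodable URL."""
    for name in REDIRECT_PARAMS:
        for raw in params.get(name, []):
            url = _decode_hop(raw)
            if url:
                return url
    return None

def redirect_chain(url, max_depth=10):
    """Return the ordered list of hosts a victim would traverse by following
    nested redirect parameters. Purely static: no network requests are made."""
    hops, current = [], url
    for _ in range(max_depth):
        parsed = urlparse(current)
        hops.append(parsed.netloc.lower())
        current = _next_hop(parse_qs(parsed.query))
        if current is None:
            break
    return hops

def is_brand_mismatch(url, brand="google.com"):
    """True when the link passes through at least one redirect and ends on a
    host outside the impersonated brand's domain (the AiTM proxy, typically)."""
    hops = redirect_chain(url)
    final = hops[-1]
    return len(hops) > 1 and not (final == brand or final.endswith("." + brand))

# Constructed sample lure: ad-style redirector -> second-stage redirector that
# carries the landing page Base64-encoded -> the proxy host. All names invented.
LANDING = "https://accounts-google-renewal.example/login"
STAGE2 = "https://snap-redirect.example/r?u=" + base64.urlsafe_b64encode(LANDING.encode()).decode()
SAMPLE_LURE = "https://ads-redirect.example/aclk?adurl=" + quote(STAGE2, safe="")
```

Running `redirect_chain(SAMPLE_LURE)` yields the three hops in order, and `is_brand_mismatch(SAMPLE_LURE)` is True because the chain ends outside google.com.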

In one of the attacks analyzed by Zscaler, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was updated to conduct an AiTM phishing attack against G Suite users.

“It is important to understand that such attacks are not limited to only Microsoft and Gmail enterprise users. An attacker can bypass multi-factor authentication protection on many different services using this method.” concludes the report. “Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.”


Pierluigi Paganini
