
DEV-1101 AiTM phishing kit is fueling large-scale phishing campaigns

Microsoft warns of large-scale phishing attacks orchestrated with an open-source adversary-in-the-middle (AiTM) phishing kit available in the cybercrime ecosystem

Adversary-in-the-middle (AiTM) phishing kits are becoming an essential technology in the cybercrime ecosystem that is used by multiple threat actors to launch phishing attacks. AiTM phishing allows threat actors to circumvent multifactor authentication (MFA) through reverse-proxy functionality.

In AiTM phishing, threat actors place a proxy server between the target user and the legitimate website the user wishes to visit: the phishing site under the attackers’ control relays the user’s requests to the real site and the real site’s responses back to the user. Because all traffic passes through the proxy, the attackers can capture both the target’s password and the session cookie issued once the sign-in completes.
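As an added illustration of the cookie-theft step (not part of the original article or of Microsoft’s report), the following Python detection sketch runs over constructed sign-in/session log lines in a hypothetical format and flags a session cookie reused from a different source address within minutes of being issued, one indicator that a captured session is being replayed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in a hypothetical "timestamp user session_id src_ip user_agent"
# format. The first line for each session_id is the sign-in that minted the session cookie.
SAMPLE_EVENTS = """\
2023-03-13T09:00:01Z alice@example.test S1 198.51.100.10 Mozilla/5.0 (Windows NT 10.0) Edge/110
2023-03-13T09:00:09Z alice@example.test S1 203.0.113.77 python-requests/2.28
2023-03-13T09:05:00Z bob@example.test S2 198.51.100.22 Mozilla/5.0 (Macintosh) Safari/16
2023-03-13T10:30:00Z bob@example.test S2 198.51.100.22 Mozilla/5.0 (Macintosh) Safari/16
"""

@dataclass
class Event:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str

def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, ua = line.split(maxsplit=4)  # user agent may contain spaces
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, sid, ip, ua))
    return sorted(events, key=lambda e: e.ts)

def find_session_replay(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag a session cookie used from a different source IP shortly after it was issued.
    With an AiTM proxy the sign-in reaches the real service from the proxy, and the captured
    cookie is then used from other attacker infrastructure, often with a scripted user agent.
    Corporate NAT, VPNs and mobile roaming also change IPs, so treat hits as leads to correlate."""
    first_seen: Dict[str, Event] = {}
    alerts = []
    for ev in events:
        origin = first_seen.setdefault(ev.session_id, ev)
        if ev is origin:
            continue
        if ev.src_ip != origin.src_ip and ev.ts - origin.ts <= window:
            alerts.append({"user": ev.user, "session_id": ev.session_id,
                           "issued_from": origin.src_ip, "replayed_from": ev.src_ip,
                           "seconds_after_issue": int((ev.ts - origin.ts).total_seconds()),
                           "user_agent_changed": ev.user_agent != origin.user_agent})
    return alerts
```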

Microsoft is currently tracking a threat actor dubbed DEV-1101 that develops, supports, and advertises several AiTM phishing kits available for sale or rent in the cybercrime underground.

Since May 2022, DEV-1101 has been offering an open-source kit that automates setting up and launching sophisticated phishing attacks. The kit was continually enhanced throughout 2022: the actor added the ability to manage campaigns from mobile devices and evasion features such as CAPTCHA pages.

The price for the tool was increased multiple times due to the rapid growth of its popularity in the cybercrime ecosystem from July through December 2022. As of this writing, the actor offers the tool for $300, with VIP licenses at $1,000. Legacy users were permitted to continue purchasing licenses at $200 prior to January 1, 2023.

The kit provides phishing pages mimicking popular services, including Microsoft Office or Outlook.

Microsoft warns of large-scale campaigns orchestrated through this phishing kit: millions of phishing emails per day were sent using the toolkit.

“Microsoft observed several high-volume phishing campaigns from various actors using the tool offered by DEV-1101, comprising millions of phishing emails per day. DEV-0928, an actor Microsoft has tracked since September 2022, is one of DEV-1101’s more prominent patrons and was observed launching a phishing campaign involving over one million emails.” reads the analysis published by Microsoft.

The report includes some examples of campaigns orchestrated through the DEV-1101 phishing kit, such as the case of a campaign launched by a threat actor tracked as DEV-0928.

The AiTM phishing attack chain begins with document-themed emails containing a link to a PDF document. Upon clicking the link, the recipient is directed to a login page that masquerades as Microsoft’s sign-in portal, but not before being urged to complete a CAPTCHA step.

“The kit also allows threat actors to use CAPTCHA to evade detection. Inserting a CAPTCHA page into the phishing sequence could make it more difficult for automated systems to reach the final phishing page, while a human could easily click through to the next page.” Microsoft said.

Microsoft urges organizations to adopt authentication methods that cannot be bypassed with phishing attacks like the one described in the report. The recommended authentication methods include the use of FIDO2 security keys, Microsoft Authenticator, and certificate-based authentication.
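To show why the FIDO2 recommendation holds against a relaying proxy, here is an added, simplified model (not code from the article or from any FIDO library) of how a WebAuthn-style relying party checks an assertion; the hypothetical origins `login.example.test` and `login-example.test`, the constructed credential key, and the use of HMAC in place of the real public-key signature are all assumptions of the model.

```python
import hashlib
import hmac
import json

# Hypothetical relying party (RP) and a constructed look-alike origin served by an AiTM proxy.
RP_ID = "login.example.test"
RP_ORIGIN = "https://login.example.test"
PHISH_ORIGIN = "https://login-example.test"

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def browser_assert(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    """Browser + authenticator model: the browser (not the page) records the origin it is
    really on and derives the RP ID from it; the authenticator signs
    authenticatorData || SHA-256(clientDataJSON). HMAC stands in for the private-key signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    auth_data = rp_id_hash(browser_origin.split("://", 1)[1])
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, "sha256").digest()}

def rp_verify(cred_key: bytes, assertion: dict, expected_challenge: bytes) -> tuple:
    """RP checks: its own origin and RP ID, the challenge it issued, and a signature over both."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if assertion["auth_data"] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    if not hmac.compare_digest(assertion["sig"], hmac.new(cred_key, signed, "sha256").digest()):
        return False, "bad signature"
    return True, "ok"

def demo() -> dict:
    cred_key = b"constructed-credential-secret"  # registered credential key (constructed)
    challenge = bytes(range(16))                 # challenge issued by the RP (constructed)
    legit = browser_assert(cred_key, RP_ORIGIN, challenge)  # user really on the RP's origin
    # Proxy relays the RP's challenge to a victim browsing the look-alike origin.
    relayed = browser_assert(cred_key, PHISH_ORIGIN, challenge)
    # Proxy rewrites origin and rpIdHash to look legitimate but cannot re-sign with the key.
    cd = json.loads(relayed["client_data"])
    cd["origin"] = RP_ORIGIN
    tampered = {**relayed, "client_data": json.dumps(cd).encode(), "auth_data": rp_id_hash(RP_ID)}
    return {"legitimate": rp_verify(cred_key, legit, challenge),
            "relayed": rp_verify(cred_key, relayed, challenge),
            "tampered": rp_verify(cred_key, tampered, challenge)}
```

A password or one-time code relayed by the same proxy would pass unchanged, which is the gap the origin-bound signature closes.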


Pierluigi Paganini

(SecurityAffairs – hacking, DEV-1101 phishing kit)
