Adversary-in-the-Middle (AiTM) phishing attack: Key tactics and defense strategies
Phishing has been one of the most widely used techniques by cyber attackers to gain initial access to targeted networks. A new large-scale phishing campaign involving adversary-in-the-middle (AiTM) techniques has targeted more than 10,000 organizations since September 20211. Unlike traditional phishing attacks, this new and quite convenient tactic allows adversaries to operate without building their own phishing sites. In addition to stealing the victim’s password, Microsoft revealed that this phishing campaign is even capable of bypassing Multi-Factor Authentication (MFA).
What is an AiTM attack?
An AiTM attack typically involves a threat actor attempting to steal and intercept a target’s password and session cookies by deploying a proxy server between the user and the website. The attacker alters the communication between these two components and any data shared by the user first flows through the adversary before reaching the intended recipient. This allows the attacker to get authenticated to a session on the user’s behalf, regardless of the sign-in method used by the victim.
Rising threat of AiTM phishing attacks
The resurgence of AiTM attacks through phishing campaigns indicate towards the rapid evolution of cyber threats. Researchers have also observed a sharp increase in the use of advanced phishing attacks and custom phishing kits targeting specific industries and geographies. Here is a quick overview of how AiTM phishing attacks have gradually become a critical threat for organizations:
1. New phishing method bypasses MFA using Microsoft WebView2 apps
A creative new phishing method exploited Microsoft Edge WebView2 applications to collect authentication cookies from victims, enabling threat actors to log into stolen accounts without using multi-factor authentication. This new social engineering attack is called WebView2-cookie Stealer and consists of a WebView2 executable that, when launched, opens up a legitimate website’s login form directly in native apps. As WebView2 allows embedding a web browser with full support for HTML, CSS and JavaScript, any website loaded appears as if it opened up in Microsoft Edge. This functionality enables attackers to collect keystrokes, steal authentication cookies and then send them to a remote server.
2. Microsoft releases details about AiTM phishing campaigns
In July 2022, attackers targeted Office 365 users by spoofing the Office online webpage and deployed web server that proxies HTTP packets from the user to steal session cookies. Once authenticated, the payment fraud was carried out using Outlook to gain access to internal emails related to finances.
3. Spear-phishing and AiTM used to hack MS Office 365 accounts
Researchers discovered a new business email compromise (BEC) campaign that used sophisticated spear-phishing and adversary-in-the-middle (AiTM) tactics to compromise Microsoft 365 accounts for corporate executives, even those that were MFA-protected. The attackers utilized the evilginx2 proxy to steal the session cookie created by the Windows domain when a target enters their credentials and answers the MFA question.
In addition to these multiple incidents, security experts recently discovered a major security flaw that allows threat actors to access the authentication tokens and accounts with MFA enabled in the desktop version of Microsoft Teams.
The security analysts also observed that the “Cookies” folder contained account information, session data, marketing tags, valid login tokens, and more. One of the major concerns for security teams is that the information-stealer malware or the payload that is most frequently sent in advanced phishing campaigns, can take full advantage of such flaws.
Key tactics
After observing these large-scale phishing campaigns for over a year, many researchers took a deeper dive to understand the anatomy of these types of attacks, commonly used techniques, and post-breach activities. Here is a brief outline of the key tactics used by the attackers:
- Initial Attack Vector
To initiate contact with potential victims, attackers send HTML file attachments through emails to multiple recipients. Just a click on the attachment redirects the users to the site where they are asked to sign-in with their credentials. However, the attacker intercepts the shared credentials in the background and gets authenticated to the mailbox on the user’s behalf.
- Follow-up BEC
Once authenticated, the attacker gets free reign to perform follow-on activities like payment fraud. For this, the attacker starts accessing finance-related emails and file attachments in search of opportunities to commit fraud. Once the relevant email thread is found, the attacker proceeds to engage in conversations related to payments and invoices between two entities.
- Payment Fraud
To communicate with the targets and remain unnoticed from the original user of the compromised account, the attacker sets a rule for inbox to hide any replies from the fraud targets. After sending each response to new targets for few days, the attacker updates the inbox rule and deletes their replies from ‘Archives’ as well as from ‘Sent’ folders. After multiple such instances, the attacker gets successful in committing payment fraud manually. According to researchers, in few other cases, attackers may also use Outlook Web Access (OWA) on a Chrome browser to commit payment fraud.
Defending against AiTM phishing attacks
Threat actors have always tended to improve their attack techniques in response to the advanced security measures and policies that are used to defend organizations from potential threats. Over the year, AiTM and credential phishing techniques have been used in multiple attacks worldwide and the attackers are expected to come up with more evolved and sophisticated attacks in future as well.
Although the attempts made by attackers were successful in bypassing MFA in many instances, it still remains an essential security component to protect user identity. The MFA can be complimented with the following recommendations and best practices to prevent such attacks:
- Enable conditional access policies that are enforced every time an attacker attempts to use a stolen session cookie.
- Invest in advanced anti-phishing solutions to monitor incoming emails.
- Regularly monitor the network and systems for any suspicious activities such as unusual sign-in attempts or unknown inbox rules.
- Secure computing methods and avoid opening unknown attachments or installing software from unverified or suspicious
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
References:
- https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/