Microsoft published an advisory on the growing number of AiTM attacks circulating in the cybercriminal landscape. The advisory revealed that Adversary-in-the-Middle (AiTM) phishing techniques allow cybercriminals to execute extensive phishing campaigns that target large-scale organisations.
The threat actors’ phishing kits employ AiTM capabilities in one of two ways. The first approach uses reverse proxy servers, where the phishing page acts as an intermediary between the targeted device and the legitimate website.
This technique allows the campaigns to capture the user’s login credentials, session cookies, and 2FA codes without detection. The second method adopts synchronous relay servers. Here the attackers use an impersonated sign-in page, as in conventional phishing attacks, to harvest information.
The main objective of these campaigns is to steal session cookies, which enable the attackers to gain initial access to privileged systems without completing a second authentication factor. The kit developers built these AiTM session cookie theft capabilities specifically to bypass MFA protocols.
Furthermore, unlike standard phishing campaigns, these new AiTM incidents force responders to revoke the stolen session cookies.
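As an added example (not from Microsoft's advisory or this article), the Python script below shows one way a defender could hunt sign-in logs for the cookie-replay pattern described above: a session that satisfied MFA from one source IP and is later presented from a different one. The log format, field names and sample lines are constructed assumptions, not a real product's schema.

```python
"""Flag sessions whose cookie appears to be replayed from a second source
after MFA was satisfied, the trace left by AiTM session cookie theft.
The log format and sample lines are constructed for this example."""
from datetime import datetime

# Constructed sample log: timestamp user session_id source_ip user_agent mfa
SAMPLE_LOG = """\
2024-05-02T09:00:00Z alice sess-7f3a 203.0.113.10 Edge/Windows mfa=yes
2024-05-02T09:01:30Z alice sess-7f3a 198.51.100.77 Chrome/Linux mfa=no
2024-05-02T09:05:00Z bob sess-c2e1 203.0.113.22 Edge/Windows mfa=yes
2024-05-02T09:40:00Z bob sess-c2e1 203.0.113.22 Edge/Windows mfa=no
2024-05-02T10:00:00Z carol sess-9b04 192.0.2.8 Safari/macOS mfa=yes
2024-05-02T13:15:00Z carol sess-9b04 198.51.100.77 Safari/macOS mfa=no
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, ua, mfa = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "session": sid, "ip": ip, "ua": ua,
            "mfa": mfa == "mfa=yes",
        })
    return events


def detect_session_replay(text):
    """Return one alert per session that, after an MFA-satisfied sign-in,
    is presented from a different source IP. A user-agent change is reported
    as extra evidence; IP/ASN enrichment would further cut false positives."""
    origins = {}  # session_id -> first event where MFA was satisfied
    alerts = []
    for ev in sorted(parse_log(text), key=lambda e: e["time"]):
        sid = ev["session"]
        if ev["mfa"]:
            origins.setdefault(sid, ev)  # anchor the session to its MFA origin
            continue
        origin = origins.get(sid)
        if origin is None or ev["ip"] == origin["ip"]:
            continue  # no MFA baseline to compare against, or same source
        alerts.append({
            "user": ev["user"], "session": sid,
            "mfa_ip": origin["ip"], "replay_ip": ev["ip"],
            "minutes_after_mfa": (ev["time"] - origin["time"]).total_seconds() / 60,
            "ua_changed": ev["ua"] != origin["ua"],
        })
    return alerts
```

A hit for a session is the cue to revoke that session's cookies, not just reset the password, since the stolen cookie stays valid otherwise.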
Multiple threat groups have started adopting AiTM attacks in their cybercriminal operations.
A couple of months ago, Microsoft sent notifications about multiple threat groups that use AiTM attacks against banking and financial organisations after exploiting trusted vendor relationships to deploy financial fraud.
Storm-1167’s AiTM phishing kit has become the primary weapon for numerous threat groups. A particular incident launched over 16,000 emails to target contacts and added a new SMS-based 2FA tactic to bypass security detection.
A separate threat group called Storm-1295 is responsible for creating the Greatness PhaaS platform. The platform offered synchronous relay services to other threat actors.
The service enabled hackers to target business users of MS 365’s cloud service via seemingly legitimate decoy and login pages. The Greatness PhaaS platform has allegedly been operating since at least last year.
The recent advisory from Microsoft highlights the increasing threat of AiTM phishing operations within the PhaaS landscape. These abilities acquired by multiple threat actors have allowed them to execute sophisticated phishing campaigns in a broader scope and avoid MFA security protocols.
The cybercriminal groups have continued to upgrade their capabilities for attacking and bypassing security controls. Organisations should implement more comprehensive cybersecurity capabilities to counter these threats.