Thousands of Orgs Hit by Massive AiTM Phishing Campaign
Microsoft disclosed details this week
of a large-scale phishing campaign that has targeted more than 10,000 organizations since September 2021.
The report, issued by the Microsoft 365 Defender Research Team, provided a deep-dive analysis on a worldwide phishing campaign that leveraged adversary-in-the-middle (AiTM) phishing tools and techniques to target enterprises and orgs. Per the report:
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
AiTM phishing attacks work by creating a malicious proxy server between a Web site and a targeted user. Once a user visits the compromised site, attackers steal login credentials (user names and passwords) and session cookies connected to authenticated sessions. This stolen session cookie can render MFA meaningless, as the user had already confirmed their identity in an earlier session.
Microsoft tracked the activity of the AiTM campaign through Microsoft 365 and found that the unnamed group used the Evilginx2 phishing kit to target organizations with links (typically through e-mail) that send users to a malicious page that mimicked the main Office online authentication page.
In a common instance, a phishing e=mail would alert the user that they had a new voicemail. Once the malicious link was clicked, a browser window would open and show a fake status bar with a downloaded .MP3. Clicking on that would then launch the fake Office authentication page.
Once on the page, coding hooks on the back end would validate the victim's e-mail and auto-fill it into the visited page, adding legitimacy to the redirected site. After the user entered their credentials, the page would redirect to the real office.com page to add a level of legitimacy.
Microsoft said that the majority of observed actions involved financial fraud. The research team observed attempts by the attackers to access financial-related e-mails and access e-mailed attachments multiple times per day. They also took steps to hide their tracks by deleting the original phishing e-mail from the victim's inbox.
While the report said that Microsoft 365 Defender is capable of detecting these complex phishing techniques, an organization can add another level of protection to its Web site by coupling multifactor authentication with custom conditional access policies that look for identity markers, like IP location, device status and group membership.
Further, including additional security solutions for AiTM attacks is recommend. "Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited Web sites," read the report. "For example, organizations can leverage web browsers that can automatically identify and block malicious websites, including those used in this phishing campaign."
Finally, educating end users on how to spot these phishing attempts will help decrease the rate in which these phishing attempts are successful. "Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services)," said Microsoft.