A new large-scale phishing campaign using adversary-in-the-middle (AitM) techniques to bypass security protections and compromise company email accounts has been observed.
“It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication,” Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a report on Tuesday. “The campaign is specifically designed to reach business end users who use Microsoft email services.”
Featured targets include fintech, lending, insurance, energy, manufacturing, and federal credit unions located in the US, UK, New Zealand, and Australia.
This is not the first time such a phishing attack has come to light. Last month, Microsoft revealed that as of September 2021, more than 10,000 organizations had been attacked using AitM techniques to breach accounts protected with multi-factor authentication (MFA).
The ongoing campaign, starting in June 2022, begins with an invoice-themed email sent to targets that contains an HTML attachment, which includes an embedded phishing URL.
Opening the attachment in a web browser redirects the recipient to a phishing page that masquerades as a Microsoft Office login page, but only after the machine has been fingerprinted to determine whether the visitor is really the intended target.
AitM phishing attacks go beyond traditional phishing, which is designed to harvest credentials from unwitting users, particularly in scenarios where MFA is enabled: a security barrier that prevents the attacker from logging into the account with stolen credentials alone.
To circumvent this, the rogue landing page, built with a phishing kit, works as a proxy that captures and relays all communication between the client (i.e., the victim) and the email server.
“The kits intercept HTML content received from Microsoft servers, and before relaying it to the victim, the kit manipulates the content in various ways as necessary to ensure that the phishing process works,” the researchers said.
This also involves replacing all links to Microsoft domains with equivalent links to the phishing domain, so that every round trip stays with the phishing website throughout the session.
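To make the relay concrete, the following is an added, constructed simulation written for this article; it is not code from the Zscaler report or from any real phishing kit. It models a stand-in identity provider, a proxy that relays the password and one-time code while rewriting every reference to the legitimate host into the phishing host, and an attacker who replays the captured session cookie. The host names, paths, cookie name, password and one-time code are all assumptions made for the demo.

```python
"""Toy simulation of an adversary-in-the-middle (AitM) phishing proxy.

Constructed example: a stand-in identity provider, a proxy that relays the
login and MFA exchange while rewriting links, and an attacker who replays the
captured session cookie. Domain names, paths, cookie name and secrets are
made up for the demo and are not taken from the report.
"""
import re
import secrets
from dataclasses import dataclass, field

LEGIT_HOST = "login.example-idp.test"    # stands in for the real IdP (assumed)
PHISH_HOST = "login.example-phish.test"  # attacker-controlled proxy host (assumed)
VALID_PASSWORD = "correct-horse"         # constructed victim password
VALID_OTP = "123456"                     # constructed MFA code


@dataclass
class Response:
    status: int
    body: str = ""
    set_cookie: dict = field(default_factory=dict)


class IdP:
    """Minimal identity provider: password, then OTP, then a session cookie."""

    def __init__(self):
        self.sessions = set()   # cookies that grant access without re-auth
        self.pending = set()    # users who passed the password step

    def handle(self, path, form=None, cookies=None):
        form, cookies = form or {}, cookies or {}
        if path == "/login":
            if form.get("password") != VALID_PASSWORD:
                return Response(401, "bad password")
            user = form.get("user", "")
            self.pending.add(user)
            # The MFA form points at the legitimate host; the proxy must rewrite it.
            return Response(200, f'<form action="https://{LEGIT_HOST}/mfa">'
                                 f'<input name="user" value="{user}">'
                                 '<input name="otp"></form>')
        if path == "/mfa":
            if form.get("user") not in self.pending or form.get("otp") != VALID_OTP:
                return Response(401, "bad otp")
            token = secrets.token_hex(16)
            self.sessions.add(token)
            return Response(302, f'<a href="https://{LEGIT_HOST}/mail">continue</a>',
                            {"session": token})
        if path == "/mail":
            if cookies.get("session") in self.sessions:
                return Response(200, "inbox")
            return Response(401, "login required")
        return Response(404)


class AitMProxy:
    """Relays each victim request to the IdP, rewrites links so the victim stays
    on the phishing host, and keeps a copy of submitted forms and cookies."""

    def __init__(self, upstream: IdP):
        self.upstream = upstream
        self.captured = {"forms": [], "cookies": {}}

    def handle(self, path, form=None):
        if form:
            self.captured["forms"].append(dict(form))   # credentials and OTP
        resp = self.upstream.handle(path, form)         # relay unchanged upstream
        # Rewrite every reference to the legitimate host (form actions, links)
        # so the victim's next request comes back through the proxy.
        body = re.sub(re.escape(LEGIT_HOST), PHISH_HOST, resp.body)
        self.captured["cookies"].update(resp.set_cookie)  # post-MFA session cookie
        return Response(resp.status, body, resp.set_cookie)


def run_attack():
    """Victim logs in through the proxy with password + OTP; attacker replays cookie."""
    idp = IdP()
    proxy = AitMProxy(idp)
    # The victim believes they are on LEGIT_HOST but every request hits PHISH_HOST.
    page = proxy.handle("/login", {"user": "alice", "password": VALID_PASSWORD})
    assert PHISH_HOST in page.body and LEGIT_HOST not in page.body
    proxy.handle("/mfa", {"user": "alice", "otp": VALID_OTP})
    # The attacker reuses the relayed session cookie directly against the IdP:
    # no password prompt, no MFA prompt.
    token = proxy.captured["cookies"]["session"]
    mailbox = idp.handle("/mail", cookies={"session": token})
    return proxy.captured, mailbox.status


if __name__ == "__main__":
    captured, status = run_attack()
    print("captured:", captured, "attacker mailbox access:", status)
```

The point of the simulation is that the one-time code is never "cracked": it is forwarded to the real server unchanged, the real server accepts it, and what the proxy walks away with is the session cookie issued after MFA succeeded. The single `re.sub` on the relayed body is the equivalent of the link-replacement step described above; without it, the victim's second request would go straight to the legitimate host and the proxy would lose the session.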
Zscaler said it observed the attacker manually logging into the account eight minutes after the credential theft, then reading emails and verifying user profile information.
Additionally, in some cases, hacked email inboxes are later used to send additional phishing emails as part of the same business email compromise (BEC) scam campaign.
“Although security features like multi-factor authentication (MFA) add an extra layer of security, they should not be considered a silver bullet to protect against phishing attacks,” the researchers noted.
“Using advanced phishing kits (AiTM) and intelligent evasion techniques, threat actors can bypass both traditional and advanced security solutions.”