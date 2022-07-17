Microsoft has uncovered a large-scale phishing campaign using adversary-in-the-middle (AiTM) phishing sites, a type of phishing that has been largely unknown until now. Thanks to this strategy, the Redmond company saw that these attackers were stealing passwords, hijacking login information of a user and skipping the authentication process even if the user had enabled multi-factor authentication (MFA).

After this first step, the attackers used the stolen credentials and session cookies to access the mailboxes of the affected users and run Business Email Compromise (BEC) campaigns against other targets. What is known so far is that the AiTM phishing campaign has targeted more than 10,000 organizations since September 2021.

Microsoft notes that although multi-factor authentication was introduced as a remedy for credential theft, adding a layer of security beyond the password, “attackers are also finding new ways to circumvent this security measure.”

How an AiTM phishing attack is carried out

In AiTM phishing, attackers deploy a proxy server between the target user and the website the user wants to visit (i.e., the site the attacker is impersonating). This setup lets the attacker intercept and steal both the user's password and the session cookie that proves the user's current, authenticated session with the website.

Microsoft clarifies that “because AiTM phishing steals the session cookie, the attacker authenticates into a session on behalf of the user regardless of the login method you use”. The following image shows an example of a fake landing page where a user enters their credentials and the phishing operators capture them:

Microsoft says that to protect themselves further against similar attacks, organizations should consider complementing MFA with conditional access policies, in which login requests are evaluated using additional identity-based signals, such as user or group membership, IP location information, and device status, among others.

AiTM phishing is not new, as Microsoft points out, but it is very little known. Modern web services establish a session with a user after authentication so that the user does not have to authenticate again on every new page they visit. This session functionality is implemented through a session cookie that the web service issues after the initial authentication.

A session cookie stores information about the session a user is currently in. As Ionos explains, if you place several products in the cart of an online store, for example, they are kept until the session is closed. Other information is also stored for the duration of the session, such as login details or pre-filled online forms. The session cookie is the proof to the web server that the user has been authenticated and has an ongoing session on the website. In AiTM phishing, the attacker tries to obtain the target user's session cookie in order to bypass the entire authentication process and then act on the user's behalf.

To do this, the attacker deploys a proxy web server, and the phishing portal displayed to the user is visually identical to the original website. The attacker does not even need to build their own phishing site, as is done in conventional phishing campaigns. The URL is the only visible difference between the phishing site and the real one.
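The defensive angle of the two passages above, the replayed session cookie and the conditional-access signals (IP and device) that Microsoft recommends, as an added example that is not from the article or from Microsoft: it walks a constructed sign-in/activity log and flags any session whose later activity arrives from a different IP or device than the one that completed MFA. The `Event` fields, the `dev-*` device ids and the sample addresses are assumptions made for the example.

```python
"""Flag probable session-cookie replay in a sign-in/activity log (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: int                  # seconds since epoch (constructed values)
    user: str
    session_id: str          # opaque id of the session; the cookie value itself is never logged
    ip: str
    device_id: Optional[str]  # registered-device id presented by the client, or None
    kind: str                # "auth" = MFA sign-in completed, "activity" = later request


# Constructed sample log, not real data. Alice completes MFA from her managed
# laptop; the same session id is later used from another IP with no registered
# device, which is the footprint a stolen cookie leaves. Bob's session is clean.
SAMPLE_LOG = [
    Event(1000, "alice@example.test", "sess-A1", "203.0.113.10", "dev-alice-laptop", "auth"),
    Event(1030, "alice@example.test", "sess-A1", "203.0.113.10", "dev-alice-laptop", "activity"),
    Event(1500, "alice@example.test", "sess-A1", "198.51.100.77", None, "activity"),
    Event(2000, "bob@example.test", "sess-B9", "192.0.2.5", "dev-bob-phone", "auth"),
    Event(2100, "bob@example.test", "sess-B9", "192.0.2.5", "dev-bob-phone", "activity"),
]


def find_session_anomalies(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (user, session_id, reason) for activity whose IP or device differs
    from what was observed when that session passed authentication."""
    origin = {}  # session_id -> (ip, device_id) recorded at MFA completion
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "auth":
            origin[ev.session_id] = (ev.ip, ev.device_id)
            continue
        if ev.session_id not in origin:
            findings.append((ev.user, ev.session_id, "activity without observed authentication"))
            continue
        auth_ip, auth_dev = origin[ev.session_id]
        reasons = []
        if ev.ip != auth_ip:
            reasons.append(f"ip changed {auth_ip}->{ev.ip}")
        if ev.device_id != auth_dev:
            reasons.append(f"device changed {auth_dev}->{ev.device_id}")
        if reasons:
            findings.append((ev.user, ev.session_id, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, sid, reason in find_session_anomalies(SAMPLE_LOG):
        print(f"{user} {sid}: {reason}")
```

An IP change on its own is a weak signal (mobile networks and VPNs rotate addresses), so in practice the device signal, or a conditional access policy that requires a compliant device, is the part that carries weight.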