
New AiTM Phishing Attack That Bypasses MFA Sets Sights On Microsoft Email Users

Researchers at cybersecurity firm Zscaler’s ThreatLabz have found a new, widespread phishing campaign that uses the “Adversary in The Middle” (AiTM) technique and targets users of Microsoft email services. The attackers combine this technique with other evasion methods to bypass multifactor authentication (MFA).

Targeting organisations in the US, UK, New Zealand, and Australia that deal with finance, insurance, accountancy, lending, and credit unions, the campaign is heavily geared towards immediate money theft. Corporate customers, especially end users in enterprise setups that use Microsoft email services, are the campaign’s primary targets.

Early in July, Microsoft published details of a similar attack that targeted more than 10,000 organisations and used the AiTM technique to bypass MFA.

The AiTM approach places an attacker between the client and the server during the authentication process, so the attacker can intercept the exchange, steal the credentials and capture the MFA-backed session that results. In short, the attacker acts as the server towards the victim and as the client towards the real service, with both genuine parties unaware of the relay.

Phishing attack using AiTM and associated BEC (Microsoft)

The attack is highly sophisticated, according to Zscaler’s researchers. They believe the campaign’s goal is to break into corporate accounts in order to conduct business email compromise (BEC) attacks and, using fake credentials, transfer money to accounts under the attackers’ control.

Using the AiTM technique

In June 2022, the researchers observed an increase in sophisticated phishing attacks directed at specific industries and at Microsoft email service customers. In each of these attacks, the victim first received a malicious link in an email.

Everything depends on how recipients respond to these phishing emails. The malicious emails either link directly to a phishing domain or carry an HTML attachment that contains the link. In either case, the user must open the link to start the attack chain.

The researchers found that the cybercriminals had registered a number of new domains that were typosquatted imitations of legitimate US Federal Community Banks. Notably, many of the phishing emails were sent from the accounts of executives at these firms, which the attackers had most likely already compromised.

The campaign employs several different redirection strategies. To host the URL redirection code, for example, the attackers use open-redirect pages served through Google Ads and online code-editing services such as CodeSandbox and Glitch.

The phishing page runs JavaScript that fingerprints the visitor’s device to decide whether the page is being loaded from a virtual machine or from a real device. This ensures the phishing content is shown only to people likely to fall for the scam, and not to security tools or researchers who typically analyse suspicious sites inside virtual machines.

The threat actors bypass MFA with the AiTM method. Using a customised proxy-based phishing kit, they place a proxy between the target’s device and the mail server, relaying the victim’s requests to the real service. Because the proxy sees the whole exchange, it collects the session cookies issued once sign-in completes, and those cookies let the attackers use the email service without signing in again or completing the MFA step themselves.
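The two paragraphs above describe why the AiTM proxy defeats MFA: the real service completes a legitimate MFA sign-in with the proxy and hands it a valid session cookie, which the attacker then replays from their own infrastructure. The following Python is an added example from this editor, not code from the article or from Zscaler, showing how a defender can surface both observable consequences in sign-in telemetry: an MFA sign-in originating from an address the user has never used (the proxy), and a session cookie subsequently used from a different address and browser than the one it was issued to (the replay). The event fields, IP addresses, baseline table and action names are all constructed for the example and do not correspond to any real product’s log schema.

```python
"""Added example: flagging AiTM-style session-cookie theft in sign-in logs.

Constructed telemetry, not real data. Each event is
    (timestamp, user, session_id, event, source_ip, user_agent)
and the 'signin_mfa_ok' event marks the moment the service issued a
session after a successful MFA challenge.
"""

# Constructed sample: alice's MFA sign-in arrives via a proxy address she has
# never used, and the resulting session is then replayed from a third address
# with a different browser; bob is a normal user for contrast.
SAMPLE_EVENTS = [
    ("2022-07-12T09:00:05Z", "alice@example.com", "sess-1", "signin_mfa_ok",
     "198.51.100.77", "Chrome/103 Windows"),
    ("2022-07-12T09:03:40Z", "alice@example.com", "sess-1", "mail_read",
     "192.0.2.200", "Firefox/102 Linux"),
    ("2022-07-12T09:05:00Z", "alice@example.com", "sess-1", "inbox_rule_created",
     "192.0.2.200", "Firefox/102 Linux"),
    ("2022-07-12T10:00:00Z", "bob@example.com", "sess-2", "signin_mfa_ok",
     "192.0.2.5", "Edge/103 Windows"),
    ("2022-07-12T10:30:00Z", "bob@example.com", "sess-2", "mail_read",
     "192.0.2.5", "Edge/103 Windows"),
]

# Constructed per-user baseline: addresses seen for each user over a prior window.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"192.0.2.5"},
}

# Constructed list of post-compromise actions typical of BEC follow-up.
SENSITIVE_ACTIONS = {"inbox_rule_created", "mail_forwarding_enabled"}


def detect_aitm_indicators(events, known_ips):
    """Return a list of finding dicts; empty means nothing suspicious."""
    findings = []
    issued = {}  # session_id -> (user, ip, user_agent) at MFA completion
    # ISO-8601 timestamps with a fixed format sort correctly as strings.
    for ts, user, sid, event, ip, ua in sorted(events, key=lambda e: e[0]):
        if event == "signin_mfa_ok":
            issued[sid] = (user, ip, ua)
            # Consequence 1: the proxy, not the user's device, talks to the
            # real service, so the MFA sign-in comes from an unfamiliar address.
            if ip not in known_ips.get(user, set()):
                findings.append({"rule": "mfa_signin_from_unknown_ip",
                                 "user": user, "session": sid,
                                 "ip": ip, "time": ts})
            continue
        origin = issued.get(sid)
        if origin is None:
            continue  # session issued outside this window; nothing to compare
        _, issue_ip, issue_ua = origin
        # Consequence 2: the stolen cookie is replayed from the attacker's own
        # machine, which differs from where the service issued it.
        if ip != issue_ip:
            findings.append({"rule": "session_reused_from_new_ip",
                             "user": user, "session": sid,
                             "issued_to": issue_ip, "ip": ip,
                             "ua_changed": ua != issue_ua,
                             "sensitive_action": event in SENSITIVE_ACTIONS,
                             "time": ts})
    return findings


def suspicious_sessions(findings):
    """Collapse findings to the set of session ids worth revoking/investigating."""
    return {f["session"] for f in findings}


if __name__ == "__main__":
    for f in detect_aitm_indicators(SAMPLE_EVENTS, KNOWN_IPS):
        print(f)
    print("sessions to revoke:", suspicious_sessions(
        detect_aitm_indicators(SAMPLE_EVENTS, KNOWN_IPS)))
```

Two caveats matter in practice. A cookie reused from a new address is a strong signal only in combination: mobile roaming, VPN egress changes and split-tunnel setups all move a legitimate session between addresses, so the replay rule should be weighted by a user-agent change and by sensitive follow-up actions, and the baseline comparison should work at the ASN or geolocation level rather than on exact addresses. Second, when a finding fires the useful response is to revoke the session (invalidating the stolen cookie) rather than only to reset the password, since the cookie, not the password, is what the AiTM kit walks away with.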

According to the researchers:

Multifactor authentication (MFA) and other security measures give an additional degree of protection, but they shouldn’t be seen as a complete defence against phishing attacks. Threat actors can get through both conventional and cutting-edge security measures with the help of sophisticated phishing kits (AiTM) and obfuscation strategies.

The complexity of phishing attacks does increase with time, but they always have the requirement for user interaction as a fundamental element. Only a small percentage of users have the required knowledge to assess emails to determine whether the sender is trustworthy.

