Microsoft noticed a large phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and bypass the authentication process even when the victim had enabled MFA. In AiTM phishing, threat actors set up a proxy server between a target user and the website the user wishes to visit, which is the phishing site under the control of the attackers. The proxy server allows attackers to access the traffic and capture the target's credentials and the session cookie. Once they had used the stolen credentials and session cookies to access users' mailboxes, the threat actors launched business email compromise (BEC) campaigns against other targets. Microsoft experts believe that the AiTM phishing campaign has been used to target more than 10,000 organizations since September 2021.




The landing pages used in this campaign were designed to target the Office 365 authentication process by posing as the Office online authentication page. Microsoft researchers noticed that the operators behind this campaign used the Evilginx2 phishing kit as their AiTM infrastructure. In some of the attacks observed by the experts, threat actors used phishing emails with an HTML file attachment. In order to trick victims into opening the attachment, the message informed the recipients that they had a voice message.


“This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable,” reads the analysis published by Microsoft. “By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.”




Once the attackers have captured the session cookie, they inject it into their own browser to skip the authentication process, even if the recipient enabled MFA for their account. Microsoft recommends that organizations adopt “phish-resistant” MFA implementations by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication. Microsoft also recommends enabling conditional access policies, which are evaluated every time an attacker attempts to use a stolen session cookie, and monitoring for suspicious or anomalous activities, such as sign-in attempts with suspicious characteristics and unusual mailbox activities.
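One concrete form of the monitoring recommended above is to watch for a session cookie that was issued to one client and then reused from a different network and browser, which is what a replayed AiTM-stolen cookie looks like in sign-in telemetry. The following is an added example, not code from Microsoft or from the report; the log format, field names and IP addresses are constructed for illustration.

```python
import json

# Constructed sample sign-in events (not real telemetry). Each event records the
# session identifier issued at authentication time and the client that presented it.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    {"ts": "2022-07-12T09:05:00Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    # The same session cookie presented minutes later from another network and browser.
    {"ts": "2022-07-12T09:20:00Z", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102"},
    {"ts": "2022-07-12T10:00:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
    {"ts": "2022-07-12T10:30:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
]


def find_session_reuse(events):
    """Return one alert per event in which a known session id is presented from a
    client (source IP + user agent) other than the one seen when the session was
    first established. The first sighting is the interactive sign-in that satisfied
    MFA; a later sighting from a different client means the cookie was replayed."""
    binding = {}   # session id -> (ip, ua) observed at first sighting
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fingerprint = (ev["ip"], ev["ua"])
        sid = ev["session"]
        if sid not in binding:
            binding[sid] = fingerprint
            continue
        if binding[sid] != fingerprint:
            alerts.append({
                "ts": ev["ts"], "user": ev["user"], "session": sid,
                "ip": ev["ip"], "ua": ev["ua"],
                "bound_ip": binding[sid][0], "bound_ua": binding[sid][1],
                "reason": "session cookie presented from a different client",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In a real deployment the binding would come from the identity provider's sign-in logs and the check would tolerate benign changes such as a mobile client moving between networks, which is why Microsoft pairs this kind of monitoring with conditional access rather than relying on it alone.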

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks,” concludes the report. “While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place.”


-Prameet