Microsoft Uncovers AiTM Phishing Campaign
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA), according to Microsoft. The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
Based on Microsoft’s threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since last September.
In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate). Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA. Since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.
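Because the stolen cookie is a valid, already-authenticated session, the sign-in itself looks legitimate; what a defender can still observe is the session being used from a client other than the one that completed MFA. The script below is an added example written for this article, not code from Microsoft's report or from KnowBe4. It binds each session ID to the IP address and user agent seen at sign-in and raises an alert when a later request on that session arrives from a different client. The JSON-lines log format and field names (`session`, `ip`, `ua`, `mfa`) are assumptions, and every log line is constructed. One caveat a practitioner should keep in mind: if the attacker replays the cookie from the same proxy host that relayed the victim's sign-in, both events share an origin and this check alone will not fire, so it complements rather than replaces checks on where the sign-in itself came from.

```python
"""Flag a web session being used from a client other than the one that signed in.

Added example for the AiTM write-up above; the log lines below are constructed,
not real telemetry, and the field names are assumptions about the log schema.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime


@dataclass
class SessionOrigin:
    """Client details recorded when a session was established."""
    user: str
    ip: str
    user_agent: str
    mfa: bool
    first_seen: datetime


# Constructed sample: alice signs in with MFA from one client, then her session
# cookie is presented from a different IP and browser two minutes later.
# bob's session is only ever used from the client that signed in.
CONSTRUCTED_LOG = """
{"ts": "2022-07-12T09:00:00Z", "event": "signin",  "user": "alice", "session": "s-1", "ip": "203.0.113.10",  "ua": "Chrome/103",  "mfa": true}
{"ts": "2022-07-12T09:05:00Z", "event": "request", "user": "alice", "session": "s-1", "ip": "203.0.113.10",  "ua": "Chrome/103",  "path": "/mail/inbox"}
{"ts": "2022-07-12T09:07:00Z", "event": "request", "user": "alice", "session": "s-1", "ip": "198.51.100.77", "ua": "Firefox/102", "path": "/mail/inbox"}
{"ts": "2022-07-12T10:00:00Z", "event": "signin",  "user": "bob",   "session": "s-2", "ip": "192.0.2.5",     "ua": "Chrome/103",  "mfa": true}
{"ts": "2022-07-12T10:30:00Z", "event": "request", "user": "bob",   "session": "s-2", "ip": "192.0.2.5",     "ua": "Chrome/103",  "path": "/mail/inbox"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse JSON-lines log text into event dicts, sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # "Z" suffix is not accepted by fromisoformat on older Pythons.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events: list[dict]) -> list[dict]:
    """Return one alert per request whose session is used from a client that
    differs (by IP or user agent) from the client that signed in."""
    origins: dict[str, SessionOrigin] = {}
    alerts: list[dict] = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "signin":
            origins[sid] = SessionOrigin(
                user=ev["user"], ip=ev["ip"], user_agent=ev["ua"],
                mfa=bool(ev.get("mfa")), first_seen=ev["ts"],
            )
            continue
        origin = origins.get(sid)
        if origin is None:
            # A cookie presented with no sign-in in the log window is itself
            # worth a look: it may have been issued elsewhere.
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "reason": "request with no recorded sign-in",
                           "mfa_at_signin": None})
            continue
        mismatches = []
        if ev["ip"] != origin.ip:
            mismatches.append(f"ip {origin.ip} -> {ev['ip']}")
        if ev["ua"] != origin.user_agent:
            mismatches.append(f"user-agent {origin.user_agent!r} -> {ev['ua']!r}")
        if mismatches:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "reason": "session used from a different client: "
                                     + "; ".join(mismatches),
                           "mfa_at_signin": origin.mfa})
    return alerts


def run_on_sample() -> list[dict]:
    """Run the detection over the constructed log."""
    return detect_session_reuse(parse_events(CONSTRUCTED_LOG))


if __name__ == "__main__":
    for alert in run_on_sample():
        print(f"{alert['ts'].isoformat()} {alert['user']} {alert['session']}: "
              f"{alert['reason']} (MFA at sign-in: {alert['mfa_at_signin']})")
```

On the sample log this yields a single alert for alice's session `s-1`, with `mfa_at_signin` set to `True`: exactly the shape of the incident described above, where MFA was genuinely completed and yet the session is in someone else's hands. In production the same comparison is usually done on network (ASN or /24) rather than exact IP to tolerate mobile clients, and the alert is more valuable when joined with what the session then did in the mailbox.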
Erich Kron is KnowBe4’s security awareness advocate.
“Attacks like this are becoming more common as organizations and individuals enable MFA on accounts in order to better secure them,” he said. “While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie, and because the session cookie shows that MFA was already used to log in, the attackers can often circumvent the need for MFA when they log in to the account again later using the stolen password.”
Once an email account has been compromised, it’s easy for attackers to find ways to use the access against the victim, Kron said. From using that account to propagate scams against friends and family who have communicated with the victim through email, to using the account to reset passwords on other accounts, a lot of malicious things can be done with the access.
“To protect against the phishing emails that trick the victims into clicking on a link, organizations should train employees how to identify and report phishing, and should test them regularly with simulated phishing attacks that allow them to practice these skills,” he said. “In addition, educating users on how to identify fake login pages will greatly reduce the risk of giving up the credentials and session cookie.”