
AiTM Phishing Attack Targeting Enterprise Users of Microsoft & Gmail Email Services

The phishing attacks are believed to have started in mid-July 2022, following a plan similar to a social engineering campaign. Threat actors place a proxy server between the target user and the legitimate website the user is logging into, with the phishing site acting as the relay. Google Workspace users are also among the targets of the threat actors behind this large-scale campaign.


This AiTM-based phishing campaign targets business users of Microsoft email services, and Google Workspace users are also among the targets of the threat actors behind the large-scale campaign. AiTM (adversary-in-the-middle) phishing attacks are attacks in which threat actors place a proxy server between the target user and the legitimate website. The proxy sits between the target website and a domain controlled by the attackers. Because all traffic flows through the attackers' proxy, they can capture the victim's password and session cookies and use them to gain access to the victim's data.

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said: “In this campaign, special attention was paid to executives and other senior employees of multinational companies who use Google Workspace as their primary means of communication.” The AiTM phishing attacks are believed to have started in mid-July 2022, following a plan similar to a social engineering campaign designed to harvest Microsoft users’ credentials and bypass multi-factor authentication. The attack begins with an email containing a malicious link sent to the user. Opening the link triggers a chain of open redirects that eventually sends the user to an attacker-controlled Gmail phishing page. However, before the server presents the real phishing page to the client, there is an additional check to make sure that the client is a real user viewing the web page rather than an automated analysis system. The attack chain consists of several interconnected components. As for the attack vector, the campaign used emails with embedded links to distribute the malicious code.

These emails were specifically crafted for the organization's executives and senior employees, as well as other targeted contacts. The lure appeared to be an email from Google reminding the recipient that their password had expired and asking them to follow the link to extend the account.
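The defensive angle on the proxy described above is that a session cookie captured by an AiTM relay is replayed from attacker infrastructure, not from the client that completed the MFA sign-in. The following added example (not code from Keepnet or Zscaler) runs that check over constructed sign-in and activity log lines; the log format, field names and values are all assumptions for illustration.

```python
# Added example (not from the Keepnet post): flag AiTM-style session cookie replay.
# An AiTM proxy captures the session cookie minted after a successful MFA sign-in and
# replays it from attacker infrastructure. The sign-in and the later activity then
# share a session id but arrive from a different client IP and user agent.
import json
from datetime import datetime

# Constructed sample events (hypothetical format: one JSON object per line).
SAMPLE_LOG = """
{"ts": "2022-07-18T09:00:00Z", "event": "sign_in", "user": "cfo@example.com", "session": "s-1001", "ip": "203.0.113.10", "ua": "Chrome/103 Windows", "mfa": true}
{"ts": "2022-07-18T09:02:30Z", "event": "mailbox_read", "user": "cfo@example.com", "session": "s-1001", "ip": "198.51.100.77", "ua": "curl/7.84", "mfa": false}
{"ts": "2022-07-18T10:00:00Z", "event": "sign_in", "user": "dev@example.com", "session": "s-1002", "ip": "203.0.113.20", "ua": "Firefox/102 macOS", "mfa": true}
{"ts": "2022-07-18T10:05:00Z", "event": "mailbox_read", "user": "dev@example.com", "session": "s-1002", "ip": "203.0.113.20", "ua": "Firefox/102 macOS", "mfa": false}
"""

def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_session_replay(events, window_minutes=60):
    """Return (session, user, ip) tuples for sessions that are reused from a
    different client IP and user agent than the one that completed the MFA
    sign-in, within window_minutes of that sign-in."""
    origin = {}   # session id -> the sign-in event that minted it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if ev["event"] == "sign_in":
            origin[ev["session"]] = ev
            continue
        start = origin.get(ev["session"])
        if start is None:
            continue   # no sign-in seen for this session in the sample
        t0 = datetime.fromisoformat(start["ts"].replace("Z", "+00:00"))
        t1 = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        within = (t1 - t0).total_seconds() <= window_minutes * 60
        # Both IP and UA changed shortly after sign-in: cookie likely replayed via a proxy
        if within and ev["ip"] != start["ip"] and ev["ua"] != start["ua"]:
            alerts.append((ev["session"], ev["user"], ev["ip"]))
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(parse_events(SAMPLE_LOG)):
        print("possible AiTM session replay:", alert)
```

In production the IP comparison would typically be relaxed to ASN or geolocation to avoid noise from mobile clients, while the user-agent mismatch remains a strong signal.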
