GET DEMO
Back
GET DEMO
KEEPNET LABS > Blog > AiTM Phishing Attack Targeting Enterprise Users of Microsoft & Gmail Email Services

AiTM Phishing Attack Targeting Enterprise Users of Microsoft & Gmail Email Services

Phishing attacks would have started in mid-July 2022 with a plan similar to a social engineering campaign. Threat actors place a proxy server between the target user’s website and the phishing website. Google Workspace users are also targets for threats behind a large-scale campaign.

AiTM Phishing Attack Targeting Enterprise Users of Microsoft & Gmail Email Services

An aitm-based phishing campaign targeting business users of Microsoft products such as email services. Even Google Workspace users are also targets for threats behind a large-scale campaign. Aitm phishing attacks refer to attacks in which threat actors place a proxy server between the target user’s website and the phishing website. Dec. A proxy server is located between the target website and the domain Decommissioned by the attackers. Attackers can access the traffic through a proxy server, which allows them to capture the password and cookies associated with the target and gain access to its data.

Zscaler researchers Sudeep Singh and Jagadiswar told Ramanukolan: “In this campaign, special attention was paid to executives and other senior employees of multinational companies who use Google Workspace as their primary means of communication.” Aitm phishing attacks would have started in mid-July 2022 with a plan similar to a social engineering campaign designed to pump Microsoft users’ credentials and even bypass multi-factor authentication. An email containing a malicious link is sent to the user who initiated the attack. Open the redirect as a result of using multiple routing steps through this link, the user’s Gmail phishing pages managed by an attacker using explicit routing are directed to the target domain. However, before the server presents a real phishing page to the client, there is an October step to make sure that the client is a real user viewing the web page instead of the system automatically performing the analysis. The attack chain consists of several components, all of which are interconnected. As for the attack vector, this campaign was using emails with embedded links, which were used to distribute malicious code.

It is specially designed to send these emails to the managers and senior employees of the organization, as well as to other target contacts. This turned out to be an email from Google reminding him that the password had expired and asking him to follow the link so that the recipient could expand the account.

Keepnet Labs’ Threat Sharing Module: How to identify attackers in reconnaissance stage

Fewer and fewer businesses can protect themselves and the sensitive data under their control as a result of the rapid pace of digitalization, increased attack surfaces, and variety of vulnerabilities and attack methodologies. To stop the attacks, several successful and effective recent cyberattacks brought up the question of sharing threat intelligence once more. The government […]

The last hunt of social engineering: Uber

“Hi @here I announce I am a hacker and Uber has suffered a data breach” was the message that appeared in a channel on Uber’s Slack. After the message, the ride-share giant confirmed that it was responding to “a cybersecurity incident” in cooperation with law enforcement. An 18-year-old hacker reportedly took responsibility for the attack […]

Black Hat Fireside Chat: Deploying ‘AI’ as a weapon to win the ‘attack surface management’ war

An advanced weapon is emerging that uses data analysis to hone systems and suppress attacks. Darktrace's artificial intelligence solutions can help companies restrict access to APIs, neutralize shady IT, protect supply chains and even improve the efficiency of DEVSECOPYRIGHTs.

Join
Our Newsletter

Sign up to learn about the latest threats, hacking methods, and news.