How AITM-Based Phishing Campaigns Target Microsoft and Google Workspace Users

AITM phishing campaigns are on the rise, targeting Microsoft and Google Workspace users. Discover how attackers capture credentials and bypass multi-factor authentication by using sophisticated techniques aimed specifically at business executives and senior employees.

In recent years, Attacker-in-the-Middle (AITM, also written adversary-in-the-middle) phishing campaigns have become a powerful tool for threat actors targeting business users of platforms such as Microsoft 365 and Google Workspace. These campaigns are built to capture credentials and to defeat one-time-code and push-based multi-factor authentication (MFA), posing a serious risk to business executives and senior employees, especially those at multinational organizations.

What Is an AITM Phishing Attack?

An AITM phishing attack uses a reverse proxy that sits between the victim and the legitimate website. The phishing site the victim sees is the proxy itself: it fetches the real login pages from the legitimate site, serves them to the victim under the attacker's domain, and records everything that passes through, including the password, the MFA code and the session cookie issued once MFA succeeds. With that cookie the attacker can use the account as if they were the legitimate user.

Because the proxy relays the genuine login flow, the victim also sees the genuine MFA prompt and completes it normally. When the user enters their credentials and code on the phishing page, they are actually submitting them to the attacker-controlled proxy, which forwards them to the legitimate website in real time and captures the response, so the login works for the victim and the attacker at the same time.

  1. Credential Capture: Attackers obtain the password and can reuse it wherever it is not protected by MFA.
  2. MFA Bypass: The attacker captures the session cookie that the legitimate site issues after MFA has been completed. Replaying that cookie gives them an already-authenticated session, so no MFA challenge is presented to them.

Recent Campaigns Targeting Microsoft and Google Workspace Users

A large-scale AITM campaign, uncovered by Zscaler researchers, has targeted business users of Microsoft 365 and Google Workspace, with a specific focus on senior executives and key employees. The campaign is notable for its intricate social engineering techniques and multi-step redirection paths designed to confuse traditional detection systems and convince victims to interact with the phishing site.

The attackers crafted emails that looked like legitimate notifications from Google or Microsoft, often citing issues like password expiration or account security alerts. For example, users received an email, supposedly from Google, reminding them that their password was about to expire, urging them to follow a link to update their credentials.

How the AITM Attack Works

The AITM attack chain involves several components working together to trap unsuspecting users:

  1. Phishing Email: The initial email appears to come from a legitimate source, often urging the user to take immediate action on their account. Links within the email lead to the phishing site.
  2. Multiple Redirects: The link in the phishing email passes through several routing points before reaching the phishing site. This hides the final destination from the user and from security filters that inspect only the first URL.
  3. Target Verification Step: Once the visitor reaches the phishing site, the attackers check whether they are a real target or an automated scanner or sandbox, and serve harmless content to the latter. This step delays detection by automated tools.
  4. Credential Capture via Proxy Server: When the user enters their credentials, they are submitted to the proxy server, which immediately forwards them to the legitimate website and relays the reply, including the MFA prompt. The user remains unaware that their details are being intercepted.
  5. Session Cookie Capture: After the victim completes MFA on the relayed page, the legitimate site issues a session cookie, which the proxy captures. Replaying that cookie gives the attacker the authenticated session without any MFA prompt.

By capturing both the password and the session cookie in real time, the attacker gains persistent access to the user's account. A password change on its own does not necessarily end that access: the stolen cookie (or a refresh token obtained with it) stays valid until the provider revokes it, so incident response must revoke the user's active sessions and tokens rather than only resetting the password.
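The following is an added, in-process model of the attack chain above, not code from this post or from the campaign it describes. No network or real identity provider is involved, and every hostname, user and secret is constructed. It shows three things a practitioner should be able to reproduce: why relaying the login and stealing the post-MFA session cookie sidesteps one-time-code MFA, why a password change alone does not end that session, and why an assertion bound to the browser's origin (a simplified stand-in for FIDO2/WebAuthn) does not relay through a proxy. The origin binding uses HMAC instead of the asymmetric key pair real WebAuthn uses, purely to keep the example dependency-free.

```python
"""Toy AITM proxy model: victim, phishing proxy and identity provider in one process."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.corp-idp.test"           # assumed legitimate sign-in origin
PHISH_ORIGIN = "https://login.corp-idp-security.test"  # assumed attacker-controlled origin


class IdentityProvider:
    """Legitimate site: password + one-time code, then a bearer session cookie."""

    def __init__(self):
        # Constructed user record; the OTP is fixed so the scenario is deterministic.
        self.users = {"ceo@corp.test": {"password": "Winter2024!", "otp": "482913"}}
        self.sessions = {}  # cookie -> user; the cookie alone proves identity afterwards

    def login(self, user, password, otp):
        rec = self.users.get(user)
        if rec is None or rec["password"] != password or rec["otp"] != otp:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def mailbox_owner(self, cookie):
        """Whoever presents a valid cookie is treated as the user; MFA is not re-checked."""
        return self.sessions.get(cookie)

    def change_password(self, user, new_password):
        """Changes the secret but, as many providers do by default, leaves live sessions alone."""
        self.users[user]["password"] = new_password

    def revoke_sessions(self, user):
        """What incident response actually has to do: invalidate every session for the user."""
        self.sessions = {c: u for c, u in self.sessions.items() if u != user}


class AitmProxy:
    """Phishing site that forwards each field to the real IdP and keeps a copy of everything."""

    def __init__(self, idp):
        self.idp = idp
        self.loot = []

    def login(self, user, password, otp):
        cookie = self.idp.login(user, password, otp)  # relayed in real time
        if cookie is not None:
            self.loot.append({"user": user, "password": password, "cookie": cookie})
        return cookie  # the victim receives a working session and suspects nothing


def otp_mfa_scenario():
    """Returns (attacker access after a password change, attacker access after revocation)."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    proxy.login("ceo@corp.test", "Winter2024!", "482913")  # victim types into the phishing page
    stolen = proxy.loot[0]["cookie"]
    idp.change_password("ceo@corp.test", "Spring2025!")
    after_change = idp.mailbox_owner(stolen)   # still "ceo@corp.test": the cookie does not depend on the password
    idp.revoke_sessions("ceo@corp.test")
    after_revoke = idp.mailbox_owner(stolen)   # None: only revocation ends the attacker's access
    return after_change, after_revoke


class OriginBoundAuthenticator:
    """Stand-in for a FIDO2 security key: the assertion covers the origin the browser is on.
    Real WebAuthn uses a per-site asymmetric key pair; a shared HMAC key is used here only
    to avoid external dependencies."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def assert_login(self, challenge, browser_origin):
        return hmac.new(self.key, challenge + browser_origin.encode(), hashlib.sha256).digest()

    def verify_at_idp(self, challenge, signature):
        # The legitimate IdP only accepts assertions bound to its own origin.
        expected = self.assert_login(challenge, LEGIT_ORIGIN)
        return hmac.compare_digest(expected, signature)


def origin_bound_scenario():
    """Returns (direct login accepted, proxied login accepted)."""
    key = OriginBoundAuthenticator()
    challenge = secrets.token_bytes(32)  # issued by the IdP; the proxy can relay it unchanged
    direct = key.verify_at_idp(challenge, key.assert_login(challenge, LEGIT_ORIGIN))
    # Through the proxy the browser is on the phishing origin, so that is what the key signs.
    proxied = key.verify_at_idp(challenge, key.assert_login(challenge, PHISH_ORIGIN))
    return direct, proxied


if __name__ == "__main__":
    print("OTP MFA, attacker access after password change / after revocation:", otp_mfa_scenario())
    print("Origin-bound MFA, direct login accepted / proxied login accepted:", origin_bound_scenario())
```

Run it directly to see both scenarios; the first returns the victim's identity for the stolen cookie until sessions are revoked, the second shows the proxied assertion being rejected because the signed origin is the phishing domain rather than the legitimate one.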

Why Executives and Senior Employees Are Primary Targets

Executives and senior employees have access to some of the most sensitive information within an organization. The attackers in these AITM campaigns have specifically crafted their phishing lures to target this group. Here's why:

  • Access to Sensitive Data: Executives often have privileged access to company-wide information, making them valuable targets.
  • Limited Time and High Trust: Executives may be more susceptible to well-crafted social engineering due to their busy schedules and the implicit trust placed in internal communications.
  • Impact on Decision-Making: An attacker who gains access to an executive’s email can influence or intercept critical business decisions, posing a risk to the entire organization.

Protecting Against AITM Phishing Campaigns

Since AITM phishing attacks can defeat one-time-code and push-based MFA, MFA alone is not sufficient and additional controls are needed. The following strategies help reduce the risk:

1. Use Security Awareness Training

Security awareness training is essential for educating users, especially executives, about the latest phishing tactics. A comprehensive training program should include simulated phishing attacks, such as those provided by a Phishing Simulator, which can help employees recognize sophisticated threats and respond appropriately.

2. Implement Advanced Threat Detection Tools

Advanced tools like email threat simulators and incident responders are critical in detecting malicious links and phishing attempts that evade traditional filters. Organizations can leverage the Keepnet Human Risk Management Platform to deploy these tools and monitor user behavior, reducing the risk of successful attacks.

3. Strengthen Email Security Filters

Using advanced email security filters can help identify and block phishing emails before they reach users. For example, email incident response tools can help quickly respond to threats and identify compromised accounts before attackers gain full access.

4. Monitor for Suspicious Activity

Regular monitoring of sign-in logs can reveal a compromised account before the attacker does much damage. The indicators that matter most for AITM are an MFA-satisfied sign-in from an IP address or provider the user has never used (the identity provider sees the proxy's address, not the victim's), a session or token that is reused from a second IP address or country shortly after it was issued, and new devices or mail-forwarding rules appearing right after such a sign-in. Real-time alerts on these patterns should trigger revocation of the user's sessions and refresh tokens, not only a password reset. Where possible, move executives and other high-value users to phishing-resistant MFA such as FIDO2 security keys or passkeys: their assertions are bound to the legitimate origin, so a proxy cannot replay them.
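The detection logic below is an added example, not part of the original post and not a Keepnet product feature. It runs over a few constructed sign-in events in a simplified schema (the field names are assumptions, not the real Microsoft Entra ID or Google Workspace log format) and a constructed per-user IP baseline, and flags the two indicators described above: an interactive sign-in from an IP the user has never used, and the same session being used from a different IP within an hour of creation.

```python
"""Flag AITM-style indicators in sign-in events: unknown sign-in IP and early session reuse."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in an assumed schema; IPs are from documentation ranges.
SAMPLE_LOG = """\
{"ts":"2024-11-18T08:02:11Z","user":"cfo@corp.test","event":"signin","ip":"198.51.100.77","country":"NL","mfa":"otp","session":"s-7f1a"}
{"ts":"2024-11-18T08:07:45Z","user":"cfo@corp.test","event":"token_use","ip":"192.0.2.9","country":"US","mfa":null,"session":"s-7f1a"}
{"ts":"2024-11-18T09:15:02Z","user":"dev@corp.test","event":"signin","ip":"203.0.113.22","country":"GB","mfa":"otp","session":"s-22c9"}
{"ts":"2024-11-18T12:40:30Z","user":"dev@corp.test","event":"token_use","ip":"203.0.113.22","country":"GB","mfa":null,"session":"s-22c9"}
"""

# Constructed baseline: IP addresses each user was seen from over the previous 30 days.
BASELINE = {"cfo@corp.test": {"203.0.113.10"}, "dev@corp.test": {"203.0.113.22"}}


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_aitm_indicators(events, baseline, window=timedelta(hours=1)):
    """Return alert dicts for unknown-IP sign-ins and sessions reused from a second IP."""
    alerts = []
    by_session = defaultdict(list)
    for event in events:
        by_session[(event["user"], event["session"])].append(event)
        # Indicator 1: an interactive sign-in from an address outside the user's baseline.
        # With AITM the identity provider records the proxy's IP, not the victim's.
        if event["event"] == "signin" and event["ip"] not in baseline.get(event["user"], set()):
            alerts.append({"rule": "signin_from_unknown_ip", "user": event["user"],
                           "ip": event["ip"], "session": event["session"]})
    for (user, session), evs in by_session.items():
        first = evs[0]
        for later in evs[1:]:
            # Indicator 2: the same session used from a different IP soon after it was issued,
            # consistent with a stolen cookie being replayed from attacker infrastructure.
            if later["ip"] != first["ip"] and later["ts"] - first["ts"] <= window:
                alerts.append({"rule": "session_reused_from_new_ip", "user": user, "session": session,
                               "from_ip": first["ip"], "to_ip": later["ip"],
                               "countries": (first["country"], later["country"])})
                break
    return alerts


def run_sample():
    """Convenience wrapper: alerts for the constructed log and baseline."""
    return detect_aitm_indicators(parse_events(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the CFO's sign-in from an unfamiliar Dutch address and the reuse of that session from a US address five minutes later both raise alerts, while the developer's routine sign-in from a known address raises none. In production the baseline would come from the identity provider's sign-in history and the session identifier from its own log fields, and either alert should lead straight to session and token revocation for the affected user.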

5. Encourage Use of Browser Isolation

Browser isolation tools open links from email in a remote, disposable browser session and can block input or downloads on unknown or newly registered domains. This limits AITM attacks by keeping the user from submitting credentials to a site that has not been vetted; it does not, by itself, stop a user who is allowed to type into the isolated page, so it should be combined with the controls above rather than relied on alone.

In an era of rapidly evolving phishing techniques, AITM phishing attacks represent a sophisticated and dangerous form of credential and session theft. As these campaigns continue to target business users on Microsoft 365 and Google Workspace, awareness and vigilance are essential. By combining security awareness training, threat detection tooling, sign-in monitoring with prompt session revocation and phishing-resistant MFA for high-value accounts, organizations can substantially reduce the risk of falling victim to these attacks.

Editor's Note: This blog was updated on November 18, 2024.
