
AiTM Phishing Bypass MFA to Enable BEC Attack: Protect Your Organization

Learn about the rising threat of Adversary-in-the-Middle (AiTM) phishing attacks, which bypass MFA to compromise business email systems. Find out how to protect your organization from this and other evolving phishing threats with best practices and proactive security awareness.

What is AiTM Phishing and How is It Used in BEC?

Adversary-in-the-Middle Phishing and MFA Bypass: The Latest Threat to Business Email Security

In an alarming discovery by the Microsoft Threat Intelligence Center (MSTIC), a new phishing campaign utilizing the Adversary-in-the-Middle (AiTM) technique has been identified, threatening business email security. This attack leverages phishing sites to hijack users' sign-in sessions and enables attackers to steal passwords and bypass multifactor authentication (MFA). With stolen credentials and session cookies, attackers gain access to user mailboxes, launching business email compromise (BEC) attacks that appear legitimate.

The scale of this attack is substantial, affecting over 10,000 organizations since 2021, underscoring that phishing remains a prevalent and evolving threat that requires updated strategies and defenses. Here's an in-depth look at AiTM phishing, its mechanisms, and how your organization can protect itself.

Understanding AiTM Phishing Attacks

Many in the cybersecurity world are familiar with “man-in-the-middle” (MitM) attacks. Adversary-in-the-Middle (AiTM) phishing applies the same idea to the sign-in flow, with the specific goal of capturing email credentials. By impersonating a website the target user intends to visit, attackers insert a proxy server between the user and the legitimate site. Because the proxy relays the real sign-in, MFA prompt included, the attacker captures both the credentials and the session cookie issued once that sign-in completes, and can then continue the session without being asked for MFA again.

How AiTM Works to Bypass MFA

This attack doesn't exploit a flaw within MFA itself. Instead, it leverages stolen session cookies from the authenticated session to bypass MFA requirements. Here’s a step-by-step breakdown:

  1. Phishing Email: The target receives a phishing email with a link to a malicious AiTM page.
  2. Redirect to AiTM Page: Once the target clicks, they’re redirected to a phishing page, which appears legitimate but serves as a middle point for the attacker.
  3. Stealing Session Cookies: Upon entering credentials, the session cookie is captured by the attacker.
  4. Bypassing MFA: Using the session cookie, the attacker can access the target's account without going through MFA.

This approach allows the attacker to gain authenticated access to an organization’s email system and initiate a business email compromise (BEC), a common attack tactic that deceives users with convincing, legitimate-looking messages.
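What the four steps above look like from the defender's side is worth spelling out: the identity provider saw MFA succeed exactly once, from the victim's browser, and then kept honouring the same session token when it arrived from a different address and browser with no new MFA event in between. The Python below is an added example, not code from the original post or from Microsoft's report; it runs that check over a few constructed sign-in and mailbox-audit events. The field names (`session_id`, `event`, `user_agent`), the addresses and the event types are all assumptions chosen for illustration, not the schema of any real identity provider.

```python
"""Detect an authenticated session being reused from a client that never completed MFA.

Added illustration: the events and field names below are constructed, not
taken from any real sign-in log format.
"""

# Constructed sign-in and activity events, already sorted by time. A real
# source would be an IdP sign-in log joined with mailbox-access audit events.
SAMPLE_EVENTS = [
    {"ts": "2024-11-08T08:00:00Z", "user": "alice", "session_id": "s-1",
     "ip": "203.0.113.10", "user_agent": "Chrome/130 Windows", "event": "mfa_success"},
    {"ts": "2024-11-08T08:01:00Z", "user": "alice", "session_id": "s-1",
     "ip": "203.0.113.10", "user_agent": "Chrome/130 Windows", "event": "mailbox_read"},
    # The same session token is now presented from another address and browser,
    # with no new mfa_success event: the footprint a stolen cookie leaves behind.
    {"ts": "2024-11-08T08:05:00Z", "user": "alice", "session_id": "s-1",
     "ip": "198.51.100.7", "user_agent": "Firefox/131 Linux", "event": "mailbox_read"},
    {"ts": "2024-11-08T08:06:00Z", "user": "alice", "session_id": "s-1",
     "ip": "198.51.100.7", "user_agent": "Firefox/131 Linux", "event": "inbox_rule_created"},
    # A normal user whose whole session stays on one client.
    {"ts": "2024-11-08T09:00:00Z", "user": "bob", "session_id": "s-2",
     "ip": "203.0.113.20", "user_agent": "Edge/130 Windows", "event": "mfa_success"},
    {"ts": "2024-11-08T09:10:00Z", "user": "bob", "session_id": "s-2",
     "ip": "203.0.113.20", "user_agent": "Edge/130 Windows", "event": "mailbox_read"},
]


def find_session_replays(events):
    """Return one alert per activity event whose client differs from the MFA client.

    The server accepted every event here: a session cookie is a bearer credential,
    and MFA was only checked once, at the mfa_success event that issued it.
    """
    origin = {}   # session_id -> (ip, user_agent) of the client that completed MFA
    alerts = []
    for ev in events:
        sid = ev["session_id"]
        if ev["event"] == "mfa_success":
            origin[sid] = (ev["ip"], ev["user_agent"])
            continue
        if sid not in origin:
            continue  # MFA for this session happened outside our window; out of scope
        client = (ev["ip"], ev["user_agent"])
        if client != origin[sid]:
            alerts.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "session_id": sid,
                "mfa_client": origin[sid],
                "replay_client": client,
                "event": ev["event"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']}: session {a['session_id']} completed MFA from "
              f"{a['mfa_client']} but '{a['event']}' came from {a['replay_client']}")
```

The second alert is the one to escalate first: a new inbox rule created from the replayed session is a classic first move in a BEC, used to hide the attacker's correspondence from the mailbox owner. In production the client comparison would tolerate legitimate roaming (IP change within the same ASN, same user agent) rather than a strict tuple match; the strict version is kept here to make the mechanism visible.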

AiTM Attack Strategies: HTML File Attachment With a ‘Voice Message’

Microsoft’s research highlighted that attackers often use HTML attachments disguised as “voice messages” to lure users into clicking. Using the Evilginx2 phishing toolkit as part of the AiTM setup, the attackers targeted Office 365 authentication pages. By capturing session cookies, attackers bypassed MFA, demonstrating that even advanced authentication protocols need layered protection against well-planned phishing attacks.
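The lure described in this section, an HTML file attached to a "voice message" notification, is something a mail gateway can check for before the user ever sees it. The Python below is an added example, not code from the original post or from Microsoft's report: it parses a message with the standard library's `email` package and flags the combination of an HTML attachment with voicemail wording, while leaving a genuine PBX notification carrying an audio file alone. Both messages are constructed for the example, and the scoring rule is one assumed shape such a gateway check could take, not any vendor's actual rule.

```python
"""Flag messages carrying an HTML attachment with a voice-message lure.

Added example: the two messages below are constructed, and the rule is an
assumed shape for a mail-gateway check, not any product's real logic.
"""
import re
from email import policy
from email.parser import BytesParser

HTML_TYPES = {"text/html", "application/xhtml+xml"}
LURE_WORDS = re.compile(r"\b(voice\s?mail|voice message|missed call|audio message)\b", re.I)


def analyse_message(raw: bytes) -> dict:
    """Return findings for one RFC 5322 message given as raw bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"html_attachments": [], "lure_in_subject": False, "lure_in_body": False}
    findings["lure_in_subject"] = bool(LURE_WORDS.search(msg.get("Subject", "")))
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no content of their own
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        is_attachment = part.get_content_disposition() == "attachment" or bool(fname)
        if is_attachment:
            # HTML delivered as a file is the lure vector the article describes
            if ctype in HTML_TYPES or fname.lower().endswith((".htm", ".html")):
                findings["html_attachments"].append(fname or "(unnamed)")
        elif ctype == "text/plain" and LURE_WORDS.search(part.get_content()):
            findings["lure_in_body"] = True
    # Require both signals: an HTML attachment on its own is common in legitimate mail
    findings["suspicious"] = bool(findings["html_attachments"]) and (
        findings["lure_in_subject"] or findings["lure_in_body"])
    return findings


# Constructed message: voicemail wording plus an HTML attachment.
LURE_EML = b"""\
From: "Voice Service" <no-reply@example.net>
To: alice@example.com
Subject: New voice message (00:42)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have a new voicemail. Open the attached file to listen.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="VoiceMessage_0042.html"

<html><body>placeholder</body></html>
--b1--
"""

# Constructed message: a genuine PBX notification with an audio attachment,
# which the rule should leave alone.
BENIGN_EML = b"""\
From: pbx@example.com
To: alice@example.com
Subject: New voice message (00:42)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

You have a new voicemail from extension 204.
--b2
Content-Type: audio/wav
Content-Disposition: attachment; filename="msg0042.wav"
Content-Transfer-Encoding: base64

UklGRg==
--b2--
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(name, analyse_message(raw))
```

The two-signal requirement is the design point: blocking every HTML attachment would be noisy, and blocking every voicemail notification would break legitimate PBX mail, but the pairing of the two is rare outside this lure. A gateway would typically quarantine such a message or strip the attachment and add a banner rather than silently drop it.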

The Rising Threat of Phishing in Business Email Attacks

Phishing continues to dominate the landscape of cyberattacks:

  • Reports of phishing doubled in 2020, and this trend has persisted.
  • Phishing remains the most common type of malicious email observed by Microsoft’s threat detection team.

The persistence of phishing illustrates why every organization should implement security awareness training and adopt multiple security layers to protect email systems and mitigate potential risks from evolving threats.

How to Protect Your Organization from AiTM Phishing Attacks

AiTM phishing campaigns make it clear that MFA alone isn’t enough to safeguard systems. Organizations can build resilience by incorporating conditional access policies with a focus on identity-driven signals and ensuring that employees are well-prepared to detect phishing attempts.

  1. Conditional Access Policies: MFA should be paired with additional security policies that account for:
     • User or Group Membership: Prioritize high-level access control for sensitive user groups.
     • IP Location Information: Restrict access based on known and trusted IP addresses.
     • Device Status: Allow access only from secure and recognized devices.

By employing conditional access policies, organizations can limit access based on multiple parameters, adding another layer of protection beyond MFA.
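The three signals listed above can be expressed as a small policy model, which makes it concrete why MFA on its own lets a replayed session through while the layered policy does not. The Python below is an added example, not Keepnet's or Microsoft's code and not how any real identity provider represents policy: the `Policy` and `Request` types, the signal names, the group name and the network ranges are all constructed for illustration. One simplification is also assumed: every request is evaluated against the policies, whereas a real provider evaluates them at sign-in and on token refresh; the outcome is the same, because a proxied sign-in lacks the device and network signals just as a replayed cookie does.

```python
"""Evaluate access requests against constructed conditional access policies.

Added illustration: the policy model, signal names, group names and address
ranges are assumptions, not any identity provider's real policy schema.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    user: str
    groups: set
    ip: str
    device_compliant: bool     # device is registered and meets compliance policy
    mfa_claim: bool            # session carries an MFA claim (true for a replayed cookie too)


@dataclass
class Policy:
    name: str
    applies_to_groups: set                      # empty set means everyone
    trusted_networks: list = field(default_factory=list)
    require_mfa: bool = True
    require_compliant_device: bool = False
    require_trusted_network: bool = False

    def evaluate(self, req: Request):
        """Return (allowed, reasons) for one policy; out-of-scope policies allow."""
        if self.applies_to_groups and not (self.applies_to_groups & req.groups):
            return True, []
        reasons = []
        if self.require_mfa and not req.mfa_claim:
            reasons.append("MFA required")
        if self.require_compliant_device and not req.device_compliant:
            reasons.append("device not compliant or not recognized")
        if self.require_trusted_network and not any(
                ip_address(req.ip) in ip_network(n) for n in self.trusted_networks):
            reasons.append(f"IP {req.ip} outside trusted networks")
        return (not reasons), reasons


def evaluate_all(policies, req: Request):
    """Deny if any applicable policy denies; grant controls are combined with AND."""
    allowed, reasons = True, []
    for p in policies:
        ok, why = p.evaluate(req)
        if not ok:
            allowed = False
            reasons.extend(f"{p.name}: {r}" for r in why)
    return allowed, reasons


# Weak configuration: MFA is the only control, for everyone.
MFA_ONLY = [Policy("mfa-everyone", set())]

# Layered configuration: MFA for everyone, plus device and network checks for a
# sensitive group. Group name and network range are constructed.
LAYERED = [
    Policy("mfa-everyone", set()),
    Policy("finance-device-and-network", {"finance"},
           trusted_networks=["203.0.113.0/24"],
           require_compliant_device=True, require_trusted_network=True),
]

# Constructed requests. REPLAYED models an attacker presenting alice's stolen
# session cookie: the MFA claim came from her real sign-in, so it is still present,
# but the device and network signals belong to the attacker's machine.
REPLAYED = Request(user="alice", groups={"finance"}, ip="198.51.100.7",
                   device_compliant=False, mfa_claim=True)
LEGIT = Request(user="alice", groups={"finance"}, ip="203.0.113.10",
                device_compliant=True, mfa_claim=True)

if __name__ == "__main__":
    for label, policies in (("MFA only", MFA_ONLY), ("layered", LAYERED)):
        print(label, "replayed cookie ->", evaluate_all(policies, REPLAYED))
        print(label, "legitimate user ->", evaluate_all(policies, LEGIT))
```

The point the output makes is the one the article states in prose: the MFA claim travels with the stolen cookie, so a policy that checks only for it cannot tell the replay from the victim. Device compliance and trusted location are properties of the client making the request, which is exactly what the attacker cannot copy along with the cookie.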

2. Security Awareness Training: Equip employees with the knowledge to recognize phishing emails, especially those involving attachments or prompts related to authentication. Educating users about tactics like AiTM phishing can be one of the most effective ways to minimize exposure.

Invest in security awareness training to empower employees to recognize and report phishing attempts. With training, users can better identify suspicious emails and learn about the tactics attackers use, including AiTM.

3. Use Phishing Simulations: Regular phishing simulations can prepare employees to respond appropriately to phishing emails. Phishing simulators help evaluate employee responses and provide practical insights for improvement.

4. Implement Human Risk Management: Incorporate a comprehensive approach to manage human vulnerabilities within your organization. The Keepnet Human Risk Management Platform offers solutions to identify risky behaviors, enhance employee training, and protect against potential insider threats.

5. Regularly Monitor and Update Security Protocols: Stay up to date with the latest security protocols and monitor for new vulnerabilities, including those targeting authentication mechanisms.

6. Use AI-Driven Email Security: Consider AI-based email filtering and analysis tools that can detect and flag suspicious email patterns. AI-based filters are adept at recognizing abnormal email behavior and can prevent phishing emails from reaching inboxes.

Closing the Door to AiTM Phishing Attacks: A Layered Approach

The latest AiTM-enabled BEC campaigns remind us that phishing remains a preferred tactic for cybercriminals, largely because it exploits human trust. As seen, even advanced security measures like MFA can be bypassed by AiTM tactics, emphasizing the need for multifaceted security strategies.

To stay ahead, organizations must blend conditional access, regular security awareness training, and phishing simulations to fortify their email systems. With these practices, your organization will be better prepared to recognize, intercept, and respond to phishing threats that seek to compromise sensitive data and infiltrate company systems.

Editor’s note: This blog was updated November 8, 2024
