
What is AiTM Phishing and How is It Used in BEC?

Microsoft's Threat Intelligence Center (MSTIC) has uncovered a large-scale phishing campaign that used the adversary-in-the-middle (AiTM) technique as the first step of business email compromise (BEC).

In this campaign the attackers placed AiTM phishing sites between targets and the real sign-in page. The sites capture the user's password and, more importantly, the session cookie that the real service issues once sign-in completes, which lets the attacker hijack the authenticated session.

The most worrying aspect is that the attack works even when the user has multifactor authentication (MFA) enabled. The attacker does not break or skip MFA: the victim completes the MFA challenge on the real service through the proxy, and the attacker steals the session cookie issued afterwards, which already represents a fully authenticated session.

Stealing the password and other private information is only the first phase of the attack. With the stolen credentials and session cookie the attackers take control of the victim's mailbox and conduct BEC, one of the worst scenarios an organization can face. They then extend the attack by sending follow-up emails from the compromised mailbox to other users; because the messages come from a legitimate account, they rarely raise suspicion.

The AiTM phishing page is the pivot of the whole scheme. The phishing email leads the user, through a link or an attachment, to the AiTM page, and that is where the credentials and the session cookie are captured. From that point the attacker holds a session on which MFA has already been satisfied and can proceed to the BEC stage.

According to Microsoft, the campaign has attempted to target more than 10,000 organizations since September 2021.

How Does AiTM Phishing Work?

The security community is familiar with man-in-the-middle attacks; AiTM, adversary-in-the-middle, applies the same idea to a phishing site. The adversary sets up a site that impersonates the website the target wants to visit, but instead of a static copy of the login page it is a proxy: every request from the user is forwarded to the real website and every response is relayed back, so the user sees the genuine login pages and the genuine MFA prompt. Because all traffic passes through the proxy, the attacker reads the credentials in the forwarded request and the session cookie in the returned response. The session cookie is as valuable as the password, because presenting it lets the attacker continue the session on the target's behalf without any MFA prompt.

It is important to note that this attack does not rely on a vulnerability in the MFA system. Whatever sign-in method the user used, the session cookie issued afterwards is a bearer token: whoever holds it can continue the authenticated session.
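The flow described above, as an added simulation that is not code from the original post or from any real phishing kit: a stand-in identity provider that requires a password plus a real RFC 6238 TOTP code and then issues a bearer session cookie, a proxy that forwards the sign-in unchanged while recording what passes through, and an attacker who replays the captured cookie. All names, the user account and the TOTP seed are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, so the simulated MFA is a real second factor."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


class IdentityProvider:
    """Stand-in for the real sign-in service (hypothetical, not a real product)."""

    def __init__(self):
        self.users = {}     # username -> (password, TOTP secret)
        self.sessions = {}  # cookie value -> username

    def register(self, user, password, totp_secret):
        self.users[user] = (password, totp_secret)

    def login(self, user, password, otp, now):
        """Password + TOTP. On success a bearer session cookie is issued."""
        stored_pw, secret = self.users.get(user, (None, None))
        if stored_pw is None or stored_pw != password or otp != totp(secret, now):
            return {"status": 401}
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return {"status": 200, "set_cookie": f"session={cookie}"}

    def mailbox(self, cookie_header):
        """Resource endpoint: it checks the cookie, not who is presenting it."""
        user = self.sessions.get(cookie_header.partition("=")[2])
        return {"status": 200, "user": user} if user else {"status": 401}


class AiTMProxy:
    """Phishing site that relays every request to the real service and records
    what passes through. The victim sees the genuine pages and MFA prompt and
    gets a successful sign-in; the operator keeps password, OTP and cookie."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = {}

    def login(self, user, password, otp, now):
        self.captured.update(user=user, password=password, otp=otp)
        resp = self.upstream.login(user, password, otp, now)  # forwarded unchanged
        if "set_cookie" in resp:
            self.captured["cookie"] = resp["set_cookie"]     # lifted from the response
        return resp                                           # relayed to the victim


def run_scenario(now=1_700_000_000):
    """Victim signs in through the proxy with password + TOTP; attacker replays."""
    idp = IdentityProvider()
    secret = b"constructed-totp-seed-for-alice"  # constructed sample data
    idp.register("alice@example.com", "Winter2022!", secret)
    proxy = AiTMProxy(idp)

    # Victim types password and a fresh OTP into the phishing page; MFA completes
    # against the real service, so from the victim's side everything looked normal.
    victim = proxy.login("alice@example.com", "Winter2022!", totp(secret, now), now)

    # Attacker presents the captured cookie straight to the real service: no
    # password, no MFA prompt, because the cookie already is an authenticated session.
    attacker = idp.mailbox(proxy.captured["cookie"])

    # The captured OTP is nearly worthless on its own: two minutes later the real
    # service expects a different code. The session cookie is the prize.
    stale = idp.login("alice@example.com", "Winter2022!", proxy.captured["otp"], now + 120)

    return {
        "victim_signed_in": victim["status"] == 200,
        "attacker_has_mailbox": attacker.get("user") == "alice@example.com",
        "stale_otp_accepted": stale["status"] == 200,
        "captured": proxy.captured,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes is that nothing in `IdentityProvider.login` is bypassed: the password and TOTP are verified exactly once, for the real user, and the cookie handed out afterwards carries no information about who presents it. Defences therefore have to act either before the secret reaches the proxy (a credential bound to the real origin) or at the point where the cookie is presented (binding the session to device and location signals).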

HTML File Attachment Posing as a 'Voice Message'

In the attacks Microsoft discovered, the phishing site proxied the Office online authentication page in order to target the Office 365 sign-in process, and Microsoft's analysis of the campaign found the Evilginx2 phishing kit in use as the AiTM infrastructure. The phishing emails carried an HTML file attachment and told the recipient they had a voice message waiting; opening the attachment took the victim's browser to the AiTM page.


How To Protect Against AiTM Attacks


Organizations are advised to complement MFA with conditional access policies that evaluate every sign-in request against additional identity-driven signals, including:

  • User or group membership,
  • IP location information,
  • Device status (registered, managed, compliant), etc.

Where possible, also move users to phishing-resistant MFA such as FIDO2 security keys or certificate-based authentication. These credentials are bound to the origin the browser is actually talking to, so a proxy on a look-alike domain cannot obtain an assertion that the real service will accept.
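An added, hypothetical model of how such a policy can be evaluated when a cookie is presented, not the implementation of any real conditional access product: the session remembers the country and device it was issued to, a policy states which countries are allowed and which groups must be on a compliant device, and each request carrying the cookie is checked against both. Users, groups, device identifiers and countries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the identity provider remembers about a cookie it issued."""
    user: str
    groups: frozenset
    issued_country: str
    issued_device_id: str


@dataclass(frozen=True)
class Request:
    """Signals available on a later request that presents that cookie."""
    country: str
    device_id: str
    device_compliant: bool


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset
    compliant_device_groups: frozenset  # groups that must sign in from a compliant device


def evaluate(session: Session, request: Request, policy: Policy):
    """Return ("allow" | "reauth" | "block", reasons).

    Hard policy violations block outright. A cookie that is valid but arrives from
    a different device or location than it was issued to is the fingerprint of
    AiTM cookie replay, so instead of honouring it the user is sent back through
    authentication and a fresh session is issued.
    """
    reasons = []
    if request.country not in policy.allowed_countries:
        reasons.append(f"sign-in from {request.country} is not allowed")
    if session.groups & policy.compliant_device_groups and not request.device_compliant:
        reasons.append("privileged user must be on a compliant device")
    if reasons:
        return "block", reasons

    if request.device_id != session.issued_device_id:
        reasons.append("cookie presented from a device other than the issuing device")
    if request.country != session.issued_country:
        reasons.append("cookie presented from a different country than at issuance")
    return ("reauth", reasons) if reasons else ("allow", [])


# Constructed scenario: alice signed in from a managed laptop in the Netherlands.
POLICY = Policy(allowed_countries=frozenset({"NL", "DE", "BE"}),
                compliant_device_groups=frozenset({"finance-approvers"}))
ALICE = Session(user="alice@example.com", groups=frozenset({"finance-approvers"}),
                issued_country="NL", issued_device_id="LAPTOP-A1")
LEGIT = Request(country="NL", device_id="LAPTOP-A1", device_compliant=True)
# The AiTM operator replays the cookie from an unmanaged machine abroad ...
REPLAY_ABROAD = Request(country="US", device_id="unknown", device_compliant=False)
# ... or from a hosted box inside an allowed country to dodge the geo rule.
REPLAY_LOCAL_VPS = Request(country="DE", device_id="vps-7f3a", device_compliant=False)
# A non-privileged user's cookie replayed the same way is not blocked by policy,
# but the session binding still forces re-authentication.
BOB = Session(user="bob@example.com", groups=frozenset({"staff"}),
              issued_country="NL", issued_device_id="LAPTOP-B2")
REPLAY_BOB = Request(country="DE", device_id="vps-7f3a", device_compliant=False)


if __name__ == "__main__":
    for label, s, r in [("legit", ALICE, LEGIT), ("abroad", ALICE, REPLAY_ABROAD),
                        ("local vps", ALICE, REPLAY_LOCAL_VPS), ("bob", BOB, REPLAY_BOB)]:
        print(label, evaluate(s, r, POLICY))
```

One caveat on the device signal: it only helps if it comes from something the proxy cannot relay, such as a credential bound to a registered device's key. A header or cookie that the browser simply sends would pass through the AiTM proxy like everything else, and the operator's machine would present it just as the victim's browser did.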

The latest AiTM-enabled BEC campaign has once more confirmed that phishing remains one of the most common techniques attackers use.


Reports of phishing attacks doubled in 2020, and phishing is the most common type of malicious email observed in Microsoft’s threat signals.


Security awareness training remains one of the most effective measures for closing your systems' doors to attackers. As the recent campaign showed, even MFA can fail to protect against threat actors attempting to intrude into your network.
