Threat actors targeting corporate executives have developed a new large-scale email phishing campaign using spear-phishing in tandem with Adversary-in-The-Middle (AiTM) tactics to compromise Microsoft 365 accounts. By gaining access to the accounts of top-level employees, such as CEOs and CFOs, attackers can surveil and control email communications - typically to divert transactions to their bank accounts.
Both M365 and Google Workspace users are targeted groups for this phishing campaign. Earlier in July, Microsoft described how Attackers use AiTM phishing sites to steal passwords and user sign-in sessions, as well as bypass multifactor authentication (MFA) without the need to create separate phishing sites. ThreatLabz researchers found that corporate users of Microsoft and Google’s email services are the main targets of the AiTM campaign; and uncovered many tactics and threats involving Microsoft executive email users.
Phishing emails that include a password reset link embedded in the text are the main distribution mechanism of AiTM. Attackers typically send these emails to senior members and chief executives of an organization. The emails are designed to impersonate Google and prompt users to click on the expiration link as shown below:
Once the link has been clicked, users are redirected to a page that is visually identical to the original authentication page; however, the page is a phishing site impersonating a company’s MFA login screen.
AiTM phishing campaign is a critical example of how security threats are continuously evolving alongside security and policy measures put in place by organizations to defend themselves. Although AiTM attempts to intercept MFA, it’s important to understand that MFA is still a highly effective security measure for stopping most threat actors. Organizations can enhance their MFA to resist phishing tactics by implementing solutions supporting FIDO and certificate-based authentication. Microsoft Defender can also be used to complement MFA by enabling conditional access policies, monitoring and scanning incoming emails, and hunting for sign-in attempts and unusual mailbox activities.
To stay up-to-date with AiTM, and similar security threats, subscribe to the TTT blog below or contact us for assistance.
Subscribe to the Trusted Tech Team Blog
Get the latest posts delivered right to your inbox