Photo: TheHackerNews – Microsoft Warns of Large-Scale AiTM Phishing Attacks Against Over 10,000 Organizations

A few days ago, Microsoft published a warning to its users about a large-scale man-in-the-middle attack that has targeted more than 10,000 organizations since it began last year.

This news is a direct warning to the defenders of every other company that relies on Microsoft services, in this case Microsoft 365 specifically. But before we go on to the attack process and the tools described by the Microsoft 365 Defender Research Team, let’s first revisit the concept of adversary-in-the-middle, to better understand the severity of the attack and how the attacker was able to obtain the information.

An adversary-in-the-middle attack (or man-in-the-middle) is the unauthorized acquisition of information by intercepting the communication between two devices that share a connection and are exchanging data. The attacker’s presence can be concealed with various tools that place him directly between the two devices so that he can capture the information he is after; alternatively, once inside the network, he can gather the addresses of nearby computers and their connections (within the same network, it should be noted).

Although positioning himself between the chosen devices is a complex process for the attacker, the methods to do so can be found with a few clicks on the Internet, which should alert us to be prepared for these attacks and for their likely increase. Once positioned, the attacker’s aim is to obtain the information being transmitted between the devices: user credentials for particular applications, bank account numbers, sensitive personal information and other financial data, and ultimately to impersonate one of those users.

Now that we have an overview of the concept, we can continue with some of the recorded steps of the man-in-the-middle attack. 


The Microsoft 365 Defender Research Team, in its report, determined specific behavioral patterns of the attack: 

“The attacker sent emails with an HTML file attachment to multiple recipients in different organizations. The email message informed the target recipients that they had a voice message. When a recipient opened the attached HTML file, it was loaded in the user’s browser and displayed a page informing the user that the voice message was being downloaded.” 

At this point, the user’s email address was Base64-encoded and appended to the URL of the redirect page to which the user was sent once the supposed audio download had finished. A set of parameters in the page’s code let the website record the email information it received each time a user accessed it (the phishing technique being to deliver such a web page by email). According to the report, the attackers used the Evilginx 2 tool here.
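As a defensive illustration of the redirect described above, here is an added Python example (not code from the report or from this article) that inspects a URL for any component that Base64-decodes to an email address, the marker a mail filter or URL-scanning step could use to flag such redirector links. The sample URLs, the `redirector.invalid` host and the address `jane.doe@example.com` are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed samples: host, path and address are placeholders for this example.
VICTIM_EMAIL = "jane.doe@example.com"
SAMPLE_PHISH_URL = (
    "https://redirector.invalid/voicemail/download.html#"
    + base64.urlsafe_b64encode(VICTIM_EMAIL.encode()).decode()
)
SAMPLE_BENIGN_URL = "https://www.example.com/mail/inbox?folder=archive2021&page=2"

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _try_b64(token: str):
    """Decode a URL-safe or standard Base64 token, tolerating stripped padding.

    Returns the decoded ASCII text, or None if the token is not Base64 text.
    """
    token = token.strip()
    if len(token) < 8:  # too short to hold an e-mail address
        return None
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            raw = decoder(padded)
        except (binascii.Error, ValueError):
            continue
        try:
            return raw.decode("ascii")
        except UnicodeDecodeError:
            continue
    return None


def _candidate_tokens(url: str):
    """Yield every URL component that could carry an encoded value."""
    parsed = urlparse(url)
    tokens = [seg for seg in parsed.path.split("/") if seg]
    for values in parse_qs(parsed.query).values():
        tokens.extend(values)
    if parsed.fragment:
        frag = unquote(parsed.fragment)
        tokens.append(frag)  # the whole fragment, as in the campaign described
        tokens.extend(p for p in re.split(r"[&=]", frag) if p)  # key=value pairs
    return tokens


def find_encoded_email(url: str):
    """Return the decoded e-mail address if a URL component is Base64 text
    that looks like an address, else None."""
    for tok in _candidate_tokens(url):
        decoded = _try_b64(tok)
        if decoded and EMAIL_RE.match(decoded.strip()):
            return decoded.strip()
    return None


if __name__ == "__main__":
    for url in (SAMPLE_PHISH_URL, SAMPLE_BENIGN_URL):
        print(url, "->", find_encoded_email(url))
```

A hit is a strong phishing signal on its own, since legitimate services rarely pass a raw address through a page fragment; combined with the HTML-attachment lure, it is a sensible reason to quarantine the message rather than merely warn the user.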

Once the users’ email addresses had been captured, the process of obtaining credentials relied on a fake Microsoft 365 login page: the victim’s credentials were captured together with the resulting session cookies, and the user was then forwarded to the legitimate Microsoft 365 sign-in page.

Once the session cookies were obtained, the attackers could bypass the authentication process, including multi-factor authentication (MFA), to gain access to the user’s data.
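The cookie theft just described leaves a trace a defender can look for: an authenticated session that satisfied MFA from one client address and is later used from a different address without a fresh MFA prompt. The following added Python example (not code from the report or this article) runs that check over constructed sign-in records; the field names `ts`, `user`, `session`, `ip` and `mfa` are an assumption for the example, not the schema of any real identity provider’s log, and the IP addresses are documentation ranges.

```python
from datetime import datetime

# Constructed sample sign-in records. "mfa" is "prompted" when the user answered
# a fresh MFA challenge and "claim" when MFA was satisfied by an existing
# session (cookie/token), which is exactly what a replayed cookie looks like.
SAMPLE_SIGNINS = [
    {"ts": "2022-07-12T09:00:00", "user": "jane.doe@example.com", "session": "S-1", "ip": "198.51.100.10", "mfa": "prompted"},
    {"ts": "2022-07-12T09:05:00", "user": "jane.doe@example.com", "session": "S-1", "ip": "198.51.100.10", "mfa": "claim"},
    {"ts": "2022-07-12T09:41:00", "user": "jane.doe@example.com", "session": "S-1", "ip": "203.0.113.77", "mfa": "claim"},
    {"ts": "2022-07-12T10:00:00", "user": "bob@example.com", "session": "S-2", "ip": "198.51.100.22", "mfa": "prompted"},
    {"ts": "2022-07-12T13:30:00", "user": "bob@example.com", "session": "S-2", "ip": "198.51.100.22", "mfa": "claim"},
    {"ts": "2022-07-13T08:00:00", "user": "bob@example.com", "session": "S-3", "ip": "203.0.113.5", "mfa": "prompted"},
]


def find_replayed_sessions(records):
    """Flag sessions that were MFA-authenticated from one IP and later used
    from another IP with MFA merely carried over from the session.

    Returns one alert per suspicious session, in chronological order.
    """
    by_session = {}
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["ts"])):
        by_session.setdefault(rec["session"], []).append(rec)

    alerts = []
    for sid, events in by_session.items():
        # The address that answered the MFA prompt is the session's legitimate origin.
        origin = next((e for e in events if e["mfa"] == "prompted"), events[0])
        for ev in events:
            if ev["ip"] != origin["ip"] and ev["mfa"] == "claim":
                alerts.append({
                    "session": sid,
                    "user": ev["user"],
                    "origin_ip": origin["ip"],
                    "replay_ip": ev["ip"],
                    "ts": ev["ts"],
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_SIGNINS):
        print(alert)
```

A bare IP change will also fire for users moving between networks, so in practice the comparison is done on autonomous system or geolocation rather than the literal address, and a hit is followed by revoking the session so the stolen cookie stops working.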

“The following days after the cookie theft, the attacker accessed finance-related emails and file attachments every few hours. They also searched for ongoing email threads where payment fraud would be feasible,” the team notes in the report.

Awareness of Phishing Attacks

The attack reached a large number of victims because phishing emails are one of the most common cyber-attacks. Awareness of this kind of technique is never too much. As we can see, it is necessary to keep abreast of the various forms of phishing in use today so that companies can keep preparing their employees to prevent attacks like this from happening in the workplace. Knowing the specific attack tools is not optional either: it is essential to know which tools can be used for this type of attack (MitM and phishing toolkits) and similar ones, so as to improve the security of web services and their applications and to recognize suspicious patterns that allow a timely reaction if any of these scenarios is taking place.