Man in the middle attack: More than 10,000 organizations affected by large-scale AiTM attack 

Jul 15, 2022

Photo: TheHackerNews – Microsoft Warns of Large-Scale AiTM Phishing Attacks Against Over 10,000 Organizations


A few days ago, Microsoft published a warning to its users about a massive man-in-the-middle attack that has reached more than 10,000 organizations and that started last year.

This news sends a direct message to the defenders of every other company that relies on Microsoft services, in this case Microsoft 365 specifically. But before we continue with the attack process and the tools described by the Microsoft 365 Defender Research Team, let's first refresh the concept of adversary-in-the-middle, so that the severity of the attack and the way the attacker was able to acquire the information are easier to understand.


What is a man in the middle attack?


An adversary-in-the-middle attack (or man-in-the-middle) is the unauthorized acquisition of information by intercepting the traffic between two devices that share a connection and are exchanging data. The attacker's presence can stay hidden thanks to various tools that let him place himself right between the two devices and capture the information he is looking for; being inside the network also helps, since from there he can learn the addresses of nearby computers and their connections (within the same network, it should be noted).

Although positioning himself between the selected devices is a complex process for the attacker, the different methods to do it are only a few clicks away on the Internet, which should alert us to be prepared for the presence of these attacks and their possible increase. The purpose, once positioned, is for the attacker to obtain the information being transmitted between these devices, whether user credentials for specific programs, bank account numbers, sensitive personal information or other financial data, and to be able to impersonate one of these users.


How does a man in the middle attack work?


Now that we have an overview of the concept, we can continue with some of the recorded steps of the man-in-the-middle attack. 



The Microsoft 365 Defender Research Team, in its report, determined specific behavioral patterns of the attack: 

“The attacker sent emails with an HTML file attachment to multiple recipients in different organizations. The email message informed the target recipients that they had a voice message. When a recipient opened the attached HTML file, it was loaded in the user’s browser and displayed a page informing the user that the voice message was being downloaded.” 

In this part, the user's email address was Base64-encoded and added to the URL of the page the user was redirected to once the "audio" download finished. The phishing page used this parameter to pre-fill and store the email address of each user who accessed it (the page itself had been delivered by mail as the phishing lure). According to the report, the attackers used a kit such as the Evilginx 2 tool for this stage.

Once the users reached the phishing site, the credential theft consisted of a fake Microsoft 365 login page that captured the credentials entered, captured the session cookie issued after authentication, and then sent the user on to the legitimate Microsoft 365 service.

Once the session cookies were obtained, the attackers could bypass multi-factor authentication (MFA), since the cookie already represented an authenticated session, and gain access to user data.

"The following days after the cookie theft, the attacker accessed finance-related emails and file attachments every few hours. They also searched for ongoing email threads where payment fraud would be feasible," the team mentions in the report.
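As an added example that is not part of the Microsoft report or this post, the script below shows two defender-side checks for the pattern described above, run on constructed data: decoding a Base64 address hidden in a lure URL, and spotting a session cookie that was issued after an MFA sign-in and then replayed from a different network minutes later. The URL, the sign-in records and their field names are assumptions.

```python
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed lure URL: the fragment is the Base64-encoded target address.
LURE_URL = "https://lure.example/voicemail#YWxpY2VAZXhhbXBsZS5jb20="

def prefilled_email_from_url(url):
    """Return the address if the fragment or any query value of `url` is
    Base64 that decodes to an e-mail address (the prefill trick above)."""
    parts = urlsplit(url)
    values = [parts.fragment] + [v for vs in parse_qs(parts.query).values() for v in vs]
    for value in values:
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not text: move on
        if EMAIL_RE.match(text):
            return text
    return None

# Constructed sign-in records (not real telemetry). "mfa" marks the
# interactive sign-in that completed MFA; later rows reuse its cookie.
SIGNIN_LOG = [
    {"user": "alice@example.com", "ts": "2022-07-10T09:02:11", "ip": "203.0.113.5",  "asn": 64500, "session": "S1", "mfa": True},
    {"user": "alice@example.com", "ts": "2022-07-10T09:07:40", "ip": "198.51.100.9", "asn": 64511, "session": "S1", "mfa": False},
    {"user": "bob@example.com",   "ts": "2022-07-10T10:15:00", "ip": "203.0.113.7",  "asn": 64500, "session": "S2", "mfa": True},
    {"user": "bob@example.com",   "ts": "2022-07-10T12:30:00", "ip": "203.0.113.7",  "asn": 64500, "session": "S2", "mfa": False},
]

def find_session_replays(records, window=timedelta(hours=1)):
    """Flag sessions issued after an MFA sign-in and reused from another ASN
    within `window`, the footprint a stolen session cookie leaves behind.
    Returns (user, session, issuing_ip, replaying_ip) tuples."""
    by_session = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_session.setdefault(rec["session"], []).append(rec)
    alerts = []
    for sid, events in by_session.items():
        issued = events[0]
        if not issued["mfa"]:
            continue  # no interactive MFA sign-in to anchor on
        for later in events[1:]:
            elapsed = datetime.fromisoformat(later["ts"]) - datetime.fromisoformat(issued["ts"])
            if later["asn"] != issued["asn"] and elapsed <= window:
                alerts.append((issued["user"], sid, issued["ip"], later["ip"]))
                break
    return alerts
```

Bob's second row reuses his cookie from the same network and is not flagged; Alice's cookie reappearing from another ASN five minutes after her MFA sign-in is.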


What are the risks of a man-in-the-middle attack?


The risks of a man-in-the-middle attack are numerous and severe. For one, the attacker can steal sensitive information such as login credentials, financial information, and personal data. The perpetrator can use this information for identity theft, fraud, or even blackmail. In some cases, the attacker may even gain control of the victim’s device or network, allowing them to cause further damage.

Another risk of a MITM attack is the potential for data manipulation. The attacker can modify the information transmitted between the two parties, leading to incorrect or misleading information. This can be especially dangerous in situations such as financial transactions, where even a small change in data can have significant consequences.

Furthermore, a MITM attack can be used as a gateway for other attacks. For example, the attacker may use the intercepted information to launch a phishing attack, which can result in even further damage.

In conclusion, the risks of a man-in-the-middle attack are significant and should not be taken lightly. It is crucial to take preventative measures such as using secure networks, encrypting sensitive data, and being vigilant for suspicious activity. By doing so, you can protect yourself from the potential consequences of a MITM attack and keep your sensitive information safe.


How can I protect myself from a man-in-the-middle attack?


There are steps you can take to protect yourself from a MITM attack.

Firstly, always ensure that you are using a secure network. Avoid using public Wi-Fi networks as they are more susceptible to MITM attacks. If you need a public network, use a Virtual Private Network (VPN) to encrypt your data and protect yourself from potential attackers.

Secondly, ensure you are visiting websites with a valid SSL/TLS certificate. A website with a valid certificate encrypts your data before transmitting it to the server, making it much harder for attackers on the network path to intercept and read it. Note that this does not stop the phishing variant described above, where the attacker's own proxy site presents a valid certificate of its own, so always check that the domain is the one you expect.

Thirdly, keep your software up-to-date. Attackers often exploit vulnerabilities in outdated software to launch MITM attacks. By keeping your software up-to-date, you are closing any loopholes that attackers can use to steal your data.

Lastly, be careful of phishing scams. Attackers often use phishing scams to trick you into giving away your personal information. Always verify the source of the email or message before clicking on any links or downloading any files.

In conclusion, protecting yourself from a MITM attack requires awareness and diligence. Following these steps can significantly reduce the risk of falling victim to such attacks and keep your personal information safe and secure.


What types of data can be stolen during a man in the middle attack?

Login credentials, such as usernames and passwords, are commonly targeted during MITM attacks. This is because they can provide access to a wide range of systems and applications, including email, social media, and online banking. Once a hacker has access to these credentials, they can use them to gain unauthorized access to the victim’s accounts, steal sensitive information, or launch further attacks.

Financial information, such as bank account numbers, credit card numbers, and other payment information, is also a prime target for MITM attackers. The perpetrator can use this information to make unauthorized purchases, transfer funds, or steal the victim’s identity. In some cases, attackers may also use this information to blackmail or extort their victims.

PII, such as social security numbers, driver’s license numbers, and other personal information, is also at risk during MITM attacks. This information can be used for identity theft or malicious purposes, such as opening new credit accounts or applying for loans.

Finally, sensitive business data, such as trade secrets, intellectual property, and confidential customer information, is also a target for MITM attackers. This information can be used to gain a competitive advantage, launch further attacks, or sell to third parties on the dark web.


Awareness of Phishing Attacks

The attack reached a large number of victims because phishing emails are one of the most common cyber-attacks. Awareness of this type of technique is never too much. As we can see, companies need to keep abreast of the various forms of phishing that currently exist so they can continue to prepare their employees to prevent attacks like this from happening in the workplace. Knowing the specific attack tools is not optional either: it is essential to know which tools can be used for this type of attack (MitM and phishing toolkits) and similar ones, in order to improve the security of web services and their applications and to recognize suspicious patterns that allow a timely reaction if any of these scenarios is taking place.
