Microsoft has warned that a large-scale phishing campaign using "adversary-in-the-middle" or AiTM websites has hit more than 10,000 organizations since September 2021.
AiTM sounds like bad news as the phishing sites can skip authentication on sites even when the user has enabled multi-factor authentication (MFA). The attack involves hijacking a user's sign-in session, and using stolen credentials and session cookies to access victims' email for business email compromise (BEC) fraud.
AiTM phishing attacks involve deploying a proxy server between a target and the website the victim intends to visit. That site is impersonated by the attacker. MFA isn't broken per se but since the browser session cookie has been stolen, it doesn't matter how the user logged into a site – the attacker still gets authenticated thanks to the stolen cookie.
"Every modern web service implements a session with a user after successful authentication so that the user doesn't have to be authenticated at every new page they visit," Microsoft explains.
"This session functionality is implemented through a session cookie provided by an authentication service after initial authentication. The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website. In AiTM phishing, an attacker attempts to obtain a target user's session cookie so they can skip the whole authentication process and act on the latter's behalf."
In the attacks Microsoft highlights, the phishing site proxied the target's Azure Active Directory (Azure AD) sign-in page.
Once a victim enters their credentials and authenticates, they are redirected to the legitimate page. But during this process, the attacker intercepts the credentials and is also authenticated on the user's behalf.
The attacker's web server captures HTTP packets from the user when they visit the phishing site and sends that to the target server the attacker is impersonating.
As Microsoft details in a diagram, the phishing page has two different transport layer security (TLS) sessions: the first session with the targeted individual, and another session with the website the target wants to access.
"These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies. Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target's MFA is enabled," Microsoft notes.
Microsoft observed one campaign where the attackers sent emails with an HTML file attachment instructing them to open a voice message. This style of attack, a form of vishing or voice phishing, has been on the rise and used with LinkedIn and WhatsApp recorded messages.
After opening an attached HTML file, the file loads in the user's browser and displays a page informing them that the voice message is being downloaded. No MP3 file is being downloaded, but the attackers hardcoded a download progress bar in the file to make it appear one was being downloaded.