Since September 2021, 10,000 organizations have been hit by a large-scale phishing campaign that stole victims' passwords and bypassed MFA.
To do this, the attackers used a tactic known as Adversary-in-the-Middle (AiTM).
In a previous article we discussed phishing techniques in general; this time, let's look at a specific AiTM technique.
Phishing AITM
What is AiTM?
This is a newer and even more effective phishing technique.
This method uses spoofed websites that place a proxy server between the target user and the website the user wants to visit.
The attacker can intercept and steal the victim's password, hijack the login session and its session cookie (the cookie that authenticates the user on each subsequent visit to the site) and skip the authentication process altogether. AiTM phishing does not rely on a vulnerability in multi-factor authentication: the victim completes the MFA step through the proxy, and the attacker then reuses the resulting session cookie.
Campaign
It all started with an email lure telling the recipient that they had a voice message to retrieve. The attackers then spoofed the Office online authentication page (the site relayed through the proxy was the organization's Azure Active Directory login page) in order to steal session cookies.
In this way the cybercriminal holds both the credentials and the session cookie, and can authenticate as the victim while skipping the authentication process, even if MFA is enabled. This gives them access to mailboxes, which becomes a royal road for business email compromise (BEC).
What is original about this technique is that the cybercriminals did not use a conventional phishing site.
What solutions?
This attack strategy can be countered by solutions such as:
- Anti-Phishing and antivirus solutions that detect session cookie theft.
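Detecting session cookie theft is easier to reason about with a concrete rule. The example below is added here and is not code from TEHTRIS, Proofpoint or the campaign write-up: it parses a handful of constructed sign-in and mailbox-activity events (the `key=value` log format and field names are assumptions made for this example) and raises an alert when a session that was issued after an MFA sign-in is later used from both a different IP address and a different user agent, which is the footprint an attacker leaves when replaying a cookie captured through an AiTM proxy.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events for this example (not real logs). The format
# "<timestamp> key=value ..." and the field names are assumptions.
SAMPLE_EVENTS = [
    "2022-07-12T09:01:10Z user=alice event=mfa_success session=S1 ip=203.0.113.10 ua=Chrome/103",
    "2022-07-12T09:02:05Z user=alice event=mailbox_read session=S1 ip=203.0.113.10 ua=Chrome/103",
    # Same session cookie reused 19 minutes later from another host and browser.
    "2022-07-12T09:20:44Z user=alice event=mailbox_read session=S1 ip=198.51.100.7 ua=Firefox/102",
    "2022-07-12T09:21:30Z user=alice event=inbox_rule_created session=S1 ip=198.51.100.7 ua=Firefox/102",
    "2022-07-12T10:00:00Z user=bob event=mfa_success session=S2 ip=192.0.2.55 ua=Edge/103",
    "2022-07-12T10:05:00Z user=bob event=mailbox_read session=S2 ip=192.0.2.55 ua=Edge/103",
]


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    session: str
    ip: str
    ua: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Event(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"],
        event=fields["event"],
        session=fields["session"],
        ip=fields["ip"],
        ua=fields["ua"],
    )


def detect_session_reuse(lines):
    """Flag sessions used from a client other than the one that passed MFA.

    A session is bound to the (ip, ua) pair seen at mfa_success. Later activity
    in that session from a different IP *and* a different user agent is treated
    as probable cookie replay. Requiring both to differ keeps a laptop moving
    between networks (same browser, new IP) from raising an alert.
    """
    issued = {}   # session id -> Event of the MFA sign-in that created it
    alerts = {}   # session id -> alert dict (one alert per session)
    for ev in (parse_event(line) for line in lines):
        if ev.event == "mfa_success":
            issued[ev.session] = ev
            continue
        origin = issued.get(ev.session)
        if origin is None:
            continue  # no MFA sign-in observed for this session; nothing to compare
        if ev.ip == origin.ip or ev.ua == origin.ua:
            continue  # consistent with the client the cookie was issued to
        alert = alerts.get(ev.session)
        if alert is None:
            alert = {
                "user": origin.user,
                "session": ev.session,
                "issued_to_ip": origin.ip,
                "issued_to_ua": origin.ua,
                "used_from_ip": ev.ip,
                "used_from_ua": ev.ua,
                "minutes_after_signin": int((ev.ts - origin.ts).total_seconds() // 60),
                "events": 0,
            }
            alerts[ev.session] = alert
        alert["events"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the rule fires once, for Alice's session S1, which was issued to 203.0.113.10 / Chrome and then used from 198.51.100.7 / Firefox for two actions, the second of which (creating an inbox rule) is the kind of mailbox change a BEC operator makes after taking over an account. Bob's session, used only from the client that passed MFA, produces no alert.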
TEHTRIS and its partner Proofpoint are working to make browsing safer by connecting the Email Protection (EP) and Targeted Attack Protection (TAP) solutions.
We strengthen customer protection with threat detection and response from the email all the way to the endpoint.
TEHTRIS DNSF, TEHTRIS MTD and EPP block malicious domains.
It is therefore advisable to add an extra layer of security:
- On workstations, with the Antiphishing module of EPP, which detects clicks on malicious URLs.
- On mobiles, with MTD, which analyzes network traffic and detects browsing on potentially malicious sites.
It is also possible to complement this with a DNSF placed at strategic locations in order to control the network connections of the different machines and block malicious requests.
- Finally, it is important for defense teams to be able to rely on artificial intelligence and UEBA (User and Entity Behavior Analytics).
TEHTRIS CYBERIA is a global and collective Artificial Intelligence module that aims at improving the detection of threats.
Behavioral analysis works pre-emptively, because it makes it possible to identify a potential threat as early as possible.