What is AiTM Phishing

Back to Basics

Adversary in the Middle (AiTM) attacks are advanced phishing attacks in which both user credentials and session cookies are compromised. The result of these next-generation attacks is that MFA or 2FA can be bypassed. Multi-factor Authentication (MFA) and Two-factor Authentication (2FA) require an additional authentication source other than a password. Often the second authentication factor is a text message or an authentication app on the user's cellphone. An AiTM attack circumvents MFA/2FA by capturing the authenticated session cookie and later returning to the compromised account by replaying that cookie. This method has recently become a popular attack vector against Microsoft 365's email services.

“Note that this is not a vulnerability in MFA,” says Microsoft. “Since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.”

The phishing campaign begins in a typical way with an email asking users to log into a fake website that looks like a Microsoft 365 login page. The difference is that these sites are proxies: they pass the login on to Microsoft and relay the response back to the user. The use of a proxy is the first differentiation between a typical phishing attack and an AiTM attack. Usually, a phishing attacker is trying to steal only the login credentials. Here, the proxy site steals the credentials and the session cookie, compromising the MFA-protected session. The criminal can then log into the user's email repeatedly with the session cookie without ever being prompted for MFA.

Once hackers gain access to a business email account, they use it to ask clients for money or to launch other attacks. Criminals have remained in email accounts for weeks and launched multiple attacks from the same cookie session. To avoid raising suspicion, attackers create inbox rules that archive reply emails and automatically mark them as read.
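The two behaviours described above, a stolen session cookie reused from a different network and client, and a new inbox rule that hides replies, are both detectable in sign-in and mailbox audit data. The following is an added example, not code from this post or from Quanexus; the event records are constructed and their field names are this example's own, not a real Microsoft 365 audit schema.

```python
from datetime import datetime

# Constructed sample events; field names are this example's own, not a real
# Microsoft 365 audit schema.
EVENTS = [
    {"type": "signin", "user": "alice", "session": "s1", "ip": "203.0.113.10",
     "ua": "Edge/Windows", "time": "2024-01-10T09:00:00"},
    # The same session cookie reused minutes later from a new network and client:
    {"type": "signin", "user": "alice", "session": "s1", "ip": "198.51.100.7",
     "ua": "Chrome/Linux", "time": "2024-01-10T09:04:00"},
    {"type": "signin", "user": "bob", "session": "s2", "ip": "203.0.113.20",
     "ua": "Edge/Windows", "time": "2024-01-10T09:10:00"},
    {"type": "inbox_rule", "user": "alice", "time": "2024-01-10T09:06:00",
     "actions": ["MarkAsRead", "MoveToFolder:Archive"]},
    {"type": "inbox_rule", "user": "bob", "time": "2024-01-10T09:12:00",
     "actions": ["MoveToFolder:Invoices"]},
]

def session_replay_alerts(events, max_minutes=60):
    """Flag a session cookie used from a different IP *and* user agent than the
    one it was issued to, within max_minutes of the original sign-in. An AiTM
    proxy hands the captured cookie to the attacker's own browser, so the same
    session shows up from a new network and a new client fingerprint."""
    first_seen, alerts = {}, []
    signins = (e for e in events if e["type"] == "signin")
    for e in sorted(signins, key=lambda e: e["time"]):
        key = (e["user"], e["session"])
        if key not in first_seen:
            first_seen[key] = e
            continue
        orig = first_seen[key]
        elapsed = datetime.fromisoformat(e["time"]) - datetime.fromisoformat(orig["time"])
        if (e["ip"] != orig["ip"] and e["ua"] != orig["ua"]
                and elapsed.total_seconds() <= max_minutes * 60):
            alerts.append((e["user"], e["session"], orig["ip"], e["ip"]))
    return alerts

def hiding_rule_alerts(events):
    """Flag new inbox rules that both mark mail as read and move it out of the
    inbox, the pattern the post describes attackers using to hide replies."""
    alerts = []
    for e in (x for x in events if x["type"] == "inbox_rule"):
        acts = e["actions"]
        moves = any(a.startswith("MoveToFolder") for a in acts)
        if "MarkAsRead" in acts and moves:
            alerts.append((e["user"], acts))
    return alerts
```

Both checks produce false positives on their own (a user on a VPN, a legitimate filing rule), so in practice they are best correlated: a session reuse alert followed within minutes by a hiding rule from the same mailbox is the sequence worth paging on.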

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle or obligation.

If you would like more information, contact us here or call 937.885.7272.


Posted by Charles Wright