Microsoft published a blog post on attackers using AiTM (adversary-in-the-middle) phishing sites as an entry point to steal passwords and hijack users' sign-in sessions. With the stolen credentials and session cookies, the attackers then accessed the users' mailboxes and ran business email compromise (BEC) campaigns against further targets.
This campaign is interesting because it illustrates the creative approaches attackers will take to steal identities, and the domino effect that follows once they have breached a network. Business email compromise, the endgame of this attack, has historically been used to siphon hundreds of thousands of dollars from a single organization. If, as Microsoft states, there were 10,000 targets, that is a potentially huge return from compromised credentials. AiTM itself is not a new approach, but capturing the session cookie after authentication shows how attackers have had to evolve and take extra steps to sidestep MFA, which they hate. In addition to the steps outlined by Microsoft, an organization could also defeat this attack by including the location of the sign-in attempt in the MFA request sent to the legitimate user. Because the attacker's proxy server sits in a different location from the user, the mismatch would be visible at approval time, making the authentication process more secure.
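As an added illustration of the location-aware MFA idea in the last sentence (example code written for this page, not Microsoft's or any product's code), the sign-in events, the authenticator's reported location and the 100 km threshold below are all constructed:

```python
"""Location-aware MFA prompt: show the user where a sign-in request originates
and deny it automatically when that origin is far from the enrolled device.
In an AiTM attack the address presenting the credentials is the proxy, not the
user, so the distance exposes the relay. All values here are constructed."""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt


@dataclass
class SignIn:
    user: str
    source_ip: str   # address that presented the credentials (the proxy in AiTM)
    city: str        # geolocation of source_ip (hypothetical lookup result)
    lat: float
    lon: float


@dataclass
class Authenticator:
    city: str        # where the user's enrolled MFA device reports it is
    lat: float
    lon: float


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def mfa_decision(signin, device, max_km=100.0):
    """Return (verdict, push_text). The push text always names the origin so the
    user can spot a relay; 'deny' is forced when the origin is too far away."""
    km = distance_km(signin.lat, signin.lon, device.lat, device.lon)
    push = (f"Approve sign-in for {signin.user}? Request from {signin.city} "
            f"({signin.source_ip}), {km:.0f} km from your device in {device.city}.")
    return ("deny" if km > max_km else "allow"), push


# Constructed events: a genuine sign-in and one relayed through a distant proxy.
alice_phone = Authenticator("Seattle", 47.62, -122.35)
legit = SignIn("alice", "203.0.113.10", "Seattle", 47.61, -122.33)
proxied = SignIn("alice", "198.51.100.7", "Frankfurt", 50.11, 8.68)

if __name__ == "__main__":
    for event in (legit, proxied):
        verdict, text = mfa_decision(event, alice_phone)
        print(verdict, "-", text)
```

The same origin data can be logged with each MFA approval so that an approval granted to a far-away origin is visible to the SOC even when the user clicked "approve".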