Adversary in the middle (AiTM) is a phishing technique in which a proxy server is deployed between the victim and the website they are attempting to access. This places the attacker ‘in the middle’ of the victim and the target website, allowing the attacker to intercept and steal the victim’s credentials and session cookies for the target site. With the stolen session cookie, an authenticated session can be established without triggering a new multi-factor authentication (MFA) request, so the reverse proxy circumvents this security control.
The threat actor tracked by Microsoft as DEV-1101 has been offering an open-source kit that enables less skilled malicious actors to perform highly sophisticated AiTM phishing attacks. The kit and its support services have been available since May 2022, and it has since gained capabilities such as CAPTCHA page evasion and mobile device compatibility. Microsoft’s Threat Intelligence Centre describes the users of these kits as having “varying motivations and targeting and might target any industry or sector”, so administrators and security professionals need to be aware of these tools and how to protect their networks against them.
The phishing kit offered by DEV-1101 consists of everything a malicious actor would need to perform an attack. It contains an application written in NodeJS with PHP reverse-proxy capabilities, an automated setup system, detection evasion through an antibot database, Telegram bots to manage the phishing activity, and pre-made phishing pages that impersonate widely used services such as Microsoft Office and Outlook. The Telegram bots allow attackers licensing the kit to manage their campaigns from mobile devices, which widened the pool of attackers able to pay for and use it. One threat actor known to have used this kit, tracked by Microsoft as DEV-0928, ran a phishing campaign with it involving over one million emails. Emails from a DEV-0928 campaign were used by Microsoft’s research team when investigating the kit.
The attack begins with a malicious email sent to the target, containing a message implying that a document in .pdf format is being shared with them and an ‘Open’ button to click. When the button is clicked, either an href redirects the user to a benign page, or CAPTCHA evasion is carried out. The href redirect is handled by the antibot functionality and lets the actor using the kit specify, in the source code, the domain the target is redirected to; by default this is example.com. If CAPTCHA evasion is triggered instead, the user is taken to a CAPTCHA page that requires interaction, so automated systems never reach the phishing page and only human users do. This began as a manual task in which DEV-1101 developers approved requests, but it has since become core functionality within the kit.
After the victim has navigated through whichever evasion path the attacker has set up, they land on the phishing page that impersonates a widely used site such as a Microsoft sign-in portal. The phishing page is hosted by the threat actors and is accessed through the reverse proxy. When the victim enters their real credentials into this fake page, the threat actor’s server captures them while also functioning as a proxy and forwarding the sign-in details to the legitimate sign-in service. When MFA is enabled on the victim’s account, the proxy between the user and the sign-in service is maintained long enough to complete the MFA sign-in, at which point the server captures the authenticated session cookie. The stolen cookies and credentials can then be used by the attackers to sign in to the victim’s account, circumventing the MFA requirement.
While AiTM phishing attacks that bypass MFA have existed since 2022, the constant improvements to this open-source phishing kit make it a present and evolving threat. Securing the storage of account credentials, enforcing complex and unique passwords, and implementing MFA remain important security standards, but these phishing attacks circumvent all of them. It is therefore important to complement these measures with additional controls such as conditional access policies, continuous access evaluation and Security Awareness Training. Such policies can flag a suspicious sign-in event and block attackers from using the stolen session cookies, because the device or IP address used in their sign-in attempt is not recognised.
Endpoint protection software can be configured to detect suspicious activity associated with AiTM phishing attacks. Ensuring the software you use can detect the theft of session cookies, and their later use to sign in to a pre-authenticated session, gives the SOC team an immediate warning that an attack has taken place so it can be remediated as soon as possible. Location, ISP, user agent, and the use of anonymiser services can all indicate an attacker’s sign-in attempt rather than a legitimate user’s. Dedicated anti-phishing solutions are also available that scan emails and visited websites to detect and block malicious emails, sites, and links across the network.
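The detection logic the two paragraphs above describe, as an added example that is not part of the original article: sign-in events are correlated by session cookie, the context (IP, ISP, user agent) recorded when MFA completed is treated as the session's origin, and any later use of the same cookie from a different context is flagged. The event records, field names and the anonymiser ISP label are constructed for illustration.

```python
"""Flag reuse of an authenticated session cookie from a context that differs
from the one in which the MFA sign-in completed (added example, not part of
the original article). All records below are constructed for illustration."""

# Constructed sample sign-in events: session id (e.g. a hash of the cookie),
# source IP, ISP label, user agent, and whether the event completed MFA.
SAMPLE_EVENTS = [
    {"user": "alice", "session": "s1", "ip": "203.0.113.10", "isp": "CorpNet",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/111", "mfa_completed": True},
    {"user": "alice", "session": "s1", "ip": "203.0.113.10", "isp": "CorpNet",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/111", "mfa_completed": False},
    # Same cookie presented from a different IP, ISP and browser: the AiTM
    # cookie-replay pattern the article describes.
    {"user": "alice", "session": "s1", "ip": "198.51.100.77", "isp": "AnonVPN",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/110", "mfa_completed": False},
    {"user": "bob", "session": "s2", "ip": "203.0.113.22", "isp": "CorpNet",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/111", "mfa_completed": True},
]

# Constructed label set; in practice feed this from ASN/ISP reputation data.
ANONYMISER_ISPS = {"AnonVPN"}


def find_session_reuse(events):
    """Return one alert per event that presents a known session cookie from a
    context differing from the MFA-completing sign-in. Each alert lists which
    indicators changed and whether the new ISP is a known anonymiser."""
    origin = {}   # session id -> context recorded when MFA completed
    alerts = []
    for ev in events:
        ctx = {"ip": ev["ip"], "isp": ev["isp"], "ua": ev["ua"]}
        if ev["mfa_completed"]:
            origin[ev["session"]] = ctx
            continue
        base = origin.get(ev["session"])
        if base is None:
            continue   # no MFA origin seen for this cookie; out of scope here
        changed = sorted(k for k in ctx if ctx[k] != base[k])
        if changed:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "changed": changed,
                           "anonymiser": ev["isp"] in ANONYMISER_ISPS})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would also compare geolocation and bind the check to a short time window so that a legitimate user roaming between networks does not trip it every time.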