A large-scale phishing campaign has emerged that uses an adversary-in-the-middle (AiTM) technique to steal credentials and circumvent multi-factor authentication (MFA) requirements. Microsoft has released a security blog post describing these phishing attacks and their impersonation of Microsoft Azure Active Directory (Azure AD) login pages. The campaign has reportedly targeted over 10,000 organisations in the last 10 months, and phishing in general remains the most common form of cyber-attack, reported last month as making up 56% of all reported cyber-crime.
As with many other phishing attacks, initial access is obtained through a malicious email with a link to an HTML file attachment. The attachment is disguised as an MP3 file, claimed to be a voicemail sent by Microsoft. Opening it appears to start a download of this ‘voicemail’, but the progress bar is drawn by the HTML code itself and no download takes place. Instead, the victim is redirected to a phishing page that impersonates the Microsoft Azure AD login. The only noticeable difference between the phishing page and the site it impersonates is the URL, and if the target signs in with an account belonging to an organisation that has enabled custom branding on its Azure AD login pages, the same branding elements are shown on the phishing site, further selling the scam.
The AiTM attack uses a malicious proxy server to host the impersonated Azure AD login page. The proxy captures the user's credentials as they attempt to log in and then redirects them to the legitimate website, using separate transport layer security (TLS) sessions to relay traffic between the phishing page and the real service. Because the phishing site proxies every stage of the login process, including the MFA prompt, a successful login leaves the proxy holding the session cookie that the legitimate site issues as proof of authentication. Such cookies exist so that a site can track a user's session after initial authentication and avoid asking them to re-authenticate on every page visited. The attacker can therefore replay the stolen cookie to skip the entire authentication process, MFA included, and gain access to the victim’s mailbox.
Once this initial access is established, the attacker can begin a payment fraud scheme targeting the contacts of the compromised user. Business email compromise (BEC) is the term for this kind of attack, in which a legitimate contact is impersonated to request a transfer of funds in a way that is hard to identify as fraudulent. Social engineering techniques are usually used alongside it to convince the targeted individuals that the requests they receive are genuine, so that the attackers are paid out. Active email threads with financial content are singled out, with the aim of diverting funds into accounts the attacker controls, for example through fake invoices.
To cover up evidence of the attack, the malicious actor creates mailbox rules that archive replies to their threads so the user does not notice them. They also delete their sent messages and the initial phishing message, including removing them from the ‘Deleted messages’ folder. Because the attacker can inject the same session cookie into their browser as many times as they like and skip authentication each time, they can check every few hours to see whether the payment fraud target has replied. In most cases the fraudulent emails are believed to be sent manually by individual attackers, usually to more than one target at a time. Each time a new organisation is targeted, the attacker simply edits the inbox rules so that all replies from that domain are archived as well, continuing to avoid detection.
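The inbox rules described above are a useful hunting signal for defenders. The following added example (not code from the original post or from Microsoft) runs a simple check over a constructed sample of mailbox-rule audit events; the field names loosely follow the parameters of the Exchange New-InboxRule and Set-InboxRule cmdlets, but the records themselves are invented for illustration.

```python
# Constructed sample audit events, modelled loosely on Exchange inbox-rule
# cmdlet parameters. These are not real records from the incident.
SAMPLE_EVENTS = [
    {"user": "cfo@example.invalid", "op": "New-InboxRule", "client_ip": "203.0.113.7",
     "params": {"Name": ".", "FromAddressContainsWords": "contoso-partner.invalid",
                "MoveToFolder": "Archive", "MarkAsRead": True}},
    {"user": "cfo@example.invalid", "op": "Set-InboxRule", "client_ip": "203.0.113.7",
     "params": {"Name": ".", "SubjectContainsWords": "invoice", "DeleteMessage": True}},
    {"user": "hr@example.invalid", "op": "New-InboxRule", "client_ip": "198.51.100.2",
     "params": {"Name": "Newsletters", "FromAddressContainsWords": "news.example.invalid",
                "MoveToFolder": "Newsletters"}},
]

# Folders that attackers commonly use to park replies out of the user's sight.
HIDING_FOLDERS = {"archive", "rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "conversation history"}
CONTENT_FILTERS = ("FromAddressContainsWords", "SubjectContainsWords", "BodyContainsWords")

def rule_risk(event):
    """Return reasons this rule looks like BEC cover-up, or [] if it looks benign."""
    p = event["params"]
    hiding_actions = []
    folder = str(p.get("MoveToFolder", "")).lower()
    if folder in HIDING_FOLDERS:
        hiding_actions.append(f"moves matching mail to {folder!r}")
    if p.get("DeleteMessage"):
        hiding_actions.append("deletes matching messages")
    if p.get("MarkAsRead"):
        hiding_actions.append("marks matching messages as read")
    # Only flag a hiding action that is combined with a sender/subject filter;
    # this mirrors the reply-archiving rules described in the post.
    if not hiding_actions or not any(k in p for k in CONTENT_FILTERS):
        return []
    name = p.get("Name", "")
    if len(name.strip(" .")) <= 1:
        hiding_actions.append("rule name is empty or a single punctuation character")
    return hiding_actions

def suspicious_inbox_rules(events):
    """Map each (user, rule name) that looks suspicious to the reasons found."""
    flagged = {}
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = rule_risk(e)
        if reasons:
            key = (e["user"], e["params"].get("Name", ""))
            flagged.setdefault(key, []).extend(reasons)
    return flagged
```

Running `suspicious_inbox_rules(SAMPLE_EVENTS)` flags only the two rules on the finance mailbox; the newsletter rule, which also filters on a sender, is left alone because it does not hide mail.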
This AiTM attack is particularly dangerous even to companies with strong security practices because it circumvents MFA, which was previously regarded as an essential layer of authentication security and can now be bypassed by malicious individuals. Establishing multiple layers of security, for example through the defence in depth model of information security planning, helps to protect your business even when one layer (MFA in this case) is compromised. Regular staff training, including effective education on how to spot phishing attacks, reduces the likelihood of these attacks succeeding within your organisation. Identification of the initial phishing message with the HTML attachment being malicious, or noticing the incorrect URL on the redirected login page
However, this AiTM phishing attack is a very specific form of attack, and MFA continues to be effective at preventing many other threats, such as brute force attacks. It is also possible to increase the security of MFA and make it more ‘phish-resistant’. Microsoft's recommendation is to establish conditional access policies in addition to MFA requirements. These add a further layer of security by including device identifiers in the authentication process, which could prevent AiTM phishing attacks from succeeding: the captured cookie could not be used to prove authentication because the attacker’s device address or IP location would differ from those authorised by the conditional access requirements.
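To show why binding a session to the device and network that completed MFA defeats cookie replay, here is an added example (not code from the original post or from Microsoft's conditional access engine) that evaluates requests presenting a session against a constructed policy; the session, device identifiers, trusted network and request records are all invented for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    device_id: str   # registered device that completed MFA
    ip: str          # address seen at sign-in

# Constructed policy: a session is honoured only from the device that
# authenticated and from the organisation's trusted network (RFC 5737 range).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def evaluate_request(session, device_id, ip):
    """Return ('allow' | 'deny', reasons) for a request presenting `session`."""
    reasons = []
    if device_id != session.device_id:
        reasons.append("device identifier differs from the one bound at MFA")
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in TRUSTED_NETWORKS):
        reasons.append(f"{ip} is outside the trusted network")
    return ("deny" if reasons else "allow", reasons)

# Constructed events: the session is bound at sign-in on a registered laptop,
# then the same cookie is presented from an unregistered device on another
# network, the pattern seen when a stolen cookie is injected into a browser.
BOUND = Session("sess-01", "cfo@example.invalid", "dev-laptop-42", "198.51.100.17")
SAMPLE_REQUESTS = [
    {"session_id": "sess-01", "device_id": "dev-laptop-42", "ip": "198.51.100.17"},
    {"session_id": "sess-01", "device_id": "dev-unknown-7", "ip": "203.0.113.9"},
]

def audit(sessions, requests):
    """Evaluate each request and return (session_id, decision, reasons) tuples."""
    results = []
    for r in requests:
        s = sessions[r["session_id"]]
        decision, why = evaluate_request(s, r["device_id"], r["ip"])
        results.append((r["session_id"], decision, why))
    return results
```

With `audit({"sess-01": BOUND}, SAMPLE_REQUESTS)` the legitimate request is allowed and the replayed one is denied on both the device and the network check, even though the cookie itself is valid.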