A new large-scale phishing effort has been reported that use adversary-in-the-middle (AitM) tactics to circumvent security safeguards and attack business email accounts.
Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report, "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services."
Fintech, lending, insurance, energy, manufacturing, and federal credit union verticals are major objectives in the United States, United Kingdom, New Zealand, and Australia.
This is not the first time a phishing attack has been identified. Microsoft revealed this month that over 10,000 businesses had been targeted by AitM tactics to compromise accounts protected by multi-factor authentication since September 2021 (MFA).
The ongoing campaign, which began in June 2022, starts with an invoice-themed email addressed to targets that include an HTML file with a phishing URL placed within it.
Opening the attachment in a web browser takes the email recipient to a phishing website posing as a Microsoft Office login page, but not before fingerprinting the infected system to assess whether the victim is the targeted target.
AitM phishing attacks go beyond standard phishing tactics aimed to steal credentials from unsuspecting users, primarily when MFA is implemented - a security barrier that prohibits the attacker from login into the account using just the stolen credentials.
To get around this, the rogue landing page created using a phishing kit acts as a proxy, capturing and relaying all traffic between the client (i.e., victim) and the email server.
"The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works," the researchers stated.
This also includes replacing any links to Microsoft domains with identical connections to the phishing domain to guarantee that the back-and-forth with the phoney website continues throughout the session.
According to Zscaler, the attacker manually logged into the account eight minutes after the credential theft, reading emails and verifying the user's personal information.
Furthermore, compromised email inboxes are often used to send further phishing emails as part of the same campaign to conduct business email compromise (BEC) frauds. The researchers noted, "Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions."