A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users.
"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.
The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and even circumvent multi-factor authentication.
The low-volume Gmail AiTM phishing campaign also includes the use of compromised emails from CEOs to conduct additional social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take victims to the final landing page.
Attack chains entail sending password expiry emails to potential targets that encompass an embedded malicious link to supposedly "extend your access," tapping which takes the recipient to Google Ads and Snapchat redirect pages that load the phishing page URL.
Aside from open redirect abuse, a second variant of the attacks uses infected sites to host a Base64-encoded version of the next-stage redirector in the URL, as well as the victim's email address. This intermediate redirector is a piece of JavaScript code that directs you to a Gmail phishing page.
In one case, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was revised to take the user to a Gmail AiTM phishing page, connecting the two campaigns.
"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.
Overall, the findings suggest that multi-factor authentication safeguards alone are insufficient to defend against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and avoid opening attachments or clicking on links in emails sent from untrusted or unknown sources.