Microsoft warns of phishing attack capable of bypassing multi-factor authentication (MFA)


Cyber attackers appear to have found increasingly efficient ways to commit their crimes in the cloud, wreaking havoc before being discovered.

Microsoft recently warned of a large-scale phishing campaign that uses a technique known as adversary-in-the-middle (AiTM). The campaign is estimated to have harmed more than 10 thousand organizations in a period starting from September last year.

AiTM works by hijacking a user's sign-in session, so that the attackers can then use the user's credentials and session cookies to break into their email and commit fraud.

Under the AiTM strategy, phishing websites are able to bypass the authentication of legitimate websites, even if the user has enabled multi-factor authentication (MFA).

The latter is worrying considering that until now MFA was an effective security measure used by organizations to guard against phishing attacks, as well as credential theft.

Along these lines, the administration of President Biden in the United States ordered federal agencies to adopt MFA, while others, such as the Python Software Foundation, are using MFA to keep their critical projects safe.

Once deployed, AiTM phishing attacks place a proxy server between the target and the legitimate website the target is trying to access, so that the attacker takes the place of the website in question.

During this exchange the MFA process itself is not disturbed, so the attacker can use the stolen session cookie to authenticate and connect to the site.

In the attacks described by Microsoft, the phishing website proxied the target's Azure Active Directory (Azure AD) login page. This meant that after entering the credentials and authenticating, the user was redirected to the legitimate page, a moment the attacker used to obtain the credentials and authenticate while posing as the user.

In this way, when the user enters the phishing website, the HTTP packets it generates are captured by the attacker's web server and then sent on to a target server also handled by this attacker.

Although these types of attacks can be difficult for organizations to detect, Microsoft advises setting up conditional access in Azure AD, which might help somewhat to limit the attacker's actions.

Microsoft also recommended keeping email monitored, as well as looking for phishing threats on incoming websites.
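
As an added illustration (not code from Microsoft or from the original article), the following sketch shows one monitoring check for the cookie replay described above: it flags a session that completed MFA from one client and is later presented by a different one. The log schema, field names and event names are assumptions, and the sample events are constructed.

```python
import json

# Constructed sample events, one JSON object per line. The schema (ts, user,
# session_id, ip, user_agent, event) is an assumption, not a real log format.
SAMPLE_LOG = """
{"ts":"09:00:05","user":"alice@example.com","session_id":"s-1001","ip":"198.51.100.10","user_agent":"Edge/103","event":"signin_mfa_ok"}
{"ts":"09:01:40","user":"alice@example.com","session_id":"s-1001","ip":"198.51.100.10","user_agent":"Edge/103","event":"mail_read"}
{"ts":"09:10:12","user":"bob@example.com","session_id":"s-2002","ip":"203.0.113.7","user_agent":"Chrome/103","event":"signin_mfa_ok"}
{"ts":"09:15:31","user":"bob@example.com","session_id":"s-2002","ip":"192.0.2.55","user_agent":"python-requests/2.28","event":"mail_read"}
{"ts":"09:16:02","user":"bob@example.com","session_id":"s-2002","ip":"192.0.2.55","user_agent":"python-requests/2.28","event":"inbox_rule_create"}
{"ts":"09:20:00","user":"carol@example.com","session_id":"s-3003","ip":"198.51.100.20","user_agent":"Safari/15","event":"signin_mfa_ok"}
{"ts":"09:45:00","user":"carol@example.com","session_id":"s-3003","ip":"198.51.100.99","user_agent":"Safari/15","event":"mail_read"}
"""


def find_session_replay(log_text):
    """Flag sessions whose cookie is presented by a client other than the one
    that completed sign-in. An IP change alone is 'low' (roaming, VPN); an IP
    change together with a new user agent is 'high'."""
    origin = {}       # session_id -> (ip, user_agent) recorded at sign-in
    reported = set()  # (session_id, client) pairs already turned into a finding
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid, client = ev["session_id"], (ev["ip"], ev["user_agent"])
        if ev["event"] == "signin_mfa_ok":
            origin[sid] = client
            continue
        first = origin.get(sid)
        if first is None or client[0] == first[0] or (sid, client) in reported:
            continue  # unknown session, same IP, or already reported
        reported.add((sid, client))
        severity = "high" if client[1] != first[1] else "low"
        findings.append({"user": ev["user"], "session_id": sid,
                         "signin_ip": first[0], "replay_ip": client[0],
                         "first_event": ev["event"], "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_LOG):
        print(finding)
```

Because the phishing proxy relays the sign-in itself, the sign-in address seen by the identity provider may belong to the proxy; the check fires only when the cookie is later used from a different client.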

Brian Adam