
Microsoft Warns of a Rise in AiTM Phishing Tactics in Phishing-as-a-Service Kits


Microsoft has warned about a rise in adversary-in-the-middle (AiTM) phishing methods, which are spreading as part of the phishing-as-a-service (PhaaS) cybercrime model.

In addition to an increase in PhaaS platforms with AiTM capabilities, Microsoft mentioned that existing phishing services like PerSwaysion are integrating AiTM features.

This development in the PhaaS ecosystem lets attackers run large-scale phishing campaigns that defeat conventional multi-factor authentication (MFA) rather than merely stealing passwords.

Two ways AiTM phishing kits work

Phishing kits equipped with AiTM capabilities operate in one of two ways:

  • The first uses a reverse proxy: the attacker's server sits between the user and the legitimate website and forwards every request and response, so the victim sees and interacts with the real site while the proxy silently captures the username, password, two-factor code and, once the login completes, the session cookie.
  • The second uses synchronous relay servers. Here the target lands on a replica of the sign-in page, as in a traditional phishing attack, but the credentials and MFA code the victim types are forwarded in real time to the legitimate service by an attacker-controlled relay, which completes the sign-in before the one-time code expires and collects the resulting session cookie.

A group known as Storm-1295, linked to the Greatness PhaaS platform, provides synchronous relay services to other attackers.
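To make the relay concrete, the following is a constructed toy model added for this write-up; it is not code from Microsoft, Greatness, or any phishing kit. It shows why a one-time code is relayable while an origin-bound login is not: the relay forwards the victim's password and OTP before the code expires and walks away with a valid session cookie, but a WebAuthn-style assertion is signed over the origin the browser actually loaded, so the identity provider rejects it whether the relay forwards it honestly or rewrites the origin field. The identity provider, victim device, relay, user name, origins and secrets are all hypothetical, the OTP is a counter-based HMAC, and the assertion is an HMAC over challenge plus origin standing in for a real public-key signature.

```python
"""Toy model of why an AiTM relay defeats OTP MFA but not an origin-bound login.
Constructed example; nothing here is a real kit or a real identity provider."""
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Minimal stand-in for the legitimate sign-in service (hypothetical)."""

    def __init__(self, origin):
        self.origin = origin        # the only origin the RP accepts in assertions
        self.users = {}
        self.sessions = set()       # session cookies the service currently honours

    def register(self, user, password, otp_secret, device_key):
        self.users[user] = {"pw": password, "otp": otp_secret, "dev": device_key, "ctr": 0}

    # factor 1: password + counter-based one-time code (relayable)
    def _otp(self, user, counter):
        return hmac.new(self.users[user]["otp"], counter.to_bytes(8, "big"),
                        hashlib.sha256).hexdigest()[:6]

    def login_with_otp(self, user, password, otp):
        u = self.users[user]
        if u["pw"] == password and hmac.compare_digest(otp, self._otp(user, u["ctr"])):
            u["ctr"] += 1
            return self._issue()
        return None

    # factor 2: origin-bound assertion (WebAuthn-style, not relayable)
    def challenge(self):
        return secrets.token_bytes(16)

    def login_with_assertion(self, user, challenge, client_origin, signature):
        if client_origin != self.origin:        # origin check on the client data
            return None
        expected = hmac.new(self.users[user]["dev"], challenge + client_origin.encode(),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, signature):
            return self._issue()
        return None

    def _issue(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


class VictimDevice:
    """The victim's authenticator: produces OTP codes and origin-bound signatures."""

    def __init__(self, otp_secret, device_key):
        self.otp_secret, self.device_key, self.ctr = otp_secret, device_key, 0

    def next_otp(self):
        code = hmac.new(self.otp_secret, self.ctr.to_bytes(8, "big"),
                        hashlib.sha256).hexdigest()[:6]
        self.ctr += 1
        return code

    def sign(self, challenge, origin_in_browser):
        # The authenticator signs the challenge together with the origin the browser
        # actually loaded; a phishing page cannot change what the browser reports.
        return hmac.new(self.device_key, challenge + origin_in_browser.encode(),
                        hashlib.sha256).digest()


class AitmRelay:
    """Attacker-controlled lookalike site that forwards in real time (synchronous relay)."""

    def __init__(self, idp, phish_origin):
        self.idp, self.phish_origin, self.stolen = idp, phish_origin, []

    def victim_submits_otp(self, user, password, otp):
        cookie = self.idp.login_with_otp(user, password, otp)   # forwarded before the code expires
        if cookie:
            self.stolen.append(cookie)                           # session cookie captured
        return cookie is not None

    def victim_submits_assertion(self, user, device):
        challenge = self.idp.challenge()                 # relay fetches the real challenge
        sig = device.sign(challenge, self.phish_origin)  # browser is on the phishing origin
        # Forwarding the honest client data fails the origin check; forging the
        # origin field fails the signature check because the origin is signed.
        honest = self.idp.login_with_assertion(user, challenge, self.phish_origin, sig)
        forged = self.idp.login_with_assertion(user, challenge, self.idp.origin, sig)
        return honest is not None or forged is not None


def run_demo():
    """Hypothetical tenant, user, and lookalike domain; returns what the relay achieved."""
    idp = IdentityProvider("https://login.example.test")
    otp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp.register("alice", "hunter2", otp_secret, device_key)
    device = VictimDevice(otp_secret, device_key)
    relay = AitmRelay(idp, "https://login.example-login.test")

    otp_bypassed = relay.victim_submits_otp("alice", "hunter2", device.next_otp())
    assertion_bypassed = relay.victim_submits_assertion("alice", device)
    cookie_works = bool(relay.stolen) and relay.stolen[0] in idp.sessions
    return {"otp_mfa_bypassed": otp_bypassed, "stolen_cookie_valid": cookie_works,
            "origin_bound_bypassed": assertion_bypassed}


if __name__ == "__main__":
    print(run_demo())
```

The reverse-proxy variant differs only in plumbing: the victim's browser still loads the attacker's origin, so the same origin check defeats it, while the password and OTP pass through untouched either way.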

How does the Phishing Kit work?

The phishing kit, provided to partners and set up on a server under their control, is the only part of the system the victim interacts with. It supplies the HTML/JavaScript for each attack phase, works in the background, and connects to the PhaaS API service, sending the victim's captured credentials and receiving instructions on which page to display at each stage of the attack.

Attack flow (diagram in the original post):

As the victim enters their credentials into the kit, it stores this information locally. It may also send these credentials to the affiliate’s Telegram channel if configured to do so.

The phishing kit has an admin panel allowing the partner to set up the service API key and Telegram bot. It also helps them keep tabs on the stolen credentials they’ve acquired.

Greatness PhaaS, first documented by Cisco Talos in May 2023, is a "service that empowers cybercriminals to target Microsoft 365 cloud users using convincing imitation login pages." It has reportedly been active since around mid-2022.

These attacks ultimately aim to obtain the session cookie the service issues after a successful login. Replaying that cookie gives the threat actor the victim's authenticated session, and because the service sees an already-authenticated session it never prompts for the password or MFA again.

“Getting around MFA is the main objective behind the development of AiTM session cookie theft techniques,” highlighted Microsoft. “Unlike typical phishing attacks, responding to AiTM incidents requires invalidating stolen session cookies.”
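The response Microsoft describes only works if the service can tell a replayed cookie from a legitimate one and can kill it server-side. The following is a constructed example added here (not Microsoft's guidance or any vendor's schema): it scans a handful of made-up sign-in and activity records for a session id that reappears from a different network or browser shortly after it was created, then revokes every session of the affected user through a per-user cut-off that the service checks on each request. Field names, timestamps, addresses and session ids are all assumptions.

```python
"""Added example: detect a replayed session cookie in sign-in telemetry and revoke
the victim's sessions. Records are constructed; field names are assumptions,
not any vendor's schema."""
from datetime import datetime, timedelta

# Constructed activity records for the walk-through (not real telemetry).
# alice's cookie is used from a different network and browser 4 s after sign-in;
# bob's is only ever used by the client that created it.
EVENTS = [
    {"ts": "2023-08-29T09:00:00", "user": "alice", "session": "s-1a2b",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Edge/116"},
    {"ts": "2023-08-29T09:00:04", "user": "alice", "session": "s-1a2b",
     "ip": "198.51.100.7", "asn": "AS64511", "ua": "Chrome/115"},
    {"ts": "2023-08-29T09:05:00", "user": "bob", "session": "s-9f8e",
     "ip": "203.0.113.22", "asn": "AS64500", "ua": "Edge/116"},
    {"ts": "2023-08-29T10:05:00", "user": "bob", "session": "s-9f8e",
     "ip": "203.0.113.22", "asn": "AS64500", "ua": "Edge/116"},
]


def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Flag a session id that shows up from a different ASN or user agent than
    the one that created it, within `window` of its first use."""
    first_seen = {}
    flagged = []
    for e in sorted(events, key=lambda r: r["ts"]):
        sid = e["session"]
        if sid not in first_seen:
            first_seen[sid] = e
            continue
        base = first_seen[sid]
        gap = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(base["ts"])
        if gap <= window and (e["asn"] != base["asn"] or e["ua"] != base["ua"]):
            flagged.append({"user": e["user"], "session": sid,
                            "first_ip": base["ip"], "replay_ip": e["ip"],
                            "seconds_after_signin": int(gap.total_seconds())})
    return flagged


class SessionStore:
    """Server-side session table with per-user revocation. A stolen cookie is
    only worthless if the service consults this cut-off on every request."""

    def __init__(self):
        self.sessions = {}        # session id -> {"user", "issued_at"}
        self.revoked_before = {}  # user -> cut-off; sessions issued earlier are dead

    def issue(self, sid, user, issued_at_iso):
        self.sessions[sid] = {"user": user,
                              "issued_at": datetime.fromisoformat(issued_at_iso)}

    def revoke_all(self, user, now_iso):
        # Sessions issued after the cut-off (after the reset) remain usable.
        self.revoked_before[user] = datetime.fromisoformat(now_iso)

    def is_valid(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return False
        cutoff = self.revoked_before.get(s["user"])
        return cutoff is None or s["issued_at"] >= cutoff


def respond_to_aitm(events, store, now_iso):
    """Detection feeding response: every flagged user loses all current sessions."""
    findings = find_replayed_sessions(events)
    for f in findings:
        store.revoke_all(f["user"], now_iso)
    return findings


if __name__ == "__main__":
    store = SessionStore()
    store.issue("s-1a2b", "alice", "2023-08-29T09:00:00")
    store.issue("s-9f8e", "bob", "2023-08-29T09:05:00")
    print(respond_to_aitm(EVENTS, store, "2023-08-29T11:00:00"))
    print(store.is_valid("s-1a2b"), store.is_valid("s-9f8e"))
```

The ASN/user-agent heuristic will produce noise from mobile users roaming between networks; in practice it is one signal among several, and the revocation path is the part that must be reliable, since a password reset alone leaves the stolen cookie working.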

Not sure what to do? Stick to the basics

Continuous collaboration between security researchers, law enforcement agencies and technology providers remains pivotal to disrupting techniques like this. For an individual user the guidance is still simple: check the address bar before entering credentials, treat an unexpected sign-in page or MFA prompt as suspect, and stay vigilant whether you are at home or at work. For defenders, the caveat that matters is that one-time codes and push approvals can be relayed by an AiTM kit, whereas an origin-bound authenticator (FIDO2/WebAuthn) cannot be, and the response to a confirmed incident is to revoke the victim's active sessions, not only to reset the password.

Author: PureVPN

Date: August 30, 2023