Chris Swagler | August 31st, 2023

AiTM Phishing

Financial institutions are prime targets for malicious actors seeking to exploit vulnerabilities. Microsoft has recently exposed a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack, casting a spotlight on the intricate nature of cyber threats affecting the financial industry. The complex web of financial transactions makes banks and financial organizations attractive targets for cybercriminals, and Microsoft’s account of this campaign exposes the vulnerabilities within the sector.

Discovery of the New AiTM Attack

According to a recent report from Microsoft, this AiTM attack originated from a compromised trusted vendor and quickly escalated into AiTM assaults, followed by BEC activity spanning multiple financial organizations. Microsoft has named this operation “Storm-1167” and has highlighted the attackers’ use of an indirect proxy, demonstrating their adaptability and sophistication. The indirect proxy is what sets this attack apart: instead of relaying traffic to the real sign-in page, the attackers run their own phishing pages, which they can customize to suit each target, and use what those pages capture to steal the victim’s session cookie, underscoring the evolving nature of AiTM attacks.

The Modus Operandi of the AiTM Attack

Unlike conventional AiTM campaigns, where decoy pages act as reverse proxies that relay and capture the credentials and time-based one-time passwords (TOTPs) victims enter, this attack takes a different approach, although Microsoft noted similarities with traditional phishing: victims are presented with a website resembling the sign-in page of the targeted application, hosted on a cloud service. The attack begins with a phishing email containing a link that redirects victims to a spoofed Microsoft sign-in page, which captures the entered credentials and TOTPs. The stolen credentials and the session cookies obtained with them are then used to impersonate the user, gaining unauthorized access to the victim’s email inbox through a replay attack. This access is leveraged to extract sensitive emails and orchestrate a BEC attack. In this instance, the attackers took the sophistication a step further by adding a new SMS-based two-factor authentication (2FA) method to the target account, which allowed them to sign in with the stolen credentials without arousing suspicion.
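Two of the behaviours described above leave traces in identity logs: a session cookie being used from a network other than the one that authenticated it, and a new MFA method being registered from an address that never completed a sign-in for that user. The following is an added example, not code from the SpearTip post or from Microsoft’s report, showing both detection rules over a handful of constructed sign-in and audit events. The event field names (`type`, `session`, `ip`, `method`) are assumptions for illustration rather than any real product’s schema, and the IP addresses come from documentation ranges.

```python
"""Detection rules for AiTM session replay and suspicious MFA enrolment.

Added example with constructed events; field names are an assumed,
simplified schema, not a real identity provider's log format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real tenant data), in time order.
EVENTS = [
    # alice signs in legitimately from her usual network and gets session S1.
    {"ts": "2023-08-01T09:00:00", "type": "signin", "user": "alice@example.com",
     "ip": "203.0.113.10", "session": "S1"},
    {"ts": "2023-08-01T09:05:00", "type": "session_use", "user": "alice@example.com",
     "ip": "203.0.113.10", "session": "S1"},
    # The same session cookie is then presented from a different address:
    # the replay described in the post.
    {"ts": "2023-08-01T09:12:00", "type": "session_use", "user": "alice@example.com",
     "ip": "198.51.100.77", "session": "S1"},
    # A new SMS factor is registered from that second address, which never
    # completed an interactive sign-in for alice.
    {"ts": "2023-08-01T09:20:00", "type": "mfa_method_added", "user": "alice@example.com",
     "ip": "198.51.100.77", "method": "sms"},
    # bob's activity is benign: same address throughout, including an MFA change.
    {"ts": "2023-08-01T10:00:00", "type": "signin", "user": "bob@example.com",
     "ip": "192.0.2.5", "session": "S2"},
    {"ts": "2023-08-01T10:30:00", "type": "session_use", "user": "bob@example.com",
     "ip": "192.0.2.5", "session": "S2"},
    {"ts": "2023-08-01T11:00:00", "type": "mfa_method_added", "user": "bob@example.com",
     "ip": "192.0.2.5", "method": "authenticator"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp carried by every event."""
    return datetime.fromisoformat(event["ts"])


def session_replays(events):
    """Return (user, session, auth_ip, replay_ip) for every use of a session
    from an IP other than the one that performed the sign-in that created it."""
    origin = {}  # session id -> IP address of the authenticating sign-in
    hits = []
    for e in sorted(events, key=_ts):
        if e["type"] == "signin":
            origin[e["session"]] = e["ip"]
        elif e["type"] == "session_use":
            auth_ip = origin.get(e["session"])
            if auth_ip is not None and e["ip"] != auth_ip:
                hits.append((e["user"], e["session"], auth_ip, e["ip"]))
    return hits


def suspicious_mfa_additions(events):
    """Return (user, method, ip) for MFA registrations made from an IP that
    has not completed an interactive sign-in for that user. A cookie-replay
    attacker reaches the account without a sign-in from their own address,
    so their enrolment of a new factor trips this rule."""
    signin_ips = defaultdict(set)  # user -> IPs seen in that user's sign-ins
    hits = []
    for e in sorted(events, key=_ts):
        if e["type"] == "signin":
            signin_ips[e["user"]].add(e["ip"])
        elif e["type"] == "mfa_method_added" and e["ip"] not in signin_ips[e["user"]]:
            hits.append((e["user"], e["method"], e["ip"]))
    return hits


if __name__ == "__main__":
    for hit in session_replays(EVENTS):
        print("session replay:", hit)
    for hit in suspicious_mfa_additions(EVENTS):
        print("MFA added without sign-in:", hit)
```

Both rules key on the sign-in that created a session, so they only work if the log source records a stable session identifier and the client address; in practice the address comparison should be done at the network or ASN level rather than on exact IPs, since the post notes that these attackers deliberately use residential addresses.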

The Scope and Tactics of the Attack

The attackers then initiated a mass spam campaign, sending over 16,000 emails to the compromised users’ contacts, both inside and outside the organization, and to distribution lists. To minimize detection, they responded to incoming emails and deleted them from the mailbox. Notably, a second AiTM attack targeted the recipients of those phishing emails, stealing their credentials and launching yet another phishing campaign from the newly compromised user’s inbox.
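The mailbox side of the campaign described above, a large outbound blast followed by replies that disappear almost as soon as they arrive, is detectable from ordinary mailbox activity records. The following is an added example, not code from the SpearTip post or from Microsoft’s report, with two rules over constructed mail events: a sliding-window count of outbound recipients per user, and inbound messages deleted within minutes of arrival. The event schema (`sent`, `received`, `deleted`, `recipients`, `msg`) is an assumption for illustration; thresholds are placeholders to be tuned per environment.

```python
"""Mailbox-activity rules for a BEC-style mail blast and reply clean-up.

Added example with constructed events; the schema and thresholds are
assumptions, not any mail platform's audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real mailbox data).
MAIL_EVENTS = [
    # bob: a normal, low-volume day.
    {"ts": "2023-08-01T08:00:00", "type": "sent", "user": "bob@example.com", "recipients": 2},
    {"ts": "2023-08-01T09:30:00", "type": "sent", "user": "bob@example.com", "recipients": 1},
    {"ts": "2023-08-01T12:00:00", "type": "received", "user": "bob@example.com", "msg": "m3"},
    {"ts": "2023-08-02T12:00:00", "type": "deleted", "user": "bob@example.com", "msg": "m3"},
    # alice: three distribution-list sends within minutes, then replies that
    # are deleted shortly after landing.
    {"ts": "2023-08-01T09:25:00", "type": "sent", "user": "alice@example.com", "recipients": 850},
    {"ts": "2023-08-01T09:26:00", "type": "sent", "user": "alice@example.com", "recipients": 900},
    {"ts": "2023-08-01T09:27:00", "type": "sent", "user": "alice@example.com", "recipients": 780},
    {"ts": "2023-08-01T09:40:00", "type": "received", "user": "alice@example.com", "msg": "m1"},
    {"ts": "2023-08-01T09:41:00", "type": "deleted", "user": "alice@example.com", "msg": "m1"},
    {"ts": "2023-08-01T09:45:00", "type": "received", "user": "alice@example.com", "msg": "m2"},
    {"ts": "2023-08-01T09:46:30", "type": "deleted", "user": "alice@example.com", "msg": "m2"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp carried by every event."""
    return datetime.fromisoformat(event["ts"])


def outbound_bursts(events, window=timedelta(minutes=10), threshold=1000):
    """Map user -> peak recipient count inside any sliding `window`, for users
    whose peak reaches `threshold`. Uses a two-pointer sweep per user."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "sent":
            by_user[e["user"]].append((_ts(e), e["recipients"]))
    hits = {}
    for user, sends in by_user.items():
        sends.sort()
        start, total = 0, 0
        for t, n in sends:
            total += n
            # Drop sends that fell out of the window ending at t.
            while t - sends[start][0] > window:
                total -= sends[start][1]
                start += 1
            if total >= threshold:
                hits[user] = max(hits.get(user, 0), total)
    return hits


def rapid_inbound_deletes(events, max_age=timedelta(minutes=5)):
    """Map user -> message ids that were deleted within `max_age` of arrival,
    the clean-up pattern used to hide replies from the real mailbox owner."""
    arrived = {}  # (user, msg) -> arrival time
    hits = defaultdict(list)
    for e in sorted(events, key=_ts):
        key = (e["user"], e.get("msg"))
        if e["type"] == "received":
            arrived[key] = _ts(e)
        elif e["type"] == "deleted" and key in arrived:
            if _ts(e) - arrived[key] <= max_age:
                hits[e["user"]].append(e["msg"])
    return dict(hits)


if __name__ == "__main__":
    print("outbound bursts:", outbound_bursts(MAIL_EVENTS))
    print("rapid inbound deletes:", rapid_inbound_deletes(MAIL_EVENTS))
```

Either rule alone produces noise (a legitimate newsletter send, a user tidying their inbox); the value is in correlating them for the same mailbox within the same hour, and in pairing them with the identity-side signals of cookie replay and new-factor enrolment.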

The Complexity and Implications

Microsoft’s analysis of this attack highlights the intricate nature of AiTM and BEC threats, particularly the exploitation of trusted relationships between vendors, suppliers, and partner organizations for financial fraud. The discovery comes shortly after Microsoft warned of a surge in BEC attacks, pointing to evolving tactics among cybercriminals, such as the use of platforms like BulletProofLink for industrial-scale malicious email campaigns. Moreover, the attackers’ use of residential IP addresses, which makes their activity appear locally generated, adds a further layer of sophistication to their strategy.

The emergence of this new AiTM/BEC attack underscores the need for heightened vigilance within the financial sector. These attackers demonstrate innovative tactics, using residential IP addresses and evading detection, which makes it crucial for financial organizations to implement robust cybersecurity measures to safeguard their valuable assets and customer data. Proactive threat hunting and a comprehensive defense strategy are essential in this era of constantly evolving cyber threats. At SpearTip, our certified engineers offer phishing training as a mitigation to strengthen the skills needed to defend against these threats. The training tests the discernment of companies’ teams, educates employees on common phishing tactics and indicators, and identifies related security gaps in their environment. Our team creates phishing email simulations like those threat actors use and sends them throughout the organization. We provide insight and feedback to improve the team’s cyber defenses, leading to a marked decrease in the likelihood of being victimized by phishing scams. After the training, our team provides precise and thorough strategies to harden your environment and implement ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
