A malicious link shared in a phishing message for an AiTM campaign. Courtesy/Microsoft
Microsoft is warning organizations of an uptick in Adversary-in-the-Middle (AiTM) phishing kits that are capable of bypassing multi-factor authentication (MFA) through reverse-proxy functionality, rendering the security tool that many organizations now deploy useless.
In a new blog, the Microsoft Threat Intelligence Team dives into a threat actor it calls DEV-1101, a group that develops, supports and advertises several AiTM phishing kits that other threat actors can leverage in their attacks.
This specific AiTM phishing kit is an open-source kit that automates setting up and launching phishing activity, and the DEV-1101 group provides support services to attackers. Other cybercriminal groups have had access to the phishing kit since last year, and DEV-1101 has since made several improvements, including the ability to manage campaigns from a mobile device and evasion features like CAPTCHA pages.
Microsoft has since observed several high-volume phishing campaigns from various actors using the AiTM kit from DEV-1101, and millions of phishing emails built with the kit have been sent each day since the group began advertising it in spring 2022.
According to Microsoft, one of the more common phishing attacks leveraging the kit appears typical of phishing activity, with the email masquerading as a Microsoft document. The example given is from DEV-0928, one of the more prominent threat actors leveraging the phishing kit.
Microsoft security researchers say clicking the link in the phishing message can trigger one of two evasions. The DEV-1101 kit’s anti-bot functionality may trigger an href redirection to a benign page.
“The default redirection domain defined in the source code is example.com; however, any actor using the kit may define a different redirection domain,” researchers say.
The AiTM kit also allows threat actors to use CAPTCHA to evade detection. Inserting a CAPTCHA page into the phishing sequence could make it more difficult for automated systems to reach the final phishing page, while a human could easily click through to the next page, Microsoft researchers say.
After the evasion pages, the phishing landing page is presented to the target from an actor-controlled host through the phishing actor’s reverse proxy setup.
From there, the threat actor’s server captures the credentials entered by the user. If MFA is enabled, the AiTM kit continues to act as a proxy between the user and the user’s sign-in service, which lets the server capture the resulting session cookie as the user completes the MFA sign-in. With the session cookie and the stolen credentials, the attacker can bypass MFA.
While MFA can stop a wide variety of credential-based attacks, attackers are always finding new ways around security controls, including new MFA bypass techniques. According to Microsoft, MFA is the reason threat actors are pivoting to AiTM session cookie theft.
Microsoft advises organizations to enable security defaults to improve their identity security posture and to evaluate sign-in requests using additional identity-driven signals such as group membership, IP location information and device status.
Other policies, such as requiring compliant devices or trusted IP addresses, can help protect users from attacks that leverage stolen credentials, researchers say. Organizations are also advised to invest in anti-phishing solutions that scan incoming emails and visited websites.
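The following is an added example, not code from Microsoft or from the article, showing how the defensive signals mentioned above can be applied to sign-in telemetry: a conditional-access style decision built from group membership, IP location and device compliance, plus a tracker that remembers where each session cookie was minted by an MFA sign-in and flags the same cookie being presented from a different, untrusted network. All event data, field names, networks and group names are constructed for illustration and do not correspond to any real log schema.

```python
"""Added example: evaluate sign-in events against identity signals (trusted IP
ranges, device compliance, group membership) and flag session-cookie reuse from
a context other than the one in which MFA was completed.
All inputs below are constructed sample data; field names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy inputs (assumptions, not values from the article).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # corporate egress (TEST-NET-3)
PRIVILEGED_GROUPS = {"GlobalAdmins", "Finance"}


@dataclass
class SignInEvent:
    """One sign-in or token-use event. Field names are illustrative only."""
    user: str
    session_id: str               # opaque identifier of the session cookie presented
    ip: str
    device_compliant: bool
    mfa_completed: bool = False   # True only for the interactive sign-in that satisfied MFA
    groups: set = field(default_factory=set)


def ip_trusted(ip: str) -> bool:
    """True when the source address falls inside a trusted network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate_policy(event: SignInEvent) -> tuple[str, list[str]]:
    """Conditional-access style decision from group, IP location and device signals."""
    reasons = []
    if not ip_trusted(event.ip) and not event.device_compliant:
        reasons.append("off-network sign-in from a non-compliant device")
    if event.groups & PRIVILEGED_GROUPS and not event.device_compliant:
        reasons.append("privileged group requires a compliant device")
    return ("block" if reasons else "allow"), reasons


class SessionTracker:
    """Remembers where each session cookie was minted (the MFA sign-in) and flags reuse elsewhere."""

    def __init__(self) -> None:
        self._origin: dict[str, SignInEvent] = {}

    def observe(self, event: SignInEvent) -> Optional[str]:
        if event.mfa_completed:
            self._origin[event.session_id] = event
            return None
        origin = self._origin.get(event.session_id)
        if origin is None:
            return "session cookie presented without an observed MFA sign-in"
        if origin.user != event.user:
            return "session cookie bound to a different user"
        if event.ip != origin.ip and not ip_trusted(event.ip):
            return "session cookie reused from a different, untrusted IP"
        return None


def analyze(events: list[SignInEvent]) -> list[dict]:
    """Run both checks over an ordered event stream and return one finding per event."""
    tracker = SessionTracker()
    findings = []
    for ev in events:
        decision, reasons = evaluate_policy(ev)
        alert = tracker.observe(ev)   # evaluated independently of the policy decision
        findings.append({"user": ev.user, "ip": ev.ip, "decision": decision,
                         "reasons": reasons, "alert": alert})
    return findings


# Constructed sample stream: alice's cookie is later replayed from an outside address.
SAMPLE_EVENTS = [
    SignInEvent("alice", "sess-A1", "203.0.113.10", True, mfa_completed=True, groups={"Finance"}),
    SignInEvent("alice", "sess-A1", "198.51.100.77", False),
    SignInEvent("bob", "sess-B7", "203.0.113.22", False, mfa_completed=True, groups={"Sales"}),
    SignInEvent("carol", "sess-C3", "198.51.100.9", False, mfa_completed=True, groups={"GlobalAdmins"}),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The two checks are layered on purpose. In a real AiTM flow the interactive MFA sign-in itself arrives from the proxy host, so an attacker who replays the cookie from that same host would not trip the origin comparison; the compliant-device and trusted-network requirements are what deny the replayed cookie in that case, which is why the article's advice pairs the identity signals with device policy rather than relying on location alone.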
Microsoft also listed several capabilities of Microsoft 365 Defender that are designed to help protect from AiTM attacks. Read the blog for more information.