Are attackers using AiTM to bypass your MFA and obtain account access?

What happens to a user when their multi-factor authentication (MFA) safeguards can be bypassed by attackers? That’s the question that many security experts have been working on as a result of the recent rise in Adversary-in-the-Middle (AiTM) techniques against enterprise accounts.

At CyberProof, our in-house Cyber Threat Intelligence (CTI) team has been tracking AiTM attacks since August, gathering information on how AiTM attacks work, who they have targeted, and critically — how users can shore up their defenses to mitigate the threat. 

What is AiTM? 

Adversary-in-the-middle attacks occur when an attacker positions a proxy server between the user and the service they are logging in to, giving the attacker access to all of the traffic passing through it. When the service issues session cookies to the client-side device, they pass through the proxy, so the attacker captures them along with the login credentials and can use them to authenticate as if they were the legitimate user.

While AiTM attacks start with what appears to be a standard phishing attack, usually via email, they are different from traditional phishing scams for a few key reasons.  

First, AiTM attacks do not require the attacker to build a fake website. In traditional phishing attacks, generally speaking, a fake website is built to steal credentials by tricking a user into entering their passwords or sensitive data. An AiTM attack instead uses a proxy server that communicates directly with the enterprise, passing the login information to the legitimate company and relaying the response back to the user. By deploying a web server that proxies HTTP packets from the user to the target server and vice versa, the attackers don’t need to create their own phishing website: what the user sees is the real site, virtually identical to the original aside from the URL.

Second, the goal of an AiTM attack is not merely to steal credentials, but to defeat MFA, allowing the attacker to keep using the account long-term without needing to authenticate again. To evade detection, attackers will often set up inbox rules and policies, for example deleting the messages they send and auto-archiving any replies.
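Two of the behaviours described above leave traces a defender can look for: a stolen session cookie is presented from a client that is not the one that completed MFA, and the attacker creates inbox rules that delete or park mail. The following is an added example, not code from the CyberProof post, that runs those two checks over constructed sign-in and mailbox-audit events. The field names are assumptions modelled loosely on cloud sign-in and mailbox audit logs rather than any specific vendor schema.

```python
"""
Added example (not from the CyberProof post): two simple detections for the
AiTM behaviours described in the post, run over constructed events. The
event fields (time, user, session, ip, ua, mfa, op, actions, ...) are assumed
names, not a particular vendor's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. Each carries the session identifier
# that the service issued; a replayed cookie shows up as the same session.
SIGNIN_EVENTS = [
    {"time": "2022-09-01T08:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/105", "mfa": True},
    {"time": "2022-09-01T08:03:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.77", "ua": "python-requests/2.28", "mfa": False},
    {"time": "2022-09-01T09:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/605", "mfa": True},
    {"time": "2022-09-01T17:30:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/605", "mfa": False},
]

# Constructed sample mailbox audit events for inbox-rule creation.
RULE_EVENTS = [
    {"time": "2022-09-01T08:05:00", "user": "alice@example.com", "op": "New-InboxRule",
     "name": ".", "actions": {"DeleteMessage": True, "MoveToFolder": "Archive"},
     "conditions": {"SubjectContainsWords": ["invoice", "payment"]}},
    {"time": "2022-09-01T10:00:00", "user": "bob@example.com", "op": "New-InboxRule",
     "name": "Newsletters", "actions": {"MoveToFolder": "Newsletters"},
     "conditions": {"FromAddressContainsWords": ["news@"]}},
]

# Folders attackers commonly park hijacked replies in so the owner never
# notices them. Assumed list; tune it to your tenant.
PARKING_FOLDERS = {"archive", "rss feeds", "rss subscriptions",
                   "conversation history", "junk email", "deleted items"}


def _ts(value):
    return datetime.fromisoformat(value)


def session_reuse_findings(events, window=timedelta(hours=1)):
    """Flag a session that, shortly after an MFA-backed sign-in, is presented
    from a different IP *and* a different user agent. A cookie captured by an
    AiTM proxy and replayed from attacker infrastructure looks exactly like
    this: the token is valid, but the client is not the one that did MFA.
    A single signal only; pair it with ASN/geo context to cut false positives."""
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        by_session[event["session"]].append(event)

    findings = []
    for session_id, session_events in by_session.items():
        anchor = next((e for e in session_events if e["mfa"]), None)
        if anchor is None:
            continue
        for event in session_events:
            if event is anchor:
                continue
            delta = _ts(event["time"]) - _ts(anchor["time"])
            if (timedelta(0) <= delta <= window
                    and event["ip"] != anchor["ip"]
                    and event["ua"] != anchor["ua"]):
                findings.append({
                    "session": session_id, "user": event["user"],
                    "mfa_ip": anchor["ip"], "replay_ip": event["ip"],
                    "minutes_after_mfa": delta.total_seconds() / 60,
                })
    return findings


def suspicious_inbox_rules(events):
    """Flag newly created inbox rules that delete mail, move it to a parking
    folder, or carry a near-empty name, the pattern the post describes for
    hiding the attacker's own messages and the replies to them."""
    findings = []
    for event in events:
        if event["op"] != "New-InboxRule":
            continue
        reasons = []
        actions = event["actions"]
        if actions.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        folder = actions.get("MoveToFolder", "")
        if folder.lower() in PARKING_FOLDERS:
            reasons.append("moves matching mail to " + folder)
        if len(event["name"].strip(". ")) == 0 or len(event["name"]) <= 2:
            reasons.append("rule name is empty or just a few characters")
        if reasons:
            findings.append({"user": event["user"], "time": event["time"],
                             "rule": event["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in session_reuse_findings(SIGNIN_EVENTS):
        print("session reuse:", finding)
    for finding in suspicious_inbox_rules(RULE_EVENTS):
        print("inbox rule:", finding)
```

Run as-is it reports alice's session S1 (valid cookie, new IP and user agent three minutes after MFA) and her "." rule that deletes and archives matching mail; bob's long-lived session from the same client and his newsletter rule stay quiet.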

Which enterprises are being targeted? 

In July 2022, Microsoft disclosed that a large-scale campaign had targeted more than 10,000 organizations since September 2021, using AiTM techniques to access Office 365 accounts, even those secured with MFA. "The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets." 

Less than a month later, Zscaler researchers announced another prominent campaign using AiTM techniques, targeting enterprise users of Microsoft's email services across multiple verticals including FinTech, Insurance, Energy and Manufacturing, and spread globally across the US, UK, Australia and New Zealand. The campaign used cloaking, redirection, and browser fingerprinting techniques to ensure it wasn’t flagged by URL analysis systems, since the URL is the only visible difference between the proxy and the original website. In addition, to extend the amount of time that attackers could remain authenticated to the stolen accounts, the campaign used legitimate code editing services such as Glitch and CodeSandbox.

Soon after this report was made public, a follow-up was published to warn of a similar campaign that targeted users of G Suite, Google’s enterprise workspace. In this case, the malicious email warned users of a password expiry deadline. When the link was clicked, users were sent through open redirect pages on Google Ads and Snapchat, which loaded the URL of the phishing page. MFA was again bypassed by stealing session cookies. A variant of the attack used infected websites carrying a Base64-encoded version of the redirection URL, which brought victims to the JavaScript page.

Both the Microsoft and the Google attacks took users to a Gmail AiTM phishing page, and there was also an overlap in the infrastructure used, suggesting that the same attackers were behind the campaigns.  

MFA alone is not enough. What should organizations do to protect against AiTM? 

Many users believe that by using MFA, they are protected when using their online accounts. While it’s true that MFA is an essential part of securing your digital activities, the growth in AiTM techniques used for email compromise and phishing shows that it is not enough in and of itself.

Actionable tip: If you’re concerned about AiTM attacks, and you would like a list of specific Indicators of Compromise (IoC) that you can scan for within your environment, and implement in your security systems, make sure to get in touch. 

More broadly, in order to make your implementation of MFA what Microsoft calls “phish-resistant”, we recommend:

  • Using solutions that support v2.0 of FIDO (Fast IDentity Online): FIDO uses Personally Identifiable Information (PII) such as biometric authentication data rather than relying on password databases for authentication. It also supports the Universal Authentication Framework (UAF), where key pairing is used, unlocking access through a simple action by the user, such as a PIN, a fingerprint, or even a selfie. Authentication relies on a strong second factor like Near-field Communication (NFC) or a security token.
  • Looking for certificate-based authentication: This cryptographic technique adds a layer of security to your digital activity and authentication processes, by demanding that a device send a certificate to prove its legitimacy, before a user can gain access. The traditional approach is that a server will use SSL or TLS to confirm its identity to the client – but with certificate-based authentication, the roles are reversed.  
  • Creating conditional access policies: Conditional access policies can act as an additional safeguard to ensure that if access is granted, attackers are limited with what they can achieve. These are simple “If/then” statements, so that if a user wants to request a payment, for example, or access sensitive data, they need to complete an action to prove their identity. You can set up conditional access policies by users, IP addresses, types of device, and more.  
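What makes FIDO2 sign-in resist an AiTM proxy, where a relayed password and one-time code do not, is that the browser writes the page origin into the signed data and the authenticator only answers for the relying-party ID it was registered against. The following added example, which is not code from the post, from Microsoft or from the FIDO Alliance, models that check with the standard library only: the origin and rpId rules follow WebAuthn, while the signature is a stand-in (HMAC with a per-credential secret in place of the authenticator's public-key signature). The hostnames, the password and the one-time code are constructed values.

```python
"""
Added example (not the post's code): a minimal model of why FIDO2/WebAuthn
survives an AiTM proxy while a relayed password + one-time code does not.
Origin and rpId handling follow the WebAuthn rules; the signature is an HMAC
stand-in for the authenticator's public-key signature. Hostnames are assumed.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                  # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"      # the only origin the RP accepts
PROXY_ORIGIN = "https://login.example.net"   # assumed origin of an AiTM proxy page


class Authenticator:
    """Holds credentials scoped to an rpId, as a FIDO2 security key does."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, secret)

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, secrets.token_bytes(32))
        return cred_id

    def public_key(self, cred_id):
        # Stand-in for the public key the RP stores at registration.
        return self._creds[cred_id][1]

    def get_assertion(self, rp_id, client_data_hash):
        # Only a credential registered for exactly this rpId can answer.
        for cred_id, (stored_rp, key) in self._creds.items():
            if stored_rp == rp_id:
                auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
                sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
                return cred_id, auth_data, sig
        raise LookupError("no credential for rpId " + rp_id)


def browser_get(page_origin, rp_id, challenge, authenticator):
    """What the browser does for navigator.credentials.get(): it refuses an
    rpId that is not the page's domain or a parent of it, and it writes the
    page origin into clientDataJSON itself; page script cannot forge it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId %s is not valid for origin %s" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(
        rp_id, hashlib.sha256(client_data).digest())
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion, challenge, registered_keys):
    """The relying party's checks from WebAuthn assertion verification."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != challenge:
        return False
    if client_data.get("origin") != RP_ORIGIN:  # the anti-phishing check
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    key = registered_keys.get(assertion["id"])
    if key is None:
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def fido_login(page_origin, rp_id=RP_ID):
    """One sign-in where the user interacts with a page at page_origin. With
    an AiTM proxy in the path, page_origin is the proxy's domain even though
    the challenge is the genuine one relayed from the real RP."""
    auth = Authenticator()
    cred_id = auth.make_credential(RP_ID)
    registered = {cred_id: auth.public_key(cred_id)}
    challenge = secrets.token_urlsafe(32)  # issued by the real RP
    try:
        assertion = browser_get(page_origin, rp_id, challenge, auth)
    except (ValueError, LookupError):
        return False  # browser or authenticator refused: nothing to relay
    return rp_verify(assertion, challenge, registered)


def otp_login(relayed_password, relayed_code, password="hunter2", current_code="123456"):
    """A password and one-time code carry nothing that names the site they
    were typed into, so a proxy relaying both in real time is accepted."""
    return relayed_password == password and relayed_code == current_code


if __name__ == "__main__":
    print("FIDO2 on the real site:", fido_login(RP_ORIGIN))
    print("FIDO2 through a proxy:", fido_login(PROXY_ORIGIN))
    print("Password + OTP relayed by a proxy:", otp_login("hunter2", "123456"))
```

The proxied FIDO2 attempt fails in two independent places: the browser on the proxy page will not accept the real site's rpId, and if the proxy page asks for its own domain instead, the authenticator holds no credential for it. Either way there is no assertion to relay, and even a hand-built one would carry the proxy's origin and be rejected by the relying party. The OTP path has no equivalent binding, which is the gap the campaigns above exploit.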

Looking for targeted information about how to protect your own organization from AiTM attacks? Reach out here to speak to an expert.