A sophisticated new phishing campaign has evaded traditional security defences by exploiting the trusted relationships between organisations. The Microsoft researchers who discovered and analysed the attack coined the term “multi-stage adversary-in-the-middle (AiTM) phishing” to describe the complex tactics and techniques involved. The attackers’ aim was to carry out business email compromise (BEC) against four or more organisations, jumping from one breached organisation to the next by leveraging the relationships between them, with a particular focus on the banking and financial services sectors.
The campaign began with the compromise of a trusted vendor’s email account and then used a custom phishing toolkit that relied on an indirect method of proxying. Rather than serving a proxy of the real login page, the attackers set up and maintained a phishing page that mimicked the login page and was fully under their control. When a victim interacted with this page, the attackers initiated their own login session with the real service and asked the victim for an MFA code via a fake prompt. Once the victim supplied the code, the attackers could access the account using the spoofed session cookie, while the victim was redirected to a fake page.
Once inside the victim’s account, the attackers added a new MFA authentication method and established persistent email access before launching the BEC attacks. Targets of the phishing campaign were directed to an AiTM phishing page. Recipients who questioned the phishing emails received replies falsely confirming that the email was legitimate, after which both the emails and the replies were deleted from the mailbox. This combination of multi-stage phishing and BEC represents a considerable threat: each compromised account can be turned against that organisation’s own trusted contacts, so the attack spreads far down the trust chain with exponential growth potential.
The FBI’s Internet Crime Complaint Center (IC3) issued a report on the growth of BEC scams in June 2023. The report showed that BEC attacks increased by 17% between December 2021 and December 2022, accounting for a dollar loss of over $50 billion worldwide. The Microsoft researchers cited the indirect proxy AiTM method as an example of the increasingly complex and evolving TTPs of modern phishing and cyber-attacks. With traditional defences proving ineffective against the myriad digital threats companies face, they recommend MFA methods such as FIDO2 keys and certificate-based authentication, together with continuous access evaluation enforced through conditional access policies. By proactively hunting for threats and responding quickly, organisations add another layer to their defences and close gaps that attackers exploit for defence evasion.
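The post-compromise chain described above (a sign-in, then a newly registered MFA method, then mailbox persistence or clean-up such as a new inbox rule or hard deletion of messages) is a concrete pattern a threat hunter can look for in account audit logs. The following is an added example written for this page, not code from Microsoft or from the researchers’ report; the event field names, operation strings and the 24-hour window are constructed for illustration and do not follow any vendor’s real audit-log schema. It correlates the three stages per account and reports only accounts where all of them occur within the window of one sign-in.

```python
"""Hunt for the post-compromise persistence chain: sign-in, then a new MFA
method registered, then mailbox persistence/clean-up, all within one window.

Added example for this page. Field names, operation strings and the sample
events below are constructed and do not match any real audit-log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data); times are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"time": "2023-06-05T08:02:10", "user": "alice@vendor.example", "op": "UserLoggedIn", "detail": "new session"},
    {"time": "2023-06-05T08:09:41", "user": "alice@vendor.example", "op": "MfaMethodAdded", "detail": "authenticator app"},
    {"time": "2023-06-05T08:15:03", "user": "alice@vendor.example", "op": "InboxRuleCreated", "detail": "move to Archive; mark as read"},
    {"time": "2023-06-05T09:30:00", "user": "alice@vendor.example", "op": "HardDelete", "detail": "12 items"},
    {"time": "2023-06-05T10:00:00", "user": "bob@vendor.example", "op": "UserLoggedIn", "detail": "new session"},
    # Bob adds a phone method more than a day after his sign-in and creates no
    # inbox rule: ordinary self-service, so it must not be flagged.
    {"time": "2023-06-06T13:00:00", "user": "bob@vendor.example", "op": "MfaMethodAdded", "detail": "phone"},
    # Carol creates a rule with no preceding sign-in or MFA change in the log.
    {"time": "2023-06-05T11:00:00", "user": "carol@vendor.example", "op": "InboxRuleCreated", "detail": "flag newsletters"},
]

# Operations that indicate mailbox persistence or evidence clean-up (constructed names).
PERSISTENCE_OPS = {"InboxRuleCreated", "HardDelete"}
WINDOW = timedelta(hours=24)  # assumption: the whole chain completes within a day


def parse_time(value):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def hunt_persistence_chain(events, window=WINDOW):
    """Return {user: [reasons]} for accounts where, within `window` after a
    sign-in, a new MFA method was registered AND a persistence/clean-up
    operation occurred. Each reason names one contributing event."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((parse_time(event["time"]), event["op"], event["detail"]))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per account
        for t_login, op, _ in evs:
            if op != "UserLoggedIn":
                continue
            # Everything that happened from this sign-in until the window closes.
            later = [(t, o, d) for t, o, d in evs if t_login <= t <= t_login + window]
            mfa = [(t, d) for t, o, d in later if o == "MfaMethodAdded"]
            persist = [(t, o, d) for t, o, d in later if o in PERSISTENCE_OPS]
            if mfa and persist:
                reasons = [f"sign-in at {t_login.isoformat()}"]
                reasons += [f"MFA method added at {t.isoformat()} ({d})" for t, d in mfa]
                reasons += [f"{o} at {t.isoformat()} ({d})" for t, o, d in persist]
                findings[user] = reasons
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for user, reasons in hunt_persistence_chain(SAMPLE_EVENTS).items():
        print(f"[!] {user}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the constructed sample, only the first account is reported, with the sign-in, the MFA registration and both mailbox actions listed as reasons; the account whose MFA change falls outside the window and the one with an inbox rule but no preceding sign-in are not. In a real deployment the operation strings would be mapped to the identity provider’s and mail platform’s actual audit event names, and a finding would trigger a review of the new MFA method, the inbox rules and recently deleted mail before the account is re-secured.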
