Microsoft has issued a warning about a rise in sophisticated phishing techniques, known as adversary-in-the-middle (AiTM) attacks, which is a thing that we apparently made up to replace “MITM” or “Man In The Middle” attacks. I, for one, think it’s great that we’re being inclusive with respect to who is committing crime.
These are being spread through the cybercrime model known as phishing-as-a-service (PhaaS). The tech behemoth has noticed an increase in PhaaS platforms capable of AiTM attacks. Existing phishing services, such as PerSwaysion, are also integrating AiTM capabilities into their arsenal.
According to the Microsoft Threat Intelligence team, this evolution in the PhaaS ecosystem allows cybercriminals to launch large-scale phishing campaigns designed to bypass multi-factor authentication (MFA) protections.
Methods
AiTM-enabled phishing kits come in two main designs. The first uses a reverse proxy: the phishing page is really a proxy sitting between the victim and the legitimate sign-in service, forwarding every request and response in both directions. The victim sees the real site's content and completes MFA exactly as they normally would, while the kit silently copies the credentials, the MFA code and, most importantly, the session cookie the service issues once MFA has succeeded.
The second design uses a synchronous relay server. The target is shown a static replica of the sign-in page, much as in a traditional phishing attack; the difference is that the kit relays the captured password and MFA code to the legitimate service in real time, in a session of its own, so it is the kit rather than the victim that ends up holding the authenticated session cookie. Storm-1295, the actor group behind the Greatness PhaaS platform, offers this synchronous relay capability to other cybercriminals.
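To make the two designs concrete, here is a toy simulation of both, written for this post and not taken from Microsoft, Cisco Talos or any real kit. The sign-in service, its users and the one-time-code flow are stand-ins (assumptions: password first, then a six-digit code sent out of band, then a session cookie). What it shows is that neither kit ever breaks MFA: the victim completes MFA for them, and the post-MFA cookie is what each kit walks away with, until the service revokes it.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Stand-in for the legitimate sign-in service (assumption: password, then a
    6-digit one-time code delivered out of band, then a session cookie)."""
    users: dict                                    # username -> password
    pending: dict = field(default_factory=dict)    # username -> code awaiting entry
    sessions: dict = field(default_factory=dict)   # cookie -> username, valid sessions
    outbox: list = field(default_factory=list)     # (username, code) "sent to the phone"

    def post_password(self, user, password):
        """Step 1 of sign-in: check the password and send the MFA code."""
        if self.users.get(user) != password:
            return {"status": 401}
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.outbox.append((user, code))
        return {"status": 200, "next": "otp"}

    def post_otp(self, user, code):
        """Step 2 of sign-in: check the code and issue the post-MFA session cookie."""
        if self.pending.get(user) != code:
            return {"status": 401}
        del self.pending[user]              # each code is single-use
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return {"status": 200, "set_cookie": cookie}

    def get_mailbox(self, cookie):
        """A protected resource: only a valid session cookie gets in."""
        return {"status": 200 if cookie in self.sessions else 401}

    def revoke_sessions(self, user):
        """The response step: invalidate every session the user holds."""
        for cookie in [c for c, u in self.sessions.items() if u == user]:
            del self.sessions[cookie]


class ReverseProxyKit:
    """Design 1: reverse proxy. Every request goes through to the real service and
    every response comes back unmodified; the kit only copies what passes through."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.loot = {}

    def post_password(self, user, password):
        self.loot.update(user=user, password=password)
        return self.upstream.post_password(user, password)

    def post_otp(self, user, code):
        self.loot["otp"] = code
        resp = self.upstream.post_otp(user, code)
        if "set_cookie" in resp:
            self.loot["cookie"] = resp["set_cookie"]   # post-MFA session, copied in transit
        return resp


class SynchronousRelayKit:
    """Design 2: replica page plus relay. The victim never reaches the real service;
    the kit replays each value into its own session with that service as it arrives."""

    def __init__(self, target):
        self.target = target
        self.loot = {}

    def post_password(self, user, password):
        self.loot.update(user=user, password=password)
        self.target.post_password(user, password)     # kit's own sign-in triggers the real MFA code
        return {"status": 200, "next": "otp"}          # fake page asks for the code regardless

    def post_otp(self, user, code):
        self.loot["otp"] = code
        resp = self.target.post_otp(user, code)
        if "set_cookie" in resp:
            self.loot["cookie"] = resp["set_cookie"]   # cookie is issued to the kit, not the victim
        return {"status": 200}                         # victim just sees a generic "signed in"


def victim_signs_in(page, idp, user, password):
    """The victim behaves exactly as on the real site; `page` is wherever the lure sent them."""
    page.post_password(user, password)
    _, code = idp.outbox[-1]            # reads the genuine MFA code off their phone
    return page.post_otp(user, code)


def run_scenario(kit_cls):
    """Returns the attacker's access status before and after session revocation."""
    idp = IdentityProvider(users={"alice": "correct horse battery staple"})
    kit = kit_cls(idp)
    victim_signs_in(kit, idp, "alice", "correct horse battery staple")
    stolen = kit.loot["cookie"]
    before = idp.get_mailbox(stolen)["status"]    # attacker replays the stolen cookie
    idp.revoke_sessions("alice")
    after = idp.get_mailbox(stolen)["status"]     # same cookie after revocation
    return before, after


if __name__ == "__main__":
    for kit in (ReverseProxyKit, SynchronousRelayKit):
        print(kit.__name__, run_scenario(kit))   # (200, 401) for both
```

Note what the two designs have in common: the kit never needs to know the MFA code in advance, only to be in the path when the victim types it. The reverse proxy gets the cookie because the genuine `set_cookie` response passes through it; the relay gets it because the service issued it to the kit's own session in the first place. Either way the cookie keeps working until the service revokes it, which is the point made under incident response later in the post.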
The Greatness
“Greatness”, first identified by Cisco Talos in May 2023, is a service that allows cybercriminals to target business users of the Microsoft 365 cloud service with convincing decoy and login pages.
To be clear, Cisco didn’t identify the canonical idea of Greatness. This was discovered on May 15th, 1996 when a group of Canadians wrote 7 perfect songs, and decided to call themselves Nickelback.
Anyway, it’s believed to have been operational since at least mid-2022 (for substantially less time than Nickelback).
The ultimate aim of these attacks is to steal session cookies, which let threat actors reach the victim's account and any privileged systems behind it without reauthenticating and without ever having to defeat MFA themselves. Microsoft points out that the desire to bypass MFA is what drove attackers to develop AiTM session cookie theft techniques. That changes incident response: unlike a traditional credential phish, a password reset on its own does not close an AiTM compromise, because the stolen session cookie remains valid; the stolen sessions have to be revoked as well (in Entra ID, via the revokeSignInSessions action on the user). Separately, recent action against phishing operations has included an Interpol takedown.
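Here is a detection sketch for the trace a reverse-proxy AiTM sign-in leaves behind: the identity provider records the proxy's address when MFA is completed, and the attacker then uses the cookie from an address of their own. This is an added example, not Microsoft's detection logic or any product's; the events, addresses, ASNs and field names are constructed for the sketch, and the final function only shows where the revocation step plugs in.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, loosely modelled on an identity provider's sign-in log.
# Field names ("session_id", "asn", "interactive", "mfa") are assumptions for this sketch.
# alice: MFA sign-in from one network, then the same session used from another ASN
# a couple of minutes later (a proxied sign-in followed by cookie replay).
# bob: same session from two IPs inside one ASN (an ordinary address rotation).
EVENTS = [
    {"ts": "2023-09-01T08:02:11Z", "user": "alice@example.com", "session_id": "s-1",
     "ip": "198.51.100.7", "asn": 64500, "interactive": True, "mfa": True},
    {"ts": "2023-09-01T08:04:40Z", "user": "alice@example.com", "session_id": "s-1",
     "ip": "203.0.113.20", "asn": 64501, "interactive": False, "mfa": False},
    {"ts": "2023-09-01T09:15:02Z", "user": "bob@example.com", "session_id": "s-2",
     "ip": "192.0.2.33", "asn": 64502, "interactive": True, "mfa": True},
    {"ts": "2023-09-01T13:20:00Z", "user": "bob@example.com", "session_id": "s-2",
     "ip": "192.0.2.34", "asn": 64502, "interactive": False, "mfa": False},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Flag sessions whose post-MFA cookie is used from a different ASN than the one
    that completed MFA, within `window` of the interactive sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        auth = next((e for e in evs if e["interactive"] and e["mfa"]), None)
        if auth is None:
            continue       # no MFA-completed sign-in on record for this session
        for e in evs:
            delta = _ts(e) - _ts(auth)
            if e is auth or delta < timedelta(0) or delta > window:
                continue
            if e["asn"] != auth["asn"]:
                alerts.append({"user": auth["user"], "session_id": sid,
                               "auth_ip": auth["ip"], "replay_ip": e["ip"],
                               "delta_s": int(delta.total_seconds())})
                break      # one alert per session is enough to act on
    return alerts


def users_to_revoke(alerts):
    """Distinct users whose sessions must be revoked, not merely password-reset."""
    return sorted({a["user"] for a in alerts})


def graph_revoke_request(user):
    """Method and URL of the Microsoft Graph action that invalidates a user's sessions
    and refresh tokens. The caller supplies the bearer token and HTTP transport."""
    return ("POST", f"https://graph.microsoft.com/v1.0/users/{user}/revokeSignInSessions")


if __name__ == "__main__":
    found = find_replayed_sessions(EVENTS)
    for a in found:
        print(f"{a['user']}: session {a['session_id']} authenticated from {a['auth_ip']} "
              f"then used from {a['replay_ip']} after {a['delta_s']}s")
    for u in users_to_revoke(found):
        print(*graph_revoke_request(u))
```

Keying on ASN rather than raw IP keeps carrier address rotation (bob) out of the alert queue, at the cost of missing an attacker who replays from the same network as the proxy; tune `window` to the session lifetime you actually issue. The Graph PowerShell equivalent of the revocation call is `Revoke-MgUserSignInSession`.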