AiTM Phishing Attack

An AiTM-based phishing campaign has been targeting enterprise users of Microsoft products such as email services, and the threat actors behind a large-scale campaign have also turned to Google Workspace users.

AiTM phishing attacks are attacks in which threat actors place a proxy server between a target user and the user's legitimate destination website, with the phishing site acting as the go-between.

The proxy sits between the destination website and the domain controlled by the attackers. Because all traffic passes through it, the attackers can capture the target's password and the session cookies that are issued, and then use them to access the target's data.

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu stated:

“The specific focus of this campaign was to target the executives and other senior members of multi-national corporations that use Google Workspace as their primary communication tool.”

The AiTM phishing attacks are said to have commenced in mid-July 2022, following the same modus operandi as an earlier social engineering campaign designed to siphon users' Microsoft credentials and bypass multi-factor authentication.

Attack Chain

The attack begins with an email containing a malicious link. The link abuses open redirection pages and takes the user through multiple redirection steps before landing on the final Gmail phishing domain controlled by the attacker.

Before the server presents the real phishing page, it takes an additional step to ensure that the client is a real user browsing the page and not an automated analysis system.

The attack chain is made up of several linked components. The attack vector was email: this campaign used messages with embedded links as the delivery mechanism.

These emails were specifically aimed at the organization's chief executives and senior members, as well as other targeted individuals.

It appeared to be an email from Google that offered a password expiration reminder and urged the recipient to click a link so that the account could be extended.

The AiTM phishing kit can successfully relay and intercept the multi-factor authentication process used by Gmail or Google Suite.

Apart from the abuse of open redirects, there is an additional variant of the attack that is based on infected websites.

During the next stage of the redirection process, the host sends the victim's email address along with a Base64-encoded version of the next-stage redirection URL. Following this intermediate redirector leads to a Gmail phishing page built with JavaScript code.
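As an added illustration of the intermediate-redirector stage just described (this is example code written for this article, not the phishing kit or any tool named in it), the following script examines a redirect-style link, pulls out a leaked email address and decodes a Base64-encoded next-stage URL hidden in a query parameter so an analyst can see the real destination. All hostnames in the constructed sample are hypothetical placeholders, not indicators from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlparse

# Constructed sample, modelled on the chain described above: an open-redirect
# host receives the victim's address plus a Base64-encoded next-stage URL.
# Hostnames are hypothetical placeholders, not indicators from the article.
NEXT_STAGE = "https://accounts-login-lookalike.example/gmail/signin"
SAMPLE_LINK = (
    "https://trusted-redirector.example/out?"
    "email=ceo%40victim-corp.example&"
    "next=" + base64.b64encode(NEXT_STAGE.encode()).decode()
)

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def decode_b64_url(value: str):
    """Return the decoded URL if `value` is Base64 (standard or URL-safe) wrapping a URL, else None."""
    value = value.strip().replace("-", "+").replace("_", "/")
    if len(value) < 8:
        return None
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if URL_RE.match(text) else None


def analyse_link(link: str) -> dict:
    """Surface the hidden next hop and any leaked email address in a redirect-style link."""
    parsed = urlparse(link)
    findings = {"redirector_host": parsed.hostname, "email": None,
                "next_hop": None, "next_host": None, "cross_domain": False}
    for _key, raw in parse_qsl(parsed.query, keep_blank_values=True):
        if "@" in raw and findings["email"] is None:
            findings["email"] = raw
        decoded = decode_b64_url(raw)
        if decoded and findings["next_hop"] is None:
            findings["next_hop"] = decoded
            findings["next_host"] = urlparse(decoded).hostname
    # A decoded next hop on a different domain is the open-redirect pattern worth alerting on.
    findings["cross_domain"] = bool(findings["next_host"]) and findings["next_host"] != findings["redirector_host"]
    return findings


if __name__ == "__main__":
    print(analyse_link(SAMPLE_LINK))
```

The same check can be run over links extracted from mail-gateway or proxy logs to flag redirectors that carry both a recipient address and an encoded cross-domain destination.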

It is evident that multi-factor authentication, used alone, cannot prevent sophisticated phishing attacks of this kind. Users need to review URLs carefully before entering their personal data or credentials, and should refrain from opening unknown attachments.

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.