Global analysis of Adversary-in-the-Middle phishing threats

Adversary-in-the-Middle (AitM) phishing attacks increasingly target Microsoft 365 and Google accounts, leveraging sophisticated phishing kits offered as Phishing-as-a-Service (PhaaS). These kits harvest session cookies to bypass multi-factor authentication, facilitating financial fraud and Business Email Compromise (BEC) attacks. #Tycoon2FA #Storm1167 #EvilProxy #SekoiaTDR

Keypoints

  • Since 2023, Sekoia’s Threat Detection & Research (TDR) team has actively monitored AitM phishing threats, developing detection rules and tracking adversary infrastructure.
  • The most widespread AitM phishing kits identified from January to April 2025 include Tycoon 2FA, Storm-1167, NakedPages, Sneaky 2FA, EvilProxy, and Evilginx.
  • Threat actors have evolved tactics by transitioning from QR code-based phishing lures to HTML and SVG attachments for link distribution.
  • Phishing-as-a-Service (PhaaS) platforms provide affordable, turnkey AitM phishing kits with features like anti-bot measures and centralised management, enabling low-skill cybercriminals.
  • AitM phishing campaigns primarily target corporate roles involved in financial operations using social engineering tactics like impersonation and urgency to trick victims.
  • Phishing kits commonly use reverse proxies or synchronous relay servers to intercept credentials and session cookies, enabling unauthorized access without triggering MFA.
  • The report offers technical details, detection opportunities, and tracking information on 11 prominent AitM phishing kits, aiding cybersecurity analysts and defenders.

MITRE Techniques

  • [T1539] Steal Web Session Cookie – The AitM relay forwards the victim's credentials and MFA response to the legitimate identity provider and captures the session cookie it returns; the attacker then replays that cookie ([T1550.004] Use Alternate Authentication Material: Web Session Cookie) to sign in without triggering MFA (‘…AitM phishing servers relay user inputs… while intercepting the returned session cookie…’).
  • [T1566.002] Phishing: Spearphishing Link – Campaigns deliver links to the AitM page via QR codes and, more recently, HTML and SVG attachments ([T1566.001] Spearphishing Attachment) as part of targeted phishing operations (‘…embedding QR codes within documents to redirect users to AitM phishing pages…’).
  • [T1204] User Execution – Social engineering tactics prompt victims to open malicious attachments or click on phishing links through impersonation and urgency (‘…emails spoof trusted entities and invoke urgency or confidentiality to trick victims…’).
  • [T1557] Adversary-in-the-Middle – A reverse proxy sits between the victim and the real login page over HTTPS, relaying traffic and capturing credentials and cookies; lures often reach it through open redirects on legitimate domains (‘…reverse proxy server acts as intermediary relaying traffic and capturing user data… exploiting open redirect vulnerabilities…’).
  • [T1098.005] Account Manipulation: Device Registration – Post-compromise, attackers register their own MFA method on the account to maintain long-term access (‘…attackers add their own 2FA method after compromising the account to maintain access…’).
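The two telemetry signals these techniques leave behind, the session cookie being reused from a network other than the one that completed MFA, and an MFA method being added shortly afterwards from that same network, can be checked with a small detection script. The following is an added example written for this summary, not code from Sekoia's report; the SignIn and Audit records, their field names, and the sample events are constructed simplifications of identity-provider sign-in and audit logs, and the ASN values are placeholders.

```python
"""Detect AitM session-cookie replay and follow-on MFA enrolment in sign-in telemetry.

Added example; not code from Sekoia's report. Record layouts and field names are
assumptions loosely modelled on identity-provider sign-in/audit logs, and all
sample events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # identifier tied to the session cookie / refresh token
    ip: str
    asn: str
    mfa: str          # "prompt": MFA completed interactively; "prior": satisfied by an existing session


@dataclass(frozen=True)
class Audit:
    ts: datetime
    user: str
    action: str       # e.g. "mfa_method_added"
    ip: str
    asn: str


def detect_cookie_replay(signins, window=timedelta(hours=24)):
    """Flag a sign-in that reuses an MFA-satisfied session from a different ASN than
    the interactive sign-in that created it. In an AitM attack the relay server submits
    the victim's credentials and MFA code, so the "prompt" event carries the relay's
    network, and the captured cookie is then replayed from the attacker's own host."""
    origin = {}   # session_id -> SignIn that completed MFA interactively
    alerts = []
    for s in sorted(signins, key=lambda e: e.ts):
        if s.mfa == "prompt":
            origin[s.session_id] = s
            continue
        first = origin.get(s.session_id)
        if first is None or first.user != s.user:
            continue
        if s.asn != first.asn and s.ts - first.ts <= window:
            alerts.append({
                "rule": "session_cookie_replay",
                "user": s.user,
                "session_id": s.session_id,
                "mfa_asn": first.asn,
                "replay_asn": s.asn,
                "ts": s.ts,
            })
    return alerts


def detect_mfa_enrolment_after_replay(alerts, audits, window=timedelta(hours=48)):
    """Flag MFA-method registration from the replaying ASN shortly after a replay alert
    for the same user: the persistence step mapped to ATT&CK T1098.005."""
    hits = []
    for a in audits:
        if a.action != "mfa_method_added":
            continue
        for al in alerts:
            delta = a.ts - al["ts"]
            if (a.user == al["user"] and a.asn == al["replay_asn"]
                    and timedelta(0) <= delta <= window):
                hits.append({"rule": "mfa_enrolment_after_replay", "user": a.user,
                             "asn": a.asn, "ts": a.ts})
    return hits


# Constructed sample telemetry (RFC 5737 test addresses, placeholder ASNs).
T0 = datetime(2025, 3, 10, 9, 0)
SAMPLE_SIGNINS = [
    # alice: MFA from the corporate network, session reused an hour later from the same ASN (benign)
    SignIn(T0, "alice@example.com", "sess-a1", "203.0.113.10", "AS64500", "prompt"),
    SignIn(T0 + timedelta(hours=1), "alice@example.com", "sess-a1", "203.0.113.10", "AS64500", "prior"),
    # bob: credentials + MFA relayed by the phishing server, cookie replayed 20 min later elsewhere
    SignIn(T0 + timedelta(hours=2), "bob@example.com", "sess-b7", "198.51.100.5", "AS64501", "prompt"),
    SignIn(T0 + timedelta(hours=2, minutes=20), "bob@example.com", "sess-b7", "192.0.2.77", "AS64502", "prior"),
]
SAMPLE_AUDITS = [
    Audit(T0 + timedelta(hours=3), "bob@example.com", "mfa_method_added", "192.0.2.77", "AS64502"),
    Audit(T0 + timedelta(hours=5), "alice@example.com", "password_changed", "203.0.113.10", "AS64500"),
]


def run_sample():
    replays = detect_cookie_replay(SAMPLE_SIGNINS)
    enrolments = detect_mfa_enrolment_after_replay(replays, SAMPLE_AUDITS)
    return replays, enrolments


if __name__ == "__main__":
    for alert in (a for group in run_sample() for a in group):
        print(alert)
```

On real logs the ASN join needs an IP-to-ASN lookup, and the "prompt"/"prior" flag has to be derived from whichever field the identity provider uses to say whether MFA was performed or already satisfied by a token. A complementary rule, not implemented above, is to flag the interactive MFA sign-in itself when it originates from a hosting-provider ASN the user has never used, since in a reverse-proxy attack that event is the relay server's own footprint.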

Indicators of Compromise

  • [Domain Names] Hosting phishing pages and infrastructure – Numerous domains registered daily for Tycoon 2FA and Storm-1167 infrastructure, often fronted by Cloudflare.
  • [File Hashes] Malicious attachments – PDF, SVG, and HTML files embedding QR codes or JavaScript to redirect users to phishing sites, examples include malicious SVG attachments observed since late 2024.
  • [URLs] Redirect links – URLs exploiting open redirect vulnerabilities within legitimate domains to funnel victims to phishing pages.
  • [IP Addresses] Servers – IPs of phishing infrastructure that relay victims' logins to legitimate authentication endpoints such as Microsoft's, so the relay, not the victim, appears as the source of the sign-in.
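Because the attachments listed above carry a link rather than a payload, a static triage pass over inbound HTML and SVG files catches most of them before any URL is followed. The script below is an added example written for this summary, not code from Sekoia's report; the indicator names, the regexes and the three sample attachments are constructed, and decoding QR codes inside PDFs or images is left out of scope.

```python
"""Static triage of HTML/SVG e-mail attachments used as AitM link carriers.

Added example; not code from Sekoia's report. Indicator names and the sample
attachments are constructed. PDF/QR-code decoding is out of scope.
"""
import re
import xml.etree.ElementTree as ET

# Script-level behaviours that turn a "document" into a redirector.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()", re.I)
OBFUSCATION = re.compile(r"\b(?:atob|unescape|String\.fromCharCode|eval)\s*\(", re.I)
META_REFRESH = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)
EVENT_ATTR = re.compile(r"^on[a-z]+$")
EXTERNAL_URL = re.compile(r"^https?://", re.I)


def _local(qname: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Walk the SVG tree: scripts, event handlers, javascript: URIs and foreignObject
    have no business in an 'invoice' image."""
    findings = set()
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["svg:unparseable"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.add("svg:script-element")
            body = el.text or ""
            if OBFUSCATION.search(body):
                findings.add("svg:obfuscated-script")
            if JS_REDIRECT.search(body):
                findings.add("svg:js-redirect")
        elif tag == "foreignobject":
            findings.add("svg:foreignObject")   # HTML smuggled inside the image
        for attr, value in el.attrib.items():
            name = _local(attr)          # handles xlink:href as well as href
            v = value.strip()
            if EVENT_ATTR.match(name):
                findings.add(f"svg:event-handler:{name}")
            elif name == "href" and v.lower().startswith("javascript:"):
                findings.add("svg:javascript-uri")
            elif name == "href" and EXTERNAL_URL.match(v):
                findings.add("svg:external-link")
    return sorted(findings)


def scan_html(data: bytes) -> list:
    """Regex triage of an HTML attachment; good enough to separate lures from newsletters."""
    text = data.decode("utf-8", errors="replace")
    findings = set()
    if re.search(r"<script\b", text, re.I):
        findings.add("html:script")
    if META_REFRESH.search(text):
        findings.add("html:meta-refresh")
    if JS_REDIRECT.search(text):
        findings.add("html:js-redirect")
    if OBFUSCATION.search(text):
        findings.add("html:obfuscated-script")
    if re.search(r"<iframe\b", text, re.I):
        findings.add("html:iframe")
    return sorted(findings)


def scan_attachment(filename: str, data: bytes) -> list:
    """Dispatch on extension but fall back to content sniffing, since kits rename files."""
    ext = filename.lower().rsplit(".", 1)[-1]
    head = data[:2048].lower()
    if ext == "svg" or b"<svg" in head:
        return scan_svg(data)
    if ext in ("html", "htm", "shtml") or b"<html" in head or b"<script" in head:
        return scan_html(data)
    return []


# Constructed samples. The base64 string is a placeholder, not a real lure URL.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
LURE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
            b'<script><![CDATA[function init(){ window.location = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv"); }]]></script>'
            b'<text x="10" y="20">Loading secure document...</text></svg>')
LURE_HTML = (b'<html><head><meta http-equiv="refresh" content="0;url=https://login.example.invalid/"></head>'
             b'<body><script>document.location.href = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");</script></body></html>')

if __name__ == "__main__":
    for name, blob in (("chart.svg", BENIGN_SVG), ("invoice.svg", LURE_SVG), ("payment.html", LURE_HTML)):
        print(name, scan_attachment(name, blob))
```

Any non-empty result on an SVG is worth quarantining outright; for HTML, a meta refresh or an obfuscated redirect with no other content is the usual signature of the attachment-as-link-carrier pattern described in the keypoints.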


Read more: https://blog.sekoia.io/global-analysis-of-adversary-in-the-middle-phishing-threats/