Cofense Intelligence Strategic Analysis Report | Cofense

Cofense Intelligence analyzes credential phishing that uses man-in-the-middle (MiTM) attacks to proxy authentication between users and destinations, enabling harvesting of usernames, passwords, and session cookies and potentially bypassing MFA. The report notes rising MiTM activity, heavy targeting of Office 365 login flows, frequent URL redirects, and the availability of open-source MiTM tools. #evilginx2 #CipherGinx #Muraena #Office365 #login.microsoftonline.com #CofenseIntelligence

Key Points

  • MiTM credential phishing is increasing: the volume reaching inboxes rose 35% from Q1 2022 to Q1 2023.
  • 94% of MiTM credential-phishing attacks reaching inboxes targeted O365 authentication.
  • 89% of campaigns used at least one URL redirect, and 55% used two or more redirects.
  • Most MiTM landing pages aim to intercept Office 365 credentials, with Outlook and Amazon as top targets.
  • Campaigns typically embed malicious URLs in the email body rather than attachments, often using multiple redirects to reach the MiTM URL.
  • Open-source tools like evilginx2, CipherGinx, and Muraena could provide MiTM capabilities to threat actors.
  • The report highlights detection markers to help defenders identify MiTM pages and protect organizations.

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing Link – Campaigns embed the malicious URL in the email body rather than in an attachment, and that URL usually passes through one or more redirects before reaching the server that actually performs the man-in-the-middle attack. ‘The majority of campaigns observed have a malicious URL embedded in the body of the email rather than in an attachment. Very few of the embedded URLs address themselves to the man-in-the-middle server itself. Instead, most pass through one or more URL redirects before reaching the final MiTM URL.’
  • [T1036] Masquerading – The MiTM server presents a valid TLS certificate for its own domain, so the victim's browser shows an encrypted, trusted connection while the server relays traffic to the real site. ‘To help disguise itself within the authentication process, the man-in-the-middle server will use a valid certificate to authenticate its own identity and allow encrypted traffic between itself and the user.’
  • [T1078] Valid Accounts – The harvested usernames, passwords, and session cookies are used to sign in to the victim's account, even where MFA is enabled. ‘use the harvested usernames, passwords, and session cookies to gain access to a victim’s account and even bypass multi-factor authentication.’
  • [T1539] Steal Web Session Cookie – After obtaining the session cookie, the attacker can impersonate the user on the destination site. ‘Once the attacker has the session cookie, they can use it to interact with the website as if they were the user. This session cookie allows them to bypass usernames, passwords, and even the multi-factor authentication steps.’
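The detection marker the techniques above imply is a redirect chain that ends at a page carrying the Office 365 sign-in content but served from a host that is not Microsoft's. The following is an added example (not Cofense's code or any of the named tools): it walks a constructed, offline set of HTTP hops, counts redirects, and flags the final page when it looks like the proxied login.microsoftonline.com form but is hosted elsewhere. The legitimate-host list, the content markers, and all hostnames are assumptions for illustration.

```python
from urllib.parse import urljoin, urlparse

# Assumption: the detector knows only the sign-in host the report names;
# a real deployment would list every identity provider the organization uses.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com"}
# Illustrative markers of an Office 365 sign-in page relayed through a proxy
# (assumed for this example, not taken from the report).
O365_MARKERS = ("login.microsoftonline.com", "loginfmt", "Sign in to your account")
MAX_HOPS = 10  # guard against redirect loops


def follow_chain(hops, start):
    """Walk constructed hops: hops maps url -> (status, location_or_body).
    Returns (final_url, redirect_count, body)."""
    url, redirects = start, 0
    for _ in range(MAX_HOPS):
        status, payload = hops[url]
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, payload)  # Location may be relative
            redirects += 1
            continue
        return url, redirects, payload
    raise ValueError("redirect loop or chain longer than MAX_HOPS")


def is_legit_host(host):
    return host in LEGIT_LOGIN_HOSTS or any(host.endswith("." + h) for h in LEGIT_LOGIN_HOSTS)


def assess(hops, start):
    """Flag a chain whose final page looks like O365 sign-in but is not served by Microsoft."""
    final_url, redirects, body = follow_chain(hops, start)
    host = (urlparse(final_url).hostname or "").lower()
    lookalike = any(m in body for m in O365_MARKERS) and not is_legit_host(host)
    return {"final_host": host, "redirects": redirects, "suspect_mitm": lookalike}


# Constructed sample chains; hostnames are placeholders, not real indicators.
LOGIN_HTML = '<title>Sign in to your account</title><input name="loginfmt">'
MITM_CHAIN = {
    "https://tracker.example.test/r?u=1": (302, "https://shortlink.example.test/abc"),
    "https://shortlink.example.test/abc": (302, "/go/2"),
    "https://shortlink.example.test/go/2": (302, "https://mitm-proxy.example.test/common/oauth2"),
    "https://mitm-proxy.example.test/common/oauth2": (200, LOGIN_HTML),
}
BENIGN_CHAIN = {
    "https://mail.example.test/link": (302, "https://login.microsoftonline.com/common/oauth2"),
    "https://login.microsoftonline.com/common/oauth2": (200, LOGIN_HTML),
}

if __name__ == "__main__":
    print(assess(MITM_CHAIN, "https://tracker.example.test/r?u=1"))
    print(assess(BENIGN_CHAIN, "https://mail.example.test/link"))
```

The redirect count is reported alongside the verdict so it can feed a score; the report's figures (89% of campaigns used at least one redirect, 55% two or more) make chain depth a useful secondary signal rather than a verdict on its own.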

Indicators of Compromise

  • [Domain] login.microsoftonline.com – the legitimate Office 365 sign-in endpoint that MiTM servers proxy; it is the destination being impersonated, not a malicious indicator on its own.
  • [Tool] evilginx2, CipherGinx, Muraena – open-source MiTM frameworks that could give threat actors credential- and session-cookie-harvesting capability.

Read more: https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/