DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit | Microsoft Security Blog

Microsoft Threat Intelligence tracks DEV-1101 (now Storm-1101) for developing and promoting an open-source AiTM phishing kit that enables high-volume campaigns and MFA bypass via reverse-proxy session hijacking. The post details the tool, its campaign workflows, pricing, and defensive guidance to detect and mitigate AiTM phishing threats targeting cloud apps like Microsoft 365 and Okta.

Keypoints

  • DEV-1101 offers an open-source AiTM phishing kit that automates setting up and launching phishing activity, lowering entry barriers for attackers.
  • The kit supports campaign management from mobile devices via Telegram bots and includes anti-bot/CAPTCHA evasion features to defeat automated defenses.
  • Pricing for the tool escalated with growth: regular licenses at $300 and VIP licenses at $1,000, with legacy licenses at $200 before 2023.
  • Microsoft observed high-volume AiTM campaigns from DEV-1101’s patrons, including DEV-0928, with campaigns comprising millions of emails.
  • The phishing sequence uses malicious links and redirects, including benign redirects (default domain example.com) that can be customized by actors.
  • AiTM can capture user credentials and, if MFA is enabled, bypass MFA by exploiting the stolen session cookie.
  • Detection and defense guidance emphasize MFA, conditional access, anti-phishing solutions, and cross-domain Defender alerts to detect AiTM activity.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – An initial phishing message with a malicious link leads to the next step in the sequence. ‘An initial phishing message from a campaign launched by DEV-0928 using the DEV-1101 phishing kit. Clicking the Open button in the email leads to the next step in the sequence.’
  • [T1021] Remote Services – The kit can manage campaigns from mobile devices via Telegram bots, enabling attackers to control phishing activity remotely. ‘The kit would be open source with a $100 monthly licensing fee… management of phishing activity through Telegram bots.’
  • [T1539] Steal Web Session Cookie – As the victim authenticates through the proxy, the AiTM setup captures the resulting session cookie, which can then be replayed to bypass MFA. ‘as the user completes an MFA sign-in, the server captures the resulting session cookie. The attacker can then bypass MFA with the session cookie and the user’s stolen credentials.’
  • [T1071.001] Web Protocols – The AiTM reverse-proxy operates as a mediator between users and their sign-in services, facilitating credential capture via web protocols. ‘The attacker’s server captures credentials entered by the user. If the user has MFA enabled, the AiTM kit continues to function as a proxy between the user and the user’s sign-in service…’
  • [T1036] Masquerading – Redirect behavior uses a default or attacker-defined redirection domain to masquerade as legitimate flow. ‘The default redirection domain defined in the source code is example.com; however, any actor using the kit may define a different redirection domain.’
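The T1539 and T1071.001 entries above describe the mechanism: the reverse proxy relays the victim's MFA sign-in, so the identity provider sees the proxy rather than the user's device, and the captured cookie is then replayed from attacker infrastructure. The following added example (not code from the Microsoft post or from the DEV-1101 kit) sketches a defender-side heuristic over constructed sign-in telemetry; the event layout, field names and sample IPs are assumptions made for this example.

```python
"""Flag likely AiTM session-cookie hijacks in constructed sign-in telemetry.

Added example, not code from the Microsoft post or from the DEV-1101 kit.
Two defender signals are checked:
  1. the MFA sign-in arrived from an IP outside the user's baseline (with
     AiTM, the proxy, not the user's own device, is what the IdP sees), and
  2. the same session identifier is used from yet another IP shortly after.
Event layout and field names are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed sample data: user -> IPs seen in recent, unremarkable sign-ins.
KNOWN_IPS = {"alice": {"192.0.2.20"}, "bob": {"192.0.2.5"}}

# Constructed events: (ISO timestamp, user, session_id, source_ip, event_type)
SAMPLE_EVENTS = [
    ("2023-03-13T09:00:00", "alice", "sess-A1", "198.51.100.10", "mfa_success"),
    ("2023-03-13T09:00:40", "alice", "sess-A1", "203.0.113.77", "token_use"),
    ("2023-03-13T09:05:00", "bob", "sess-B2", "192.0.2.5", "mfa_success"),
    ("2023-03-13T09:06:00", "bob", "sess-B2", "192.0.2.5", "token_use"),
]


def find_suspected_hijacks(events, known_ips, window=timedelta(minutes=30)):
    """Return one finding per session that trips either heuristic.

    A finding is (user, session_id, signals); signals lists which rule fired
    so an analyst can weigh a single weak signal against both together.
    """
    mfa_origin = {}  # session_id -> (sign-in time, user, sign-in IP)
    findings = {}
    for ts, user, sid, ip, kind in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "mfa_success":
            mfa_origin[sid] = (t, user, ip)
            if ip not in known_ips.get(user, set()):
                findings.setdefault((user, sid), []).append("mfa_from_unfamiliar_ip")
        elif kind == "token_use" and sid in mfa_origin:
            t0, u0, ip0 = mfa_origin[sid]
            # Cookie presented from a different client than the one that
            # completed MFA, inside the window: classic replay pattern.
            if ip != ip0 and t - t0 <= window:
                findings.setdefault((u0, sid), []).append("cookie_reused_from_new_ip")
    return [(u, s, sig) for (u, s), sig in findings.items()]
```

Both signals firing on one session is the pattern worth alerting on; an unfamiliar IP alone is common for travelling users.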

Indicators of Compromise

  • [Domain] o365987656898087.xyz – redirect domain used in malicious phishing links described in the sequence
  • [Domain] example.com – default redirection domain defined in source code, customizable by actors

Read more: https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/