Increase in Adversary-in-the-Middle Phishing Attacks 

eSentire reports a rise in Adversary-in-the-Middle (AitM) phishing campaigns starting mid-September 2023, in which attackers lure users via malicious links or QR codes to attacker-controlled proxy pages that capture credentials and session tokens, bypassing MFA and enabling Business Email Compromise (BEC). Early detection of anomalous sign-ins and of the attacker's infrastructure has limited follow-on activity in the observed cases, and the recommended mitigations focus on logging, user training, and conditional access. #Adversary-in-the-Middle #BEC #AzureAD #Office365 #QRCode #Namecheap #BLNetworks #CacheNetworks

Keypoints

  • Increase in Adversary-in-the-Middle (AitM) phishing attacks observed since mid-September 2023.
  • Attackers proxy the victim's login session through attacker-controlled infrastructure, relaying the credentials and MFA code to the legitimate service and capturing the resulting session cookie, which grants account access without a further MFA prompt.
  • Stolen credentials and tokens are used to conduct Business Email Compromise (BEC) attacks.
  • Early detection of anomalous sign-ins and attacker infrastructure helped limit follow-on activity.
  • Recommended mitigations include enabling Azure AD/Office365 logging, training users on AitM phishing and QR code abuse, and conditional access controls that restrict access by device and IP and shorten session lifetimes (limiting how long a stolen token stays usable).
  • If impacted, reset credentials, revoke all active sessions and refresh tokens, remove any MFA methods the attacker registered, and review inbox rules and indicators of data exfiltration.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Attackers lure users with emails that pressure them to interact immediately with a link or QR code; ‘The initial email generally pressures the user to immediately interact with a link or QR code.’
  • [T1539] Steal Web Session Cookie – Tokens are captured and replayed to gain access with a limited footprint; ‘they capture and replay stolen session tokens, leaving a limited footprint in the environment.’
  • [T1078] Valid Accounts – Once access is gained, actors add devices for MFA to maintain persistent access; ‘Threat actors have also been identified using established access to add a new device for MFA authentication, allowing them persistent access to the victim account.’
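To make the detection and response keypoints and the three techniques above concrete, here is an added triage script written for this summary; it is example code, not eSentire's tooling. It runs over constructed sign-in and audit records whose field names are assumptions loosely modeled on the Microsoft Graph signIn and directoryAudit objects (map them to your own log export), uses only the two IoC addresses reproduced on this page (the advisory lists more), and flags a sign-in that looks like a replayed session cookie (T1539), an MFA method registration by an already-suspect user or from IoC infrastructure (T1078), and inbox rules with the delete/forward/throwaway-name pattern that the response step says to review. The audit activity names are also assumptions.

```python
"""Triage of Azure AD / Office 365 logs for AitM follow-on activity.

Added example for this summary, not eSentire's tooling. Record shapes below are
constructed and their field names are assumptions loosely modeled on the Microsoft
Graph signIn / directoryAudit objects; adapt them to your own log export.
"""
from datetime import datetime, timedelta

# Only the two IoC addresses reproduced on this page; the advisory lists more.
IOC_IPS = {"63.250.38.127", "162.255.118.206"}
# Audit activity names are assumptions; match them to your tenant's audit log.
MFA_REGISTRATION = {"User registered security info", "Admin registered security info"}
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that hide or divert mail, the usual BEC inbox-rule pattern.
RISKY_RULE_KEYS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ioc_signins(signins):
    """Sign-ins sourced from infrastructure in the advisory's IoC list."""
    return [s for s in signins if s["ip"] in IOC_IPS]


def replay_candidates(signins, window=timedelta(minutes=30)):
    """Heuristic for a replayed session cookie (T1539): the same user reappears
    from a different IP within `window` of an MFA-backed sign-in, and the new
    sign-in did not itself complete MFA (the stolen token already carries it)."""
    hits, last = [], {}
    for s in sorted(signins, key=lambda r: r["time"]):
        prev = last.get(s["user"])
        if (prev and prev["mfa"] and not s["mfa"] and s["ip"] != prev["ip"]
                and _ts(s["time"]) - _ts(prev["time"]) <= window):
            hits.append(s)
        last[s["user"]] = s
    return hits


def persistence_events(audits, suspect_users):
    """New MFA method registered by an already-suspect user or from an IoC IP (T1078)."""
    return [a for a in audits if a["activity"] in MFA_REGISTRATION
            and (a["user"] in suspect_users or a["ip"] in IOC_IPS)]


def risky_inbox_rules(audits):
    """Inbox rules that delete, forward or redirect mail, or carry a throwaway
    one-character name; both are common in BEC inbox tampering."""
    out = []
    for a in audits:
        if a["activity"] not in INBOX_RULE_OPS:
            continue
        params = a.get("params", {})
        if RISKY_RULE_KEYS & set(params) or len(params.get("Name", "")) <= 1:
            out.append(a)
    return out


def triage(signins, audits):
    """Return {user: [finding, ...]}; a non-empty list is the trigger for the
    response steps (reset credentials, revoke sessions, remove MFA methods, review rules)."""
    findings = {}

    def add(user, msg):
        findings.setdefault(user, []).append(msg)

    for s in ioc_signins(signins):
        add(s["user"], f"sign-in from IoC IP {s['ip']} at {s['time']}")
    for s in replay_candidates(signins):
        add(s["user"], f"possible session replay from {s['ip']} at {s['time']}")
    for a in persistence_events(audits, set(findings)):
        add(a["user"], f"MFA method registered from {a['ip']} at {a['time']}")
    for a in risky_inbox_rules(audits):
        add(a["user"], f"{a['activity']} {a.get('params')} at {a['time']}")
    return findings


# Constructed sample data: alice's session is replayed from an IoC IP, then the
# attacker enrols an MFA method and plants a delete-on-arrival rule; bob is benign.
SIGNINS = [
    {"time": "2023-09-20T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": True},
    {"time": "2023-09-20T08:14:50Z", "user": "alice@example.com", "ip": "63.250.38.127", "mfa": False},
    {"time": "2023-09-20T09:00:00Z", "user": "bob@example.com", "ip": "198.51.100.5", "mfa": True},
]
AUDITS = [
    {"time": "2023-09-20T08:20:03Z", "user": "alice@example.com", "ip": "63.250.38.127",
     "activity": "User registered security info"},
    {"time": "2023-09-20T08:25:40Z", "user": "alice@example.com", "ip": "63.250.38.127",
     "activity": "New-InboxRule",
     "params": {"Name": ".", "DeleteMessage": "True", "SubjectContainsWords": "invoice"}},
    {"time": "2023-09-20T10:00:00Z", "user": "bob@example.com", "ip": "198.51.100.5",
     "activity": "Set-InboxRule", "params": {"Name": "Newsletters", "MoveToFolder": "News"}},
]

if __name__ == "__main__":
    for user, items in triage(SIGNINS, AUDITS).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run against real exports, the `mfa` flag should be derived from the sign-in's authentication detail (whether MFA was freshly performed rather than satisfied by a claim in the token), since a replayed cookie is precisely the case where the service reports MFA as satisfied without a prompt. The replay window this heuristic relies on is also what the conditional access mitigation shrinks: shorter session lifetimes give the attacker less time to use the stolen token before it expires.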

Indicators of Compromise

  • [IP Address] Indicators of Compromise observed in the recent AitM campaign – 63[.]250[.]38[.]127, 162[.]255[.]118[.]206, and 4 more IPs

Read more: https://www.esentire.com/security-advisories/increase-in-adversary-in-the-middle-phishing-attacks