A report from the Microsoft Defender Experts reveals a new multi-stage adversary-in-the-middle (AiTM) phishing attack combined with a business email compromise (BEC) attack targeting banking and financial institutions. The complex attack abuses trusted relationships between vendors, suppliers and other organizations involved in financial transactions.
Stage one: launching an AiTM phishing attack. AiTM attacks are operations in which a bad actor intercepts and modifies communications between two parties, typically a user and a legitimate authentication service, to steal sensitive or financial information such as login credentials and credit card data. The technique can also be used to bypass multifactor authentication by stealing users’ session cookies.
While previous AiTM attacks generally used reverse proxy techniques to relay the traffic between the user and the authentication service, this time the attackers used an indirect proxy method. The technique differs in that the attacker controls everything directly from a phishing website that mimics the sign-in page of the targeted service; the phishing site itself handles all communication with the target service, including the authentication requests.
The user is enticed to visit the phishing page, enter their credentials and complete the additional MFA step, which is a fake MFA prompt served directly by the attackers. In the background, straight from the phishing server, the attacker initiates a sign-in to the targeted service and enters the user’s valid credentials and then the MFA information. The user is redirected to another page at that moment, while the attacker receives a valid session cookie that impersonates the user.
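Because the real sign-in in this scheme is performed by the phishing server rather than the victim's device, the MFA-satisfied sign-in appears in the identity provider's log from an address the user has never used, and the stolen session cookie is then often replayed from yet another address. The following added detection sketch (not code from the report or from Microsoft) runs over a constructed sign-in log and flags both signals; field names and the 30-minute reuse window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in log (not data from the report). Alice's earlier
# sign-ins come from her office address; the final pair shows an MFA-satisfied
# sign-in from an address never seen for her, followed minutes later by the same
# session cookie used from a second unfamiliar address, which is how a session
# minted by an indirect-proxy AiTM page tends to look in the sign-in log.
# "mfa": False marks a non-interactive access that presented an existing session cookie.
SAMPLE_LOG = [
    {"ts": "2023-05-20T08:55:00", "user": "alice", "ip": "203.0.113.10", "session": "S1", "mfa": True},
    {"ts": "2023-05-28T09:02:00", "user": "alice", "ip": "203.0.113.10", "session": "S2", "mfa": True},
    {"ts": "2023-06-01T09:00:00", "user": "alice", "ip": "198.51.100.77", "session": "S3", "mfa": True},
    {"ts": "2023-06-01T09:06:00", "user": "alice", "ip": "192.0.2.45", "session": "S3", "mfa": False},
    {"ts": "2023-06-01T10:00:00", "user": "bob", "ip": "203.0.113.11", "session": "S4", "mfa": True},
]


def find_suspicious_sessions(log, reuse_window=timedelta(minutes=30)):
    """Flag MFA sign-ins from an IP never seen for that user, and escalate when the
    resulting session cookie is presented from a different IP within reuse_window."""
    seen_ips = {}        # user -> set of IPs from earlier MFA sign-ins (per-user baseline)
    session_origin = {}  # session -> (timestamp, ip) of the sign-in that minted it
    alerts = []
    for e in sorted(log, key=lambda r: r["ts"]):
        t = datetime.fromisoformat(e["ts"])
        known = seen_ips.setdefault(e["user"], set())
        if e["mfa"]:
            # Only alert once a baseline exists; a user's first sign-in has nothing to compare against.
            if known and e["ip"] not in known:
                alerts.append({"user": e["user"], "session": e["session"],
                               "reason": "mfa_signin_from_unfamiliar_ip", "ip": e["ip"]})
            session_origin[e["session"]] = (t, e["ip"])
            known.add(e["ip"])
        else:
            origin = session_origin.get(e["session"])
            # Same cookie, different source address, shortly after issue: likely replayed session.
            if origin and e["ip"] != origin[1] and t - origin[0] <= reuse_window:
                alerts.append({"user": e["user"], "session": e["session"],
                               "reason": "session_cookie_reused_from_second_ip", "ip": e["ip"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_sessions(SAMPLE_LOG):
        print(a)
```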