Published in News

Microsoft warns of phishing campaign

14 July 2022

10,000 organisations hit since September

Software King of the World, Microsoft has warned about a widespread phishing campaign that has hit more than 10,000 organisations since September 2021.

The method uses adversary-in-the-middle (AiTM) proxy sites to get around multifactor authentication (MFA) features and steal credentials that are then used to compromise business email accounts.

With AiTM phishing, cybercriminals place a proxy server between the targeted user and the website they are trying to visit. The proxy lets the miscreants intercept and steal the user's password and session cookie; web services issue that cookie after initial authentication so the user does not have to keep re-authenticating as they move through the site during the session.

Microsoft said that with the stolen session cookie, the attacker gains access to the authenticated session on the user's behalf.

Once the attacker has the stolen credentials and session cookies, they can access the victim's email boxes and run a business email compromise (BEC) campaign, in this case payment fraud.
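Because the victim really does complete MFA (through the proxy), the sign-in itself looks legitimate; the detectable oddity is that the resulting session cookie is then replayed from a second network location, followed by mailbox actions such as new inbox rules. The following is an added illustration, not Microsoft's code or detection logic: it runs over a handful of constructed, hypothetical sign-in and mailbox activity records (the field names `ts`, `user`, `session`, `ip` and `event` are assumed, not any vendor's schema) and flags sessions whose cookie is used from an IP other than the one that passed MFA.

```python
"""Flag session-cookie reuse from a second network location.

Added example for this article; not Microsoft's code. The event records,
field names and IP addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (hypothetical; documentation-range IPs).
# Session "s-1" passes MFA from one IP and is then used from another,
# which is what a stolen session cookie looks like in the logs.
SAMPLE_EVENTS = [
    {"ts": "2022-07-14T08:00:00", "user": "alice@example.test", "session": "s-1",
     "ip": "203.0.113.10", "event": "mfa_success"},
    {"ts": "2022-07-14T08:01:30", "user": "alice@example.test", "session": "s-1",
     "ip": "203.0.113.10", "event": "mailbox_read"},
    {"ts": "2022-07-14T08:05:00", "user": "alice@example.test", "session": "s-1",
     "ip": "198.51.100.77", "event": "mailbox_read"},
    {"ts": "2022-07-14T08:06:00", "user": "alice@example.test", "session": "s-1",
     "ip": "198.51.100.77", "event": "inbox_rule_created"},
    {"ts": "2022-07-14T09:00:00", "user": "bob@example.test", "session": "s-2",
     "ip": "203.0.113.20", "event": "mfa_success"},
    {"ts": "2022-07-14T09:10:00", "user": "bob@example.test", "session": "s-2",
     "ip": "203.0.113.20", "event": "mailbox_read"},
]

# Mailbox actions that are typical follow-on steps once a session is hijacked.
FOLLOW_ON_EVENTS = {"inbox_rule_created", "mailbox_read", "message_sent"}


def _parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def find_session_hijacks(events):
    """Return one alert per event that uses a session from an IP other than
    the IP that completed MFA for that session.

    Sessions without an observed MFA success are skipped: there is no
    baseline IP to compare against.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: _parse_ts(e["ts"]))
        auth = next((e for e in session_events if e["event"] == "mfa_success"), None)
        if auth is None:
            continue
        for event in session_events:
            if event["ip"] != auth["ip"]:
                alerts.append({
                    "session": session_id,
                    "user": event["user"],
                    "auth_ip": auth["ip"],
                    "seen_ip": event["ip"],
                    "event": event["event"],
                    "ts": event["ts"],
                })
    return alerts


def summarize(alerts):
    """Group alerts per session: which foreign IPs reused the cookie and
    which follow-on mailbox actions they performed."""
    summary = {}
    for alert in alerts:
        entry = summary.setdefault(alert["session"], {
            "user": alert["user"],
            "auth_ip": alert["auth_ip"],
            "foreign_ips": set(),
            "follow_on": [],
        })
        entry["foreign_ips"].add(alert["seen_ip"])
        if alert["event"] in FOLLOW_ON_EVENTS:
            entry["follow_on"].append(alert["event"])
    # Sets are not ordered; sort for stable output.
    for entry in summary.values():
        entry["foreign_ips"] = sorted(entry["foreign_ips"])
    return summary


if __name__ == "__main__":
    for session_id, entry in summarize(find_session_hijacks(SAMPLE_EVENTS)).items():
        print(f"{session_id}: {entry['user']} authenticated from {entry['auth_ip']}, "
              f"session reused from {entry['foreign_ips']}, "
              f"follow-on actions {entry['follow_on']}")
```

A plain IP comparison is deliberately simple: legitimate users on mobile networks change addresses, so a production rule would compare ASN, country or device identity instead, and would treat inbox-rule creation from the new location as the stronger signal.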

Writing in its blog, the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center said that while AiTM phishing was not new, its investigation allowed it to observe the follow-on activities stemming from the campaign – including cloud-based attack attempts – through cross-domain threat data from Microsoft 365 Defender.

Microsoft researchers said they saw multiple iterations of the AiTM campaign, all targeting Office 365 users by spoofing the Office online authentication page and using the Evilginx2 phishing kit as their infrastructure.

There were similarities in the attackers' activities after the breach, including enumerating sensitive data in the victim's email and running payment fraud schemes.

"Once the target entered their credentials and got authenticated, they were redirected to the legitimate office.com page. However, in the background, the attacker intercepted said credentials and got authenticated on the user's behalf. This allowed the attacker to perform follow-on activities – in this case, payment fraud – from within the organisation," Microsoft wrote.

"As the threat landscape evolves, organisations need to assume breach and understand their network and threat data to gain complete visibility and insight into complex end-to-end attack chains," the Defender Research team added.

Last modified on 14 July 2022