AiTM (adversary-in-the-middle) phishing attacks are attacks in which threat actors place a proxy server between a target user and the website the user intends to reach, serving the real site through a phishing domain.
Because the proxy sits between the destination website and the domain the attackers control, every request and response passes through it. The attackers can read this traffic, which lets them capture the target’s password and session cookies and then access the target’s data.
Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu stated:
The attack chain is made up of several components that are all linked together. As far as the attack vector is concerned, this campaign used e-mails with embedded links that were used to spread the malicious code.
These emails were specifically aimed at the organization’s chief executives and senior members, as well as other targeted individuals.
The email appeared to come from Google, presenting a password expiration reminder and urging the recipient to click a link so that the account could be extended.
The AiTM phishing kit can successfully relay and intercept the multi-factor authentication process used by Gmail or Google Suite.
Besides abusing open redirects, there is an additional variant of the attack that relies on infected websites.
It is evident that multi-factor authentication, used alone, cannot prevent sophisticated phishing attacks. Users need to review URLs carefully before entering their personal data or credentials, and should refrain from opening unknown attachments.
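As an added illustration (not from the Zscaler research or this article), the following toy in-memory model shows the relay described above: the proxy forwards the password and one-time code unchanged, so MFA succeeds and the proxy keeps the resulting session cookie, whereas an assertion bound to the origin the browser actually used (a FIDO-style check, simulated here with an HMAC) is rejected because that origin is the phishing domain. All origins, accounts and keys are constructed placeholders.

```python
import hashlib, hmac, secrets
# Constructed placeholder origins and account, not Google's real hostnames.
REAL_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.phish"
USERS = {"ceo": ("hunter2", "493021", b"device-key")}  # password, OTP, device key

def sign_origin(key, challenge, origin):
    # Toy FIDO-style assertion: the browser signs the origin it is really
    # talking to, with a device key the proxy never sees.
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

class RealSite:
    def __init__(self, users):
        self.users, self.sessions = users, {}   # sessions: cookie -> user
    def _issue(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie
    def login_otp(self, user, password, otp):
        # Nothing in password+OTP says which page the user typed them into.
        pw, code, _ = self.users[user]
        return self._issue(user) if (password, otp) == (pw, code) else None
    def login_bound(self, user, challenge, origin, sig):
        # The origin must be ours and the signature must cover that same origin.
        expected = sign_origin(self.users[user][2], challenge, origin)
        ok = origin == REAL_ORIGIN and hmac.compare_digest(sig, expected)
        return self._issue(user) if ok else None

class AitmProxy:
    # Forwards each login upstream unchanged and keeps any cookie that comes back.
    def __init__(self, upstream):
        self.upstream, self.captured = upstream, []
    def login_otp(self, *args):
        cookie = self.upstream.login_otp(*args)
        if cookie:
            self.captured.append(cookie)
        return cookie  # the victim is logged in and sees nothing unusual
    def login_bound(self, *args):
        return self.upstream.login_bound(*args)

def relay_otp_login():
    # Password and OTP pass through intact: MFA succeeds and the captured
    # cookie maps to the victim's account on the real site.
    site = RealSite(USERS)
    proxy = AitmProxy(site)
    proxy.login_otp("ceo", "hunter2", "493021")
    return site.sessions.get(proxy.captured[0])

def relay_bound_login():
    # Same relay, but the assertion names the phishing origin and is rejected.
    proxy = AitmProxy(RealSite(USERS))
    sig = sign_origin(b"device-key", b"nonce-123", PHISH_ORIGIN)
    return proxy.login_bound("ceo", b"nonce-123", PHISH_ORIGIN, sig)
```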