AiTM Phishing Attack Targeting Enterprise Users of Microsoft & Gmail Email Services

In Cybersecurity News - Original News Source is by Blog Writer

A large-scale AiTM-based phishing campaign is targeting enterprise users of Microsoft email services, and the threat actors behind it have also gone after Google Workspace users.

AiTM (adversary-in-the-middle) phishing attacks are attacks in which threat actors place a proxy server between the phishing website the victim visits and the legitimate destination website.

Because the proxy sits between the attacker-controlled domain and the destination website, the attackers can see all traffic passing through it, which lets them capture the target's password and session cookies and then access the target's data.

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu stated:

The attack chain is made up of several components that are all linked together. As far as the attack vector is concerned, this campaign used e-mails with embedded links that were used to spread the malicious code.

The emails were specifically aimed at the organization's chief executives and senior members, as well as other targeted individuals.

The email appeared to come from Google, presented a password expiration reminder, and urged the recipient to click a link so that the account could be extended.

The AiTM phishing kit can relay and intercept the multi-factor authentication process that Gmail or G Suite (Google Workspace) uses.

Besides abusing open redirects, the campaign has a second variant that relies on compromised websites.

In the next stage of the redirection, the host passes on the victim's email address together with a Base64-encoded version of the next-stage redirect URL. Clicking this intermediate redirector takes the victim to a Gmail-themed phishing page built with JavaScript.
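As an added illustration (not code from the original article or from Zscaler's research), the following Python checker decodes Base64-encoded query parameters in logged URLs and flags redirectors that carry a victim's email address together with a hidden next-hop URL on another host, the hand-off pattern described above. All hostnames and sample URLs are constructed placeholders.

```python
"""Flag redirector URLs whose query carries an e-mail address and a Base64-encoded
next-hop URL, the hand-off pattern described above. All sample data is constructed."""
import base64
import re
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_url(value: str):
    """Return the decoded http(s) URL if value is Base64 (standard or URL-safe), else None."""
    raw = value.strip().replace(" ", "+")     # parse_qs turns '+' into spaces; undo that
    padded = raw + "=" * (-len(raw) % 4)      # tolerate stripped '=' padding
    try:
        # urlsafe_b64decode maps '-'/'_' to '+'/'/' first, so it accepts both alphabets;
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:
        return None
    return text if text.startswith(("http://", "https://")) else None


def analyze(url: str) -> dict:
    """Extract the victim tag and hidden next hop; flag hand-offs to another host."""
    parsed = urlparse(url)
    result = {"url": url, "email": None, "next_hop": None, "suspicious": False}
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            if EMAIL_RE.match(value):
                result["email"] = value
            elif (hop := decode_b64_url(value)) is not None:
                result["next_hop"] = hop
    if result["next_hop"]:
        hop_host = urlparse(result["next_hop"]).hostname or ""
        # A Base64-wrapped URL pointing off-host is the tell; an e-mail next to it
        # shows the victim is being carried through the chain by address.
        result["suspicious"] = hop_host != (parsed.hostname or "")
    return result


# Constructed samples with placeholder hosts; not indicators from the campaign.
NEXT_HOP = "https://gmail-login.invalid/auth/"
SAMPLE_URLS = [
    "https://redirector.invalid/go?e=victim@corp.invalid&u="
    + base64.urlsafe_b64encode(NEXT_HOP.encode()).decode(),
    "https://accounts.google.com/?continue=https%3A%2F%2Fmail.google.com",
    "https://shop.invalid/item?id=12345",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(analyze(sample))
```

A plain, unencoded redirect parameter such as the second sample is deliberately not flagged, so the checker stays focused on the Base64-wrapped hand-off rather than every open redirect.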

Multi-factor authentication alone is clearly not enough to stop sophisticated phishing attacks of this kind. Users should check URLs carefully before entering credentials or personal data, and should not open unknown attachments.