Large-scale AitM Attacks Targeting Enterprise Users to Steal Login Credentials

The threat of phishing attacks has significantly increased over the past couple of months. There has been a phishing campaign exploiting AitM techniques to conduct a new and large-scale attack.

Obtaining access to enterprise email accounts by compromising the security protections with the help of these campaigns. Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu affirmed that.

In this attack, the threat actors use the AitM technique to bypass multifactor authentication. In this campaign, Microsoft’s email services are specifically targeted at the end users of enterprise organizations.

Primary Targets

A number of prominent targets have been identified, including:-

A background-themed electronic communication will be sent to the targets as part of the ongoing campaign, starting in June 2022. An HTML attachment to this email contains a phishing URL embedded in it, which when clicked on will take you to a phishing page or website.

The phishing page appears to be a Microsoft Office login screen with a Microsoft Office logo on it. The compromised machine must be fingerprinted first before it is possible to determine whether it should be considered the intended target or not.

There are a variety of methods used in this campaign that make it stand out, including:-

• Open redirect pages hosted by Google Ads
• Open redirect pages hosted by Snapchat

Their goal is to load the phishing URL in order to trick the user into clicking on it.

In comparison to traditional phishing attacks, AitM phishing attacks are designed to use a variety of methods in order to obtain the password of unsuspecting users.

Using a phishing kit developed as part of a rogue landing page, a proxy is used to circumvent this. Here, the client and the email server negotiate various terms and conditions in order to be able to communicate with each other.

Additionally, all links to Microsoft domains need to be replaced with equivalent links to phishing domains. During the usage of the fraudulent website, this will ensure that correspondence with the fraudulent website remains intact throughout the usage of the website.

Recommendations

Here below we have mentioned all the common precautionary measures recommended by the security experts at Zscaler:-

• If you receive an email that appears to be sent by an untrusted or unknown source, you should not open the attachments contained within it.
• If you receive an email that appears to have been sent from a source you do not recognize, do not click on any links therein.
• Be very careful when entering any credentials in the browser address bar because the URL should always be confirmed.
• Keep your credentials updated as often as possible by changing them on a regular basis.
• Using a robust security system is one of the most important things you can do.

You can follow us on Linkedin, Twitter