
Microsoft Warns About AiTM Attacks

For most of us, this is a new acronym. Microsoft is calling this an Adversary-in-the-Middle attack, or AiTM.

Microsoft says there is a large-scale phishing campaign that hijacks the user's sign-in session, so the attacker never has to authenticate at all, even when the user has MFA enabled.

Based on Microsoft's data, the campaign has targeted more than 10,000 companies in the last 10 months.

In simple terms, the attack works like this (see graphic below). The attacker sends a traditional phishing email. If the user clicks the link, it takes them to a proxy website that looks like the real sign-in page. The user logs in and, as in other man-in-the-middle attacks, the proxy forwards the credentials to the real site. If MFA is turned on, the user submits the MFA code, the proxy forwards that to the real site as well, and the real site issues a session cookie. The cookie travels back to the user through the proxy, and the attacker keeps a copy on the way.

Once the attacker has the session cookie, they can masquerade as the user, access the user's data and even their email account. From there, they can send out multiple business email compromise campaigns from the victim's own mailbox. The stolen cookie works until the session times out.

Changing the user's password doesn't help by itself, because the attacker holds a valid session cookie, and the cookie is not tied to the password. Changing the password and then killing all active sessions for the affected user should kick the attacker out, until the user clicks on a malicious link again.

Microsoft 365 Defender catches some of this, but Microsoft recommends implementing conditional access, for example requiring sign-ins to come from a managed device or a trusted IP range, so that a sign-in relayed through the attacker's proxy is refused. Unfortunately, depending on your Office 365 license type, conditional access carries an additional monthly fee, but it offers some really good protections. Many of the higher-end Office 365 licenses include it, at least a lightweight version. Conditional access does require configuration, and you have to respond to the alerts it generates.
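The sequence above (proxy relays credentials and MFA code, keeps the session cookie, the cookie survives a password reset but not a session revocation, and a trusted-IP conditional access policy blocks the relayed sign-in) as an added simulation. This is illustrative code, not Microsoft's and not from the original alert; the IdentityProvider and AitmProxy classes, the user account, password, one-time code and IP addresses are all constructed for the demonstration, and nothing touches the network.

```python
"""Added example: an AiTM phishing proxy against a sign-in service with MFA.

Everything here is constructed for illustration; no real service is involved.
"""
import secrets


class IdentityProvider:
    """Stand-in for the real sign-in service.

    Sessions live in a server-side table, so they can be revoked independently
    of the password. `trusted_ips` models a conditional access policy that only
    allows sign-in from known corporate egress addresses (empty = no policy).
    """

    def __init__(self, trusted_ips=()):
        self.users = {}          # username -> {"password": str, "totp": str}
        self.used_codes = set()  # one-time codes already consumed
        self.sessions = {}       # cookie -> username
        self.trusted_ips = set(trusted_ips)

    def register(self, user, password, totp):
        self.users[user] = {"password": password, "totp": totp}

    def login(self, user, password, totp, client_ip):
        """Password, then one-time code, then sign-in policy. Returns a cookie."""
        rec = self.users.get(user)
        if rec is None or rec["password"] != password:
            return None
        if totp != rec["totp"] or (user, totp) in self.used_codes:
            return None
        if self.trusted_ips and client_ip not in self.trusted_ips:
            return None  # the policy sees the proxy's address, not the victim's
        self.used_codes.add((user, totp))
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def fetch_mail(self, cookie):
        """Resource access needs only the cookie: no password, no MFA."""
        user = self.sessions.get(cookie)
        return None if user is None else f"inbox of {user}"

    def change_password(self, user, new_password):
        self.users[user]["password"] = new_password  # sessions untouched

    def revoke_sessions(self, user):
        """Kill every live session for the user (the step to take after a reset)."""
        for cookie in [c for c, u in self.sessions.items() if u == user]:
            del self.sessions[cookie]


class AitmProxy:
    """The phishing site: relays the victim's sign-in to the real service and
    keeps a copy of everything that passes through, cookie included."""

    def __init__(self, idp, proxy_ip):
        self.idp = idp
        self.proxy_ip = proxy_ip
        self.captured = {}

    def victim_signs_in(self, user, password, totp):
        self.captured.update(user=user, password=password, totp=totp)
        # The real service sees a connection from the proxy, not from the victim.
        cookie = self.idp.login(user, password, totp, client_ip=self.proxy_ip)
        self.captured["cookie"] = cookie
        return cookie  # relayed back to the victim so the page looks normal


def run_scenario(trusted_ips=()):
    """Play the attack through and report what worked at each stage."""
    idp = IdentityProvider(trusted_ips=trusted_ips)
    idp.register("alice@example.com", "Winter2022!", "482913")  # constructed
    proxy = AitmProxy(idp, proxy_ip="203.0.113.10")             # constructed
    attacker_ip = "198.51.100.7"                                 # constructed
    out = {}

    # 1. Victim follows the phishing link and signs in through the proxy.
    cookie = proxy.victim_signs_in("alice@example.com", "Winter2022!", "482913")
    out["victim_signed_in"] = cookie is not None
    out["proxy_captured_password"] = proxy.captured["password"] == "Winter2022!"

    # 2. Replaying the MFA code fails: the relayed sign-in already consumed it.
    out["mfa_code_replay_works"] = idp.login(
        "alice@example.com", "Winter2022!", "482913", attacker_ip) is not None

    # 3. Replaying the cookie succeeds: the cookie *is* the proof of sign-in.
    out["cookie_replay_works"] = idp.fetch_mail(cookie) is not None

    # 4. A password reset alone does not end the session.
    idp.change_password("alice@example.com", "Spring2023!")
    out["works_after_password_change"] = idp.fetch_mail(cookie) is not None

    # 5. Revoking the user's sessions does.
    idp.revoke_sessions("alice@example.com")
    out["works_after_revoke"] = idp.fetch_mail(cookie) is not None
    return out


if __name__ == "__main__":
    print("no policy:      ", run_scenario())
    print("trusted IPs only:", run_scenario(trusted_ips=("192.0.2.25",)))
```

Two things to notice when it runs. With no policy, the one-time MFA code is useless to the attacker after it has been relayed, but the cookie keeps working through the password change and only dies when the sessions are revoked. With a trusted-IP policy, the relayed sign-in is refused because the service sees the proxy's address rather than the victim's, so no cookie is ever issued; the proxy still captured the password, which is why the password reset is still needed.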

If this is interesting to you, please contact us for more details and assistance.

Credit: Microsoft