Increase in Adversary-in-the-Middle Phishing Attacks 

THE THREAT

eSentire has observed an increase in Adversary-in-the-Middle (AitM) phishing attacks, starting in mid-September 2023. AitM phishing attacks involve socially-engineering end-users into opening malicious links contained in emails. Data is then proxied or relayed through attacker-controlled infrastructure, leading to the theft of user credentials, including Multi-Factor Authentication (MFA) codes and session cookies that would grant access to various accounts. eSentire has observed this access being used to conduct Business Email Compromise (BEC) attacks.

By detecting anomalous sign-ins and tracking threat actor infrastructure, eSentire identified this threat at its earliest stage, limiting follow-on activities that would have resulted in Business Email Compromise. eSentire is continuously improving detection for anonymous logins and BEC attacks. See below for additional details and security recommendations.

What we’re doing about it

• Impacted organizations have been directly notified by eSentire’s Security Operations Center (SOC)
• eSentire MDR for Log detects the described activity, as well as Business Email Compromise (BEC) follow-on activity
• eSentire security teams continue to track this activity for additional details and detection opportunities

What you should do about it

• Organizations, with eSentire MDR for Log, are strongly recommended to ensure logging is enabled for Azure AD and Office365
• Ensure user training includes information on recent adversary tactics, such as AitM and QR code abuse
• Implement conditional access policies, such as:
  • Limiting access to managed or compliant devices
  • Block known malicious indicators via Conditional Access policies by limiting access to trusted IP addresses and locations (see table 1)
  • Reduce the lifetime of user sessions
• If impacted by AitM Phishing:
  • Reset user credentials
  • Revoke active logon sessions
  • Review impacted inboxes for rule changes and data exfiltration

Additional information

During routine threat-hunting exercises via MDR for Log, eSentire’s Tactical Threat Response (TTR) team identified an increase in anomalous sign-in activity within Azure AD from known adversary phishing infrastructure. These AitM attacks are very stealthy and allow threat actors to bypass authentication mechanisms, as they capture and replay stolen session tokens, leaving a limited footprint in the environment. This allows threat actors to avoid detection until they begin to perform hands-on activities against a user's account or mailbox.

In AitM attacks, the initial email generally pressures the user to immediately interact with a link or QR code, with a lure related to monetary funds or account information (see Figure 1). QR codes are employed in attacks to force the user onto their mobile device, which is less likely to be monitored. Phishing pages often include corporate branding and appear identical to the corporate landing page where users may be prompted with a Multi-Factor Authentication request. It’s important to note that the implementation of MFA does not fully prevent this sophisticated attack. Once credentials and the session cookie have been submitted, attackers may replay this information to gain access to the victim’s account. eSentire has observed threat actors perform reconnaissance, via email review and adding mailbox rules to hide, delete, or forward emails. Threat actors have also been identified using established access to add a new device for MFA authentication, allowing them persistent access to the victim account. After access has been established, the threat actors may attempt illicit funds transfer or commit other malicious actions.

For additional technical details on AitM phishing and BEC attacks, see the eSentire TRU Intelligence Briefing for September 2023.

Table 1: Indicators of Compromise observed in the recent AitM campaign

References:

[1] https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise
[2] https://www.esentire.com/resources/library/september-2023-tru-intelligence-briefing-on-demand
[3] https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/