
Discovery of an AiTM attack campaign on Microsoft 365

A detailed exploration of AiTM attack techniques and mitigation strategies to protect Microsoft 365 from advanced compromises

In July 2024, the Field Effect security team discovered “Adversary-in-the-Middle” (AiTM) attacks against Microsoft 365, using Axios to steal user credentials, including MFA codes, via phishing. Monitoring, credential rotation and anti-phishing training are recommended.


In July 2024, the Field Effect security team identified a sophisticated attack campaign of the “Adversary-in-the-Middle” (AiTM) type targeting Microsoft 365 (M365). This insidious method builds on advanced Business Email Compromise (BEC) techniques, exploiting the ability to intercept and redirect user credentials during the authentication phase. Analysis of these activities revealed suspicious use of the user agent string "axios/1.7.2", associated with login attempts originating from Internet Service Providers (ISPs) known to host malicious activity. The tool used in the compromise chain is Axios, a legitimate HTTP client for browsers and node.js, which the attackers repurposed to mimic legitimate login requests, transforming and deleting HTTP requests and responses to their advantage and thus enabling the theft of user credentials.

Interception and credential collection techniques

AiTM attacks rely mainly on phishing. Target users receive convincingly crafted phishing emails that lure them to malicious domains. These domains host M365 login pages, built using Axios to closely replicate the look and feel of the original login pages. When the user enters credentials on one of these fake pages, Axios intercepts them and immediately replays them to the real M365 login page in real time. A particularly concerning aspect of this campaign is that it defeats multi-factor authentication (MFA): the attackers obtain not only passwords but also MFA codes, which allows them to gain unauthorized access to victims' accounts.

Evasion techniques and indicators of compromise

To evade detection systems, the attackers used Axios to craft HTTP requests that exactly mimicked those of legitimate users. This ploy allowed them to intercept credentials without arousing suspicion, since the information entered was captured in real time. In addition, ISPs known for hosting malicious activity, such as Hostinger International Limited and Global Internet Solutions LLC, were used to disguise the source of the attacks and make suspicious activity harder to identify. The phishing emails were extremely convincing, designed to resemble official M365 communications. Indicators of compromise (IoCs) identified include the user agent strings "axios/1.7.2", "axios/1.7.1" and "axios/1.6.8", as well as phishing domains such as "lsj.logentr[.]com" and "okhyg.unsegin[.]com".

Mitigation and Security Strategies

To defend against this sophisticated threat, it is crucial to implement continuous log monitoring that flags suspicious login attempts matching the identified IoCs. It is also essential to rotate the credentials of compromised accounts and to ensure that multi-factor authentication (MFA) is enabled on all accounts, while monitoring sign-ins for anomalies. Ongoing employee training on phishing techniques is essential so that staff can recognize suspicious emails and avoid interacting with them. This AiTM campaign demonstrates the importance of an integrated approach to security, combining sophisticated technologies with careful end-user training to protect corporate infrastructures from increasingly advanced threats.
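As an added illustration of the log-monitoring step (not code from the original article or from Field Effect), the following script scans sign-in records for the IoCs quoted above: the axios user agent strings and the two hosting providers. The sample records, the simplified field names and the JSON-lines layout are all constructed assumptions; a real Entra ID sign-in export would need its own field mapping.

```python
import json
import re
from typing import Iterable

# IoCs quoted in the article: user agent strings and hosting providers.
IOC_USER_AGENTS = {"axios/1.7.2", "axios/1.7.1", "axios/1.6.8"}
IOC_ISPS = {"Hostinger International Limited", "Global Internet Solutions LLC"}
# Broader rule: any axios/<version> agent on an interactive sign-in is
# worth a look, since a browser never identifies itself this way.
AXIOS_UA = re.compile(r"^axios/\d+\.\d+\.\d+$")

# Constructed sample sign-in records (not real log data); the field names
# are an assumed simplification of a sign-in log export, one JSON per line.
SAMPLE_SIGNIN_LOGS = """
{"user": "alice@example.com", "userAgent": "axios/1.7.2", "isp": "Hostinger International Limited", "result": "success"}
{"user": "bob@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0", "isp": "Contoso Telecom", "result": "success"}
{"user": "carol@example.com", "userAgent": "axios/1.6.8", "isp": "Contoso Telecom", "result": "failure"}
{"user": "dave@example.com", "userAgent": "Mozilla/5.0 (Macintosh) Safari/605.1", "isp": "Global Internet Solutions LLC", "result": "success"}
this line is deliberately malformed and must be skipped
"""


def classify(record: dict) -> list[str]:
    """Return the list of reasons a sign-in record matches the campaign IoCs."""
    reasons = []
    ua = record.get("userAgent", "")
    if ua in IOC_USER_AGENTS:
        reasons.append(f"known IoC user agent {ua}")
    elif AXIOS_UA.match(ua):
        reasons.append(f"non-browser axios user agent {ua}")
    if record.get("isp") in IOC_ISPS:
        reasons.append(f"ISP {record['isp']} associated with the campaign")
    return reasons


def find_suspicious(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines sign-in records and keep those matching at least one IoC."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the whole scan
        reasons = classify(rec)
        if reasons:
            hits.append({"user": rec.get("user"), "result": rec.get("result"), "reasons": reasons})
    return hits
```

A successful sign-in that matches both an IoC user agent and an IoC ISP (alice in the sample) is the case that should trigger immediate credential rotation and session revocation.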


07/10/2024 09:31

Marco Verro
