
Discovery of an AiTM attack campaign on Microsoft 365

A detailed exploration of AiTM attack techniques and mitigation strategies to protect Microsoft 365 from advanced compromises

In July 2024, the Field Effect security team discovered "Adversary-in-the-Middle" (AiTM) attacks against Microsoft 365 in which phishing pages backed by the Axios HTTP client relayed user credentials, including MFA codes, to Microsoft in real time. Log monitoring, credential rotation and anti-phishing training are recommended.


In July 2024, the Field Effect security team identified a campaign of "Adversary-in-the-Middle" (AiTM) attacks targeting Microsoft 365 (M365). AiTM phishing is a common precursor to Business Email Compromise (BEC): rather than simply harvesting a password, the attacker sits between the victim and the real login service and relays the credentials during the authentication phase. Analysis of the activity revealed the user agent string "axios/1.7.2" on login attempts originating from Internet Service Providers (ISPs) known to host malicious activity. Axios is a legitimate HTTP client for browsers and Node.js; the attackers used it to replay the victim's login requests to Microsoft so that they looked like legitimate sign-ins, and to rewrite HTTP requests and responses in transit to their advantage, which is what made the credential theft possible.

Interception and credential collection techniques

AiTM attacks start with phishing. Target users receive convincing phishing emails that lure them to attacker-controlled domains. These domains serve a copy of the M365 login page; behind it, an Axios-based relay forwards whatever the user enters to the real M365 login endpoint in real time, so the fake page behaves exactly like the genuine one. When the user enters a password, the relay immediately submits it to Microsoft; when Microsoft prompts for a second factor, that prompt is passed back to the victim, and the one-time MFA code the victim types is forwarded before it expires. This is the particularly concerning aspect of the campaign: it captures not only passwords but also MFA codes, so code-based multi-factor authentication does not stop the attacker from gaining access to the victim's account.

Evasion techniques and indicators of compromise

To evade detection, the attackers used Axios to craft HTTP requests that closely mimicked those of legitimate users, so the relayed sign-ins were hard to distinguish from real ones. The user agent string nevertheless gives the client away: a browser never identifies itself as "axios/…". Additionally, ISPs known for hosting malicious activity, Hostinger International Limited and Global Internet Solutions LLC, were used as the source of the logins, disguising the attackers' true origin. The phishing emails were highly convincing, designed to resemble official M365 communications. Indicators of compromise (IoCs) identified include the user agent strings "axios/1.7.2", "axios/1.7.1" and "axios/1.6.8", and the phishing domains "lsj.logentr[.]com" and "okhyg.unsegin[.]com" (written defanged).
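The indicators above are easy to turn into a detection over sign-in logs. The following script is an added example, not code from Field Effect's report or from the campaign itself: it scans newline-delimited JSON sign-in records for the Axios user agents and source ISPs named in the article and lists the accounts whose credentials should be rotated. The record layout (Entra-style fields such as userPrincipalName, userAgent, ipAddress and status.errorCode, plus an isp field) and every sample record are assumptions constructed for the example.

```python
"""Added example (not from Field Effect's report): flag M365 sign-in
records that match the AiTM indicators described above.

Assumptions (not from the original article): the log is newline-delimited
JSON in the shape of Microsoft Entra sign-in records (userPrincipalName,
userAgent, ipAddress, status.errorCode) plus a hypothetical 'isp' field;
the sample records below are constructed, not captured from a real tenant.
"""
import json
import re

# Indicators named in the article: Axios user agent versions seen in the
# campaign and the hosting providers the logins were sourced from.
IOC_USER_AGENTS = {"axios/1.7.2", "axios/1.7.1", "axios/1.6.8"}
IOC_ISPS = {"Hostinger International Limited", "Global Internet Solutions LLC"}
# Broader rule: any Axios client on an interactive sign-in is suspicious,
# because a browser never sends this user agent (catches newer versions too).
AXIOS_UA = re.compile(r"^axios/\d+\.\d+\.\d+$")

# Constructed sample sign-in records (hypothetical, Entra-like shape).
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0","ipAddress":"203.0.113.10","isp":"Example Corp ISP","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","userAgent":"axios/1.7.2","ipAddress":"198.51.100.7","isp":"Hostinger International Limited","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","userAgent":"axios/1.6.8","ipAddress":"198.51.100.9","isp":"Global Internet Solutions LLC","status":{"errorCode":50126}}
{"userPrincipalName":"carol@example.com","userAgent":"axios/1.7.3","ipAddress":"192.0.2.44","isp":"Some Cloud LLC","status":{"errorCode":0}}
"""


def classify(record):
    """Return the reasons a sign-in record is suspicious (empty list if clean)."""
    reasons = []
    ua = record.get("userAgent", "")
    if ua in IOC_USER_AGENTS:
        reasons.append(f"known IoC user agent {ua}")
    elif AXIOS_UA.match(ua):
        reasons.append(f"axios user agent {ua} on interactive sign-in")
    if record.get("isp") in IOC_ISPS:
        reasons.append(f"source ISP {record['isp']} tied to campaign")
    return reasons


def scan(log_text):
    """Parse NDJSON sign-in records and return the flagged ones.

    Each hit is (upn, ipAddress, succeeded, reasons). A *successful* sign-in
    from an Axios client is the case that demands credential rotation: it
    means the relayed password and MFA code were accepted by Microsoft.
    """
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            succeeded = rec.get("status", {}).get("errorCode", 0) == 0
            hits.append((rec["userPrincipalName"], rec["ipAddress"], succeeded, reasons))
    return hits


def accounts_to_rotate(log_text):
    """UPNs with at least one successful flagged sign-in (rotate password, revoke sessions)."""
    return sorted({upn for upn, _ip, ok, _reasons in scan(log_text) if ok})


if __name__ == "__main__":
    for upn, ip, ok, reasons in scan(SAMPLE_LOG):
        print(f"{upn} from {ip} success={ok}: {'; '.join(reasons)}")
    print("rotate:", accounts_to_rotate(SAMPLE_LOG))
```

On the sample data the script flags three records and reports two accounts for rotation: the failed attempt against bob's account still matches the IoCs and is worth investigating, but only alice and carol had a relayed sign-in accepted. The version-agnostic regex is deliberate; pinning only to the three versions in the IoC list would miss the next Axios release the attackers pick up.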

Mitigation and Security Strategies

To defend against this threat, continuously monitor sign-in logs for the IoCs above: any sign-in whose user agent is an Axios client, or that originates from the listed providers, warrants investigation. For accounts that show such sign-ins, rotate credentials and revoke active sessions, since the attacker may already hold a valid session. Ensure multi-factor authentication (MFA) is enabled on all accounts and monitor it for anomalies; note, however, that this campaign relays one-time codes in real time, so code-based MFA alone is not a barrier, and phishing-resistant methods such as FIDO2 security keys or passkeys, which bind the authentication to the legitimate domain, are the effective countermeasure. Continuous employee training on phishing techniques remains essential so that users recognize suspicious emails and do not interact with them. This AiTM campaign demonstrates the importance of an integrated approach to security, combining technical controls with careful end-user training to protect corporate infrastructure from increasingly advanced threats.


07/10/2024 09:31

Marco Verro
