Discovery of an AiTM attack campaign on Microsoft 365
A detailed exploration of AiTM attack techniques and mitigation strategies to protect Microsoft 365 from advanced compromises
In July 2024, the Field Effect security team discovered Adversary-in-the-Middle (AiTM) phishing attacks against Microsoft 365 that use Axios to relay the login flow and steal user credentials, including MFA codes. Sign-in log monitoring, credential rotation and anti-phishing training are recommended.
In July 2024, the Field Effect security team identified a phishing campaign against Microsoft 365 (M365) that uses the Adversary-in-the-Middle (AiTM) technique, a method frequently used as the entry point for Business Email Compromise (BEC). Rather than simply collecting a password, an AiTM kit sits between the victim and the genuine login service and relays the authentication exchange in real time. Analysis of the activity showed sign-ins carrying the user agent string "axios/1.7.2" and originating from providers (described as ISPs in the original report) known to host malicious activity. Axios is a legitimate HTTP client for browsers and Node.js; the attackers used it as the relay component of their kit, forwarding the victim's requests to the real login endpoints and rewriting or stripping HTTP requests and responses as needed, which is what allows credentials to be captured in transit.
Interception and credential collection techniques
AiTM attacks begin with phishing. Targets receive convincing emails that lead them to attacker-controlled domains. These domains serve an M365 login page that is not a static copy: the kit uses Axios to fetch and relay the genuine login flow, so the page looks and behaves like the real one. When the victim enters a password, the kit immediately submits it to the real M365 endpoint; the resulting MFA challenge is relayed back to the victim, and the code the victim types is forwarded in the same way. The attacker therefore completes the authentication as the victim despite MFA being enabled, which is what separates this campaign from plain credential harvesting.
Evasion techniques and indicators of compromise
To evade detection, the attackers used Axios to craft HTTP requests that closely mimicked those of legitimate users, so the relayed traffic did not stand out and credentials could be captured as they were typed. The sign-ins came from providers with a history of malicious activity, such as Hostinger International Limited and Global Internet Solutions LLC, which helps mask the true origin of the attack. The phishing emails were crafted to resemble official M365 communications. The indicators of compromise (IoCs) identified include the user agent strings "axios/1.7.2", "axios/1.7.1" and "axios/1.6.8", and the phishing domains "lsj.logentr[.]com" and "okhyg.unsegin[.]com". Note that a bare "axios/x.y.z" user agent on an interactive M365 sign-in is anomalous whatever the version: Axios is a programmatic client, not a browser, and identifies itself that way by default.
Mitigation and Security Strategies
Defending against this threat starts with continuous sign-in log monitoring for the IoCs above: sign-ins whose user agent is an axios string, or that originate from the named providers, should be triaged immediately. For any account that shows a hit, rotate the credentials and, because an AiTM kit completes the sign-in itself, also revoke the account's active sessions and refresh tokens; a password change alone does not invalidate a session the attacker already holds. MFA must be enabled on all accounts, but this campaign shows that code- and push-based MFA can be relayed; phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) bind the authentication to the legitimate origin and are not bypassed by an AiTM proxy. Finally, ongoing phishing-awareness training helps users recognise and report these emails. The campaign demonstrates that protecting corporate infrastructure requires combining technical controls with careful end-user training.
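The following script is an added example, not Field Effect's tooling or code from this article. It hunts for the IoCs listed above across two constructed data sets: exported M365 sign-in records (field names follow the Microsoft Graph signIn resource; the `isp` field is an assumed IP-enrichment addition, since Graph itself exposes only the ASN) and a web-proxy log in a hypothetical "time user url" format. It goes beyond the three published user agents by flagging any "axios/<version>" sign-in, and it uses the real-time relay described above as a correlation rule: a visit to a phishing domain followed within minutes by a successful axios sign-in for the same user is treated as a confirmed compromise.

```python
"""Hunt for the AiTM indicators from the article in exported M365 logs.

Added example, not Field Effect's tooling. All records below are constructed:
sign-in fields follow the Microsoft Graph signIn resource, `isp` is an assumed
enrichment field, and the proxy log format ("time user url") is hypothetical.
"""
import json
import re
from datetime import datetime, timedelta

# IoCs quoted in the article.
AXIOS_UA_IOCS = {"axios/1.7.2", "axios/1.7.1", "axios/1.6.8"}
PHISHING_DOMAINS = {"lsj.logentr.com", "okhyg.unsegin.com"}
SUSPICIOUS_ISPS = {"hostinger international limited", "global internet solutions llc"}
# Generalisation beyond the listed versions: Axios identifies itself as
# "axios/<version>", and no interactive browser sign-in should carry that UA.
AXIOS_UA_RE = re.compile(r"^axios/\d+\.\d+\.\d+$")

# Constructed sample sign-in log (JSON lines).
SIGNIN_LOG = """
{"createdDateTime":"2024-07-03T10:12:40Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0","isp":"Example Cable Co","status":{"errorCode":0}}
{"createdDateTime":"2024-07-03T10:15:02Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.45","userAgent":"axios/1.7.2","isp":"Hostinger International Limited","status":{"errorCode":0}}
{"createdDateTime":"2024-07-03T11:02:11Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.99","userAgent":"axios/1.8.0","isp":"Global Internet Solutions LLC","status":{"errorCode":0}}
{"createdDateTime":"2024-07-03T11:30:00Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.12","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0","isp":"Hostinger International Limited","status":{"errorCode":50126}}
"""

# Constructed sample web-proxy log: "<time> <user> <url>" (hypothetical format).
PROXY_LOG = """
2024-07-03T10:13:55Z alice@example.com https://lsj.logentr.com/common/oauth2/authorize
2024-07-03T10:14:30Z alice@example.com https://login.microsoftonline.com/common/oauth2/authorize
2024-07-03T11:00:05Z dave@example.com https://okhyg.unsegin.com/login
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def score_signin(rec):
    """Weight one record: published UA IoC 3, any other axios UA 2, named provider +1."""
    score, reasons = 0, []
    ua = rec.get("userAgent", "")
    if ua in AXIOS_UA_IOCS:
        score += 3
        reasons.append(f"user agent {ua} is a published IoC")
    elif AXIOS_UA_RE.match(ua):
        score += 2
        reasons.append(f"programmatic axios user agent {ua} on an interactive sign-in")
    if rec.get("isp", "").lower() in SUSPICIOUS_ISPS:
        score += 1
        reasons.append(f"source provider {rec['isp']} named in the campaign")
    return score, reasons


def hunt_signins(records):
    """Return every sign-in matching at least one indicator, highest score first."""
    hits = []
    for rec in records:
        score, reasons = score_signin(rec)
        if score:
            hits.append({
                "user": rec["userPrincipalName"],
                "time": rec["createdDateTime"],
                "ip": rec["ipAddress"],
                "success": rec.get("status", {}).get("errorCode") == 0,
                "score": score,
                "reasons": reasons,
            })
    return sorted(hits, key=lambda h: -h["score"])


def parse_proxy(text):
    """Parse the constructed proxy format into (time, user, host) events."""
    events = []
    for line in text.strip().splitlines():
        time, user, url = line.split()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        events.append({"time": time, "user": user, "host": host})
    return events


def phishing_visits(events):
    """Keep only requests to the phishing domains from the article."""
    return [e for e in events if e["host"] in PHISHING_DOMAINS]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def correlate(signin_hits, visits, window=timedelta(minutes=10)):
    """An AiTM kit relays the credential immediately, so a phishing-domain visit
    followed within `window` by a successful axios sign-in for the same user is
    'confirmed'; a visit with no relay observed is 'exposed' and still needs follow-up."""
    verdicts = {}
    for v in visits:
        verdicts.setdefault(v["user"], "exposed")
        for h in signin_hits:
            # Only axios-UA hits (score >= 2) count as relay evidence; provider alone does not.
            if h["user"] != v["user"] or not h["success"] or h["score"] < 2:
                continue
            delta = _ts(h["time"]) - _ts(v["time"])
            if timedelta(0) <= delta <= window:
                verdicts[v["user"]] = "confirmed"
    return verdicts


if __name__ == "__main__":
    hits = hunt_signins(parse_signins(SIGNIN_LOG))
    for h in hits:
        print(f"[score {h['score']}] {h['user']} {h['time']} {h['ip']}: " + "; ".join(h["reasons"]))
    for user, verdict in correlate(hits, phishing_visits(parse_proxy(PROXY_LOG))).items():
        print(f"{user}: {verdict}")
```

On the sample data the script ranks alice (published UA plus named provider) above bob (an unlisted axios version) and carol (provider only, and a failed sign-in), then marks alice as confirmed because her axios sign-in lands 67 seconds after the phishing-domain visit, and dave as exposed because he reached a phishing domain but no relay was seen. Bob's axios sign-in has no matching proxy entry, which is exactly the case that justifies hunting the sign-in logs independently of web telemetry: the lure may have been opened on a device the proxy does not see.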
07/10/2024 09:31
Marco Verro