Large-Scale AiTM Attack targeting enterprise users of Microsoft email services

ThreatLabz has discovered a new strain of a large-scale phishing campaign, which uses adversary-in-the-middle (AiTM) techniques along with several evasion tactics. Similar AiTM phishing techniques were used in another phishing campaign recently described by Microsoft here.

In June 2022, researchers at ThreatLabz observed an increase in the use of advanced phishing kits in a large-scale campaign. Through intelligence gathered from the Zscaler cloud, we discovered several newly registered domains that are used in an active credential-stealing phishing campaign.

This campaign stands out from other commonly seen phishing attacks in several ways. It uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication. There are multiple evasion techniques used in various stages of the attack designed to bypass conventional email security and network security solutions.

The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services. Business email compromise (BEC) continues to be an ever-present threat to organizations and this campaign further highlights the need to protect against such attacks.

In this blog, we describe details of the tactics, techniques and procedures (TTPs) involved in the campaign.

Since the campaign is active at the time of blog publication, the list of indicators of compromise (IOCs) included at the end of the blog should not be considered an exhaustive list.


Key points

  • Corporate users of Microsoft's email services are the main targets of this large-scale phishing campaign.
  • All these phishing attacks begin with an email sent to the victim with a malicious link.
  • The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor.
  • In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign.
  • Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted.
  • A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks.
  • Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems.
  • Numerous URL redirection methods are used to evade corporate email URL analysis solutions.
  • Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign.

Phishing campaign overview

Beginning in June 2022, ThreatLabz observed a sharp increase in advanced phishing attacks targeting specific industries and geographies.

We identified several newly registered domains set up by the threat actor to target Microsoft mail services' users.

Based on our cloud data telemetry, the majority of the targeted organizations were in the FinTech, Lending, Finance, Insurance, Accounting, Energy and Federal Credit Union industries. This is not an exhaustive list of industry verticals targeted.

A majority of the targeted organizations were located in the United States, United Kingdom, New Zealand, and Australia.

After analyzing the large volume of domains used in this campaign, we identified some interesting domain name patterns which we highlight below.


Domains spoofing Federal Credit Unions

Some of the attacker-registered domains were typosquatted versions of the domains of legitimate Federal Credit Unions in the US.

[Table: attacker-registered domain name vs. legitimate Federal Credit Union domain name; the table rows are not included in this post]
Note: Per our analysis of the original emails using the Federal Credit Union theme, we observed an interesting pattern. These emails originated from the email addresses of the chief executives of the respective Federal Credit Union organizations. This indicates that the threat actor might have compromised the corporate emails of chief executives of these organizations using this phishing attack and later used these compromised business emails to send further phishing emails as part of the same campaign.


Domains spoofing password reset theme

Some of the domain names used keywords related to "password reset" and "password expiry" reminders. This might indicate that the theme of the corresponding phishing emails was also related to password reset reminders.





It is important to note that there are several other domains involved in this active campaign; some of them are completely randomized, while others do not conform to any specific pattern.


For more info, go to the source: HERE

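As an added example (not code from the ThreatLabz write-up or from this post), the following Python checker applies the two domain-name patterns the post describes, typosquats of legitimate credit-union domains and "password reset" / "password expiry" keywords, to a list of newly observed domains so a defender can triage them. Every domain in it is a constructed sample; the legitimate-domain list, the keyword set, the edit-distance threshold and the naive suffix handling are assumptions to be replaced with an organization's own data.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): none of these are domains from the campaign.
LEGIT_DOMAINS = ["examplefcu.org", "firstsamplecu.com", "contoso.com"]
CANDIDATE_DOMAINS = [
    "examplefcu-login.org",      # brand label embedded in a longer label
    "exmaplefcu.org",            # transposed letters in the brand label
    "firstsamplecu.co",          # same label, different TLD
    "passwordreset-notice.com",  # password-reset theme
    "mailexpiry-alert.net",      # password-expiry theme
    "weatherstation42.com",      # unrelated, should not be flagged
]

# Keywords from the themes described in the post (assumption: this short list).
THEME_KEYWORDS = ("password", "reset", "expir")


@dataclass
class Finding:
    domain: str
    reason: str    # tld-swap | edit-distance | brand-embedded | credential-theme
    evidence: str  # the legitimate domain or keyword that triggered the finding


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD. Assumption: single-label TLDs only;
    a real deployment would split on a public-suffix list instead."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, legit_domains=LEGIT_DOMAINS, max_distance: int = 2):
    """Compare one candidate domain against the legitimate list and the theme keywords."""
    label = registrable_label(domain)
    findings = []
    for legit in legit_domains:
        legit_label = registrable_label(legit)
        if label == legit_label and domain.lower() != legit.lower():
            findings.append(Finding(domain, "tld-swap", legit))
            continue
        distance = levenshtein(label, legit_label)
        if 0 < distance <= max_distance:
            findings.append(Finding(domain, "edit-distance", legit))
            continue
        if legit_label in label and label != legit_label:
            findings.append(Finding(domain, "brand-embedded", legit))
    for keyword in THEME_KEYWORDS:
        if keyword in label:
            findings.append(Finding(domain, "credential-theme", keyword))
    return findings


def reasons(domain: str) -> list:
    """Just the reason tags for a domain, convenient for filtering and tests."""
    return [f.reason for f in classify(domain)]


def scan(candidates=CANDIDATE_DOMAINS) -> dict:
    """Map each candidate domain to its findings; unflagged domains map to []."""
    return {d: classify(d) for d in candidates}


if __name__ == "__main__":
    for domain, found in scan().items():
        tags = ", ".join(f"{f.reason}({f.evidence})" for f in found) or "no match"
        print(f"{domain:28} {tags}")
```

The edit-distance test catches single-character slips and swapped letters, the containment test catches the brand name padded with extra words, and the keyword test is independent of any brand list; a domain can carry more than one tag, and the tags are meant to prioritize review of newly registered domains rather than to block on their own.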
