Microsoft has warned users of a dangerous wave of AiTM phishing attacks that have already affected over 10,000 organizations. The attacks have been taking place since September 2021 and are stealing Office 365 user login credentials.

Attackers Are Able to Bypass Office 365 MFA

By using adversary-in-the-middle (AiTM) phishing websites, malicious parties are able to bypass the multi-factor authentication (MFA) protecting Office 365 users: they present a phony Office 365 authentication page that relays the victim's sign-in to the real service.

In this process, attackers aim to obtain the victim's session cookie via the deployment of a proxy server between the target and the website that is being spoofed.

Essentially, the attackers intercept Office 365 sign-in sessions and steal the resulting session cookie, which lets them act as the logged-in user. This is known as session hijacking. But things don't stop there.
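As an added example (not part of the original article or of Microsoft's blog post), a small detection heuristic over constructed sign-in events in a hypothetical log format: it flags a session whose cookie is reused from a different IP address or user agent than the MFA-protected sign-in that created it, which is the trace a session cookie stolen through an AiTM proxy leaves behind.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical schema (not a real Office 365 log format).
# An AiTM proxy replays the victim's session cookie from attacker infrastructure, so the
# same session id appears from a new network location soon after the interactive sign-in.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T08:00:00Z", "user": "alice", "session": "S1", "ip": "198.51.100.10",
     "ua": "Edge/103", "event": "signin", "mfa": True},
    {"ts": "2022-07-12T08:03:00Z", "user": "alice", "session": "S1", "ip": "203.0.113.77",
     "ua": "python-requests/2.28", "event": "mailbox_access", "mfa": False},
    {"ts": "2022-07-12T09:00:00Z", "user": "bob", "session": "S2", "ip": "198.51.100.20",
     "ua": "Chrome/103", "event": "signin", "mfa": True},
    {"ts": "2022-07-12T09:30:00Z", "user": "bob", "session": "S2", "ip": "198.51.100.20",
     "ua": "Chrome/103", "event": "mailbox_access", "mfa": False},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Return {session_id: details} for sessions whose cookie was used from a different
    IP or user agent than the interactive sign-in that minted it, within `window`."""
    origin = {}   # session id -> the sign-in event that created the session
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        sid = ev["session"]
        if ev["event"] == "signin":
            origin[sid] = ev
            continue
        src = origin.get(sid)
        if src is None:
            continue   # no recorded sign-in for this session; nothing to compare against
        moved = ev["ip"] != src["ip"] or ev["ua"] != src["ua"]
        in_window = parse_ts(ev["ts"]) - parse_ts(src["ts"]) <= window
        if moved and in_window:
            # Record the first suspicious reuse; note that the original sign-in did pass MFA.
            flagged.setdefault(sid, {"user": ev["user"], "signin_ip": src["ip"],
                                     "reuse_ip": ev["ip"], "signin_mfa": src["mfa"]})
    return flagged


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(sid, json.dumps(info))
```

On real sign-in data the IP comparison should be relaxed to ASN or geolocation to avoid flagging mobile users whose address changes legitimately.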

AiTM Attacks Lead to BEC Attacks and Payment Fraud


Once the attacker gains access to the victim's mailbox via the AiTM site, they can go on to carry out follow-on business email compromise (BEC) attacks. These scams involve the impersonation of high-level company staff in order to trick employees into carrying out actions that can cause harm to the organization.

In multiple instances this has led to payment fraud: the attacker accesses the target organization's private financial documents, and retrieving this data often leads to funds being wired to attacker-controlled accounts.

In a long post on the Microsoft Security Blog, the company claims that it has "detected multiple iterations of an AiTM phishing campaign that attempted to target more than 10,000 organizations since September 2021".

These Attacks Are Not Indicative of MFA Weakness

Though this attack circumvents multi-factor authentication, it does not point to any ineffectiveness of the security measure itself. Microsoft states in its blog post that this is because "AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses".

Because multi-factor authentication is so protective, cybercriminals are developing ways to overcome it, which speaks more to the feature's success than to its shortcomings. So, this phishing campaign should NOT be seen as a reason to deactivate MFA on your accounts.

Phishing Is a Frighteningly Common Attack Method

Phishing is now a frighteningly common attack method online, with this particular AiTM campaign managing to affect thousands of unknowing parties. While it is not suggestive of an MFA weakness, it does show that cybercriminals are now developing new ways of overcoming such security measures.