Phishing attacks are now incredibly common. This method of cybercrime can be very effective for data theft and doesn't require a huge amount of work at a base level. But phishing also comes in many forms, one of which is the Adversary-in-the-Middle attack. So, what are Adversary-in-the-Middle phishing attacks? And how can you steer clear of them?

What Are Adversary-in-the-Middle Attacks?

An Adversary-in-the-Middle (AiTM) phishing attack involves the theft of session cookies to steal private data and even bypass authentication layers.

You've likely heard of cookies before. Today, most sites you visit will ask your permission to use cookies to tailor your online experience more closely. In short, cookies track your online activity to understand your habits. They are small pieces of data that a website stores in your browser and that your browser sends back to that website's server with each new page you open, which gives the site (and anyone who gets hold of the cookie) the ability to recognize you and monitor your activity.

There are many kinds of cookies out there. Some are necessary, and some simply are not. AiTM attacks are concerned with session cookies. These are cookies that temporarily identify you to a site while you are logged in, so you don't have to re-authenticate on every page. Session cookies are normally discarded once you close your browser.

As is always the case with phishing, an AiTM phishing attack begins with the cybercriminal communicating with the target, usually via email. These scams also use malicious websites to steal data.

AiTM attacks have been a particularly pressing issue for Microsoft 365 users, with attackers contacting targets and asking them to log into their 365 accounts. The malicious actor will impersonate an official Microsoft address in this swindle, which is also typical in phishing attacks.

The goal here is not just to steal login information, but to bypass the victim's multi-factor authentication (MFA) or two-factor authentication (2FA) layer. These are security features used to verify an account login by requesting permission from a separate device or account, such as your smartphone or email.

The cybercriminal also uses a proxy server that sits between the victim and Microsoft and hosts the phony 365 login page. Because the proxy relays the victim's username, password, and MFA response to the real Microsoft login in real time, Microsoft completes the authentication and issues a session cookie. That cookie passes back through the proxy, where the attacker captures it together with the login information. Presenting the stolen session cookie lets the attacker skip the victim's 2FA or MFA prompt entirely and access the account directly.

How to Protect Against AiTM Phishing Attacks


While an AiTM phishing attack differs from a typical phishing attack, you can still employ the same practices to avoid the former as you would the latter. This begins with any links provided within your emails.

If you receive an email from an allegedly trusted sender stating that you need to use the provided link to log into one of your online accounts, be cautious. This is a classic phishing trick and can be worryingly easy to miss, especially if the attacker uses persuasive or urgent language to convince you to log into an account as soon as possible.

So, if you receive an email that includes any kind of link, be sure to run it through a link-checking website before you click. On top of this, if the email states you need to log into an account, open the login page yourself in your browser (by typing the address or using a bookmark) and access your account there. This way, you can see if there are any issues you need to resolve on your account without clicking on any provided link.

You should also avoid opening any attachments sent to you from an unfamiliar address, even if the sender claims to be a trusted individual. Malicious attachments can also be used in AiTM phishing attacks, so you need to be wary of what you open.

In short, if there's no real need to open the attachment, leave it alone.

If, on the other hand, you believe that you need to open the attachment, run some quick checks before doing so. Look at the file type of the attachment to determine whether it should be deemed suspicious. For example, .pdf, .doc, .zip, and .xls files are known to be used in malicious attachments, so be wary if a given attachment is one of these file types.

On top of this, check the context of the email. If the sender claims that the attachment contains a document, such as a bank statement, but the file has a .mp3 extension, you're likely dealing with a deceptive and potentially dangerous attachment, as an MP3 file wouldn't be used for a document.


Look at the sender address of any suspicious email you receive. Of course, every email address is unique, so an attacker cannot use an official company email address to communicate with you unless it's been hacked. In the case of phishing, scammers will often use email addresses that look somewhat similar to an organization's official address.

For example, if you receive an email from someone claiming to be from Microsoft, but you notice that the address reads "micr0s0ft" instead of "microsoft", you're dealing with a phishing scam. Criminals will also add an extra letter or number to an email address so that it looks very similar, but not identical, to the legitimate address.

You can often tell whether a link is suspicious simply by looking at the URL it actually points to. Malicious sites will often have links that look unusual. For example, if an email states that the provided link will take you to a Microsoft login page, but the URL points to a completely different website, steer clear. Checking the domain of the website can be especially useful in avoiding phishing.
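As an added example (not from the original article), here is a small Python checker that applies the sender-address and link-domain rules above: it flags digit-for-letter swaps such as "micr0s0ft", one-character insertions or deletions, and a trusted brand name buried in the subdomain of an unrelated site. The trusted-domain allowlist is a constructed assumption for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist of the organisation's genuine domains (an assumption for this example).
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com"}
# Digit-for-letter swaps commonly used to build lookalike names such as "micr0s0ft".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable_domain(host: str) -> str:
    """'login.microsoft.com' -> 'microsoft.com' (simplified: ignores suffixes like 'co.uk')."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one inserted, deleted or substituted character."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                     # make a the longer (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += 1                          # skip the extra or substituted character in a
        if len(a) == len(b):
            j += 1                      # substitution: advance b as well
    return True

def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender or link hostname."""
    host = host.lower()
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]   # e.g. 'microsoft'
        if (dom.translate(HOMOGLYPHS) == trusted                      # micr0s0ft.com
                or within_one_edit(dom, trusted)                      # microsooft.com, mcrosoft.com
                or brand in host.translate(HOMOGLYPHS).split(".")):   # microsoft.com.evil.example
            return "lookalike"
    return "unrelated"

def classify(sender_or_url: str) -> str:
    """Accept a full URL (with scheme) or an email address such as 'alerts@micr0s0ft.com'."""
    if "://" in sender_or_url:
        host = urlparse(sender_or_url).hostname
        return classify_host(host) if host else "unrelated"
    return classify_host(sender_or_url.rsplit("@", 1)[-1])
```

The subdomain check matters for AiTM pages in particular, since the proxy's phony login page is often served from a host that merely contains the brand name while its real registrable domain belongs to the attacker.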

Lastly, if you receive an email from an allegedly official source that is littered with spelling and grammatical errors, you're likely dealing with a scammer. Official companies will often ensure that their emails are written correctly, whereas cybercriminals can sometimes be sloppy with their communications. So, if an email you've received is written very lazily, be cautious with how you proceed.

Be on Guard to Avoid AiTM Phishing Attacks

Phishing is hugely prevalent and is used to target both individuals and organizations, meaning no one is truly safe from this threat. So, to steer clear of AiTM phishing attacks, and phishing in general, consider the tips provided above to keep your data secure.