AiTM attack targeting Microsoft users - Zscaler ThreatLabz

August 2022 by ZSCALER

This week, Zscaler released a new blog post, Large-scale AiTM attack targeting enterprise users of Microsoft email services, which analyses a new strain of a large-scale phishing campaign that uses adversary-in-the-middle (AiTM) techniques along with several evasion tactics.

Researchers at ThreatLabz observed an increase in the use of advanced phishing kits in a large-scale campaign. Through intelligence gathered from the Zscaler cloud, the team discovered several newly registered domains that are used in an active credential-stealing phishing campaign. This campaign stands out as it uses an AiTM attack technique capable of bypassing multi-factor authentication and is specifically designed to reach end users in enterprises that use Microsoft’s email services.

The key findings include:

• Corporate users of Microsoft’s email services are the main targets of this large-scale phishing campaign
• All these phishing attacks begin with an email sent to the victim with a malicious link
• The campaign is active at the time of blog publication and new phishing domains are registered almost every day by the threat actor
• In some cases, the business emails of executives were compromised using this phishing attack and later used to send further phishing emails as part of the same campaign
• Some of the key industry verticals such as FinTech, Lending, Insurance, Energy and Manufacturing in geographical regions such as the US, UK, New Zealand and Australia are targeted
• A custom proxy-based phishing kit capable of bypassing multi-factor authentication (MFA) is used in these attacks
• Various cloaking and browser fingerprinting techniques are leveraged by the threat actor to bypass automated URL analysis systems
• Numerous URL redirection methods are used to evade corporate email URL analysis solutions
• Legitimate online code editing services such as CodeSandbox and Glitch are abused to increase the shelf life of the campaign
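The proxy-based kit named in the findings above defeats MFA by relaying the victim's real login, MFA prompt included, through the attacker's reverse proxy and capturing the session cookie the identity provider issues afterwards; the attacker then replays that cookie from their own machine. The following detection script is an added example written for this article, not Zscaler's or Microsoft's code. It works over constructed sign-in records whose layout and field names (timestamp, user, session id, IP, user agent, interactive flag, MFA flag) are an assumption loosely modelled on identity-provider sign-in logs, and it flags sessions where an MFA-satisfied interactive sign-in is followed by non-interactive use of the same session from a different IP, raising the severity when the MFA sign-in itself came from an IP never seen for that user (the proxy's address):

```python
"""Flag sessions where an MFA-satisfied login is followed by use of the same
session from a different client, the hallmark of AiTM session-cookie replay.

Added example, not Zscaler's or Microsoft's code. The log layout below is an
assumption; every event in SAMPLE_LOG is constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    interactive: bool    # user typed credentials in a browser (MFA prompt happens here)
    mfa_satisfied: bool  # MFA requirement met, by prompt or by an existing session


def parse_event(line: str) -> SignInEvent:
    """Parse one constructed line: ts|user|session_id|ip|user_agent|interactive|mfa."""
    ts, user, sid, ip, ua, interactive, mfa = line.strip().split("|")
    return SignInEvent(datetime.fromisoformat(ts), user, sid, ip, ua,
                       interactive == "1", mfa == "1")


def find_aitm_candidates(lines: List[str],
                         window: timedelta = timedelta(hours=24)) -> List[dict]:
    """One finding per session whose MFA-satisfied interactive sign-in is
    followed, within `window`, by a non-interactive use from another IP."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_session: Dict[str, List[SignInEvent]] = {}
    for ev in events:
        by_session.setdefault(ev.session_id, []).append(ev)

    findings = []
    for sid, evs in by_session.items():
        anchor = next((e for e in evs if e.interactive and e.mfa_satisfied), None)
        if anchor is None:
            continue
        # Crude "known client" baseline: IPs from the user's earlier interactive sign-ins.
        known_ips = {e.ip for e in events
                     if e.user == anchor.user and e.interactive and e.ts < anchor.ts}
        for later in evs:
            if later.ts <= anchor.ts or later.interactive:
                continue
            if later.ts - anchor.ts > window:
                break
            if later.ip != anchor.ip:
                findings.append({
                    "user": anchor.user,
                    "session_id": sid,
                    "mfa_ip": anchor.ip,
                    "replay_ip": later.ip,
                    "user_agent_changed": later.user_agent != anchor.user_agent,
                    # In an AiTM flow the MFA sign-in arrived via the proxy, so its
                    # IP is usually new for the user as well: treat that as high.
                    "severity": "high" if anchor.ip not in known_ips else "medium",
                })
                break
    return findings


# Constructed sample: s-2002 is the AiTM pattern (MFA completed from an unknown IP,
# session then used from a third IP with another browser); s-4004 is a benign-looking
# IP change after MFA from a known client; the rest are normal sessions.
SAMPLE_LOG = """\
2022-07-17T07:30:00|carol@corp.example|s-0500|203.0.113.40|Mozilla/5.0 (Windows NT 10.0) Chrome/103|1|1
2022-07-18T08:02:11|alice@corp.example|s-1001|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/103|1|1
2022-07-18T08:40:02|alice@corp.example|s-1001|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/103|0|1
2022-07-19T09:15:44|alice@corp.example|s-2002|198.51.100.77|Mozilla/5.0 (Windows NT 10.0) Chrome/103|1|1
2022-07-19T09:17:30|alice@corp.example|s-2002|192.0.2.55|Mozilla/5.0 (X11; Linux x86_64) Firefox/102|0|1
2022-07-19T10:01:09|bob@corp.example|s-3003|203.0.113.24|Mozilla/5.0 (iPhone) Safari/605|1|1
2022-07-19T11:00:00|carol@corp.example|s-4004|203.0.113.40|Mozilla/5.0 (Windows NT 10.0) Chrome/103|1|1
2022-07-19T11:45:00|carol@corp.example|s-4004|203.0.113.41|Mozilla/5.0 (Windows NT 10.0) Chrome/103|0|1
2022-07-19T13:20:45|bob@corp.example|s-3003|203.0.113.24|Mozilla/5.0 (iPhone) Safari/605|0|1
"""

if __name__ == "__main__":
    for f in find_aitm_candidates(SAMPLE_LOG.splitlines()):
        print(f)
```

Against the sample the script reports s-2002 as high severity and s-4004 as medium. An IP change alone is a weak signal (mobile roaming, VPN egress changes and split tunnelling all produce it), which is why the MFA sign-in's own IP being unknown for the user and a user-agent change are carried as extra fields; in production the baseline should come from weeks of history rather than the handful of events in one batch, and a confirmed hit should be answered by revoking the user's sessions, not just resetting the password, since the attacker holds a live cookie rather than the credentials.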
