An increasing number of M365 data breaches use the AiTM phishing technique

The adversary-in-the-middle (AiTM) technique, which bypasses multifactor authentication (MFA), has become more common in phishing for Microsoft 365 usernames and passwords. This article explains how AiTM phishing works, how to recognise this type of fraud, and which protective measures are effective against it.

Phishing process

Usernames and passwords are usually phished with email messages that contain seemingly important or interesting content and urge the recipient to act quickly. Criminals often send these campaigns from accounts they have compromised in earlier breaches, so a phishing message may arrive from an email address the recipient knows and trusts.

Typically, the message contains a link that takes the user to a phishing site. The link is often the only clue the user gets, because the phishing site shows a page that looks exactly like the genuine sign-in page. The site is in effect a reverse proxy: as the victim enters their username and password, the criminal's server relays them to the real sign-in portal, and when the portal asks for the second factor (a code or an approval prompt), that request is relayed to the victim in the same chain and the victim's answer is passed back. Once the portal accepts the MFA, it issues a session cookie to the proxy. The criminal captures that cookie and replays it from their own machine to sign in to the victim's account, with no password or further MFA prompt needed.

After signing in, the criminal has access to the resources and applications of the Microsoft 365 account. They search the victim's mailbox for invoices and other confidential information. If the account is used to handle invoices or payments, it can be used for invoice fraud, for example.

Hijacked accounts belonging to organisations of interest may be bought and sold on criminal forums. Because mailboxes often contain critical and sensitive information, a breach of the account may also lead to that information being leaked.

Hijacked accounts are also commonly used to send new phishing messages to everyone in the victim's address book. For this purpose, criminals may connect separate bulk-mailing software to the victim's M365 environment and use it to send thousands of new phishing messages. If the mailbox contains confidential messages, criminals may copy parts of them into the new campaign to make it more convincing. Campaigns seen in Finland have used secure email notifications, invoices and orders as templates for new phishing messages.

Once an email account is compromised, the criminals may set up inbox rules (including forwarding rules) that let them read and monitor the mailbox for several weeks without being noticed. For example, they may create a rule that moves incoming messages straight to the Deleted Items or Archive folder and marks them as read. Such rules hide from the real user the replies, bounce notifications and queries caused by the invoice fraud or phishing messages sent from the account. The criminals may even answer queries prompted by those phishing messages and encourage the recipients to trust and open the message.
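The inbox-rule behaviour described above is one of the most reliable post-compromise indicators, and it can be hunted tenant-wide. The following is an added example (not code from the original article) that uses Exchange Online PowerShell to list enabled rules in every mailbox that show two or more of the tell-tale properties: forwarding or redirecting, deleting, moving mail into a folder the user rarely checks, marking mail as read, or a near-empty rule name. The folder list and the two-indicator threshold are heuristics chosen for this example, not a Microsoft recommendation, and the module and role requirements noted in the comments are assumptions about the operator's environment.

```powershell
# Added example: hunt for suspicious inbox rules across all mailboxes.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# operator holds a role that allows Get-EXOMailbox and Get-InboxRule.
Connect-ExchangeOnline

# Folders attackers commonly use to hide replies from the real user (heuristic list).
$hiddenFolders = @('Deleted Items', 'Archive', 'RSS Feeds', 'Conversation History', 'Junk Email')

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    # -IncludeHidden also returns rules created through MAPI that Outlook does not display.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $reasons = @()

        # Mail is forwarded or redirected, possibly to an external address.
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards/redirects'
        }
        # Mail is deleted outright.
        if ($rule.DeleteMessage) { $reasons += 'deletes' }
        # Mail is moved into a folder the user rarely looks at.
        if ($rule.MoveToFolder -and
            ($hiddenFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves to '$($rule.MoveToFolder)'"
        }
        # Mail is marked read so no unread count alerts the user.
        if ($rule.MarkAsRead) { $reasons += 'marks read' }
        # Names consisting only of punctuation or whitespace ('.', ',', '..') are a common attacker habit.
        if ($rule.Name -match '^[\s\W]*$') { $reasons += 'blank-looking name' }

        # Report enabled rules that combine at least two of the indicators above.
        if ($rule.Enabled -and $reasons.Count -ge 2) {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                RuleName    = $rule.Name
                Reasons     = $reasons -join ', '
                Description = $rule.Description
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run this as part of the initial triage of a suspected AiTM compromise and again after remediation: a rule that reappears after the password reset and session revocation is a sign that the attacker still holds a valid token or a second foothold. Any rule listed should be compared against the mailbox owner's own account of what they created.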

How to protect organisations from AiTM phishing

Training and informing personnel remain key in preventing phishing attempts and fraud. For AiTM phishing specifically, users' attention should be directed at the links in messages, especially when the site a link leads to asks for credentials. Before entering anything, the user should check the address in the browser to make sure they are on the genuine service provider's site and not a phishing site.

You can protect your organisation against AiTM phishing by adopting one of the following phishing-resistant authentication methods and making it the only permitted authentication method:

  • FIDO2 security keys
  • Certificate-based authentication
  • Passkeys
  • Windows Hello for Business

These methods resist AiTM because the credential is cryptographically bound to the genuine site's origin and to the user's device. A proxy site served from another domain cannot obtain a response that the real sign-in portal would accept, so there is nothing for the criminal to relay.

Another effective protective measure is to require that the signing-in device is known to the organisation, i.e. Entra joined, hybrid Entra joined, or marked compliant by device management. If sign-in is only permitted from a known device, from a trusted location, or after phishing-resistant authentication, the account is very difficult to compromise with AiTM. This requirement is implemented with a Conditional Access policy. Note that a location condition on its own is a weak defence: the sign-in the portal sees comes from the criminal's proxy, so it only helps if that proxy falls outside your trusted IP ranges, and criminals increasingly route their proxies through residential or local addresses.
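The following is an added example (not code from the original article) of how the two controls just described, a known device or one of the phishing-resistant methods listed above, can be expressed as a single Conditional Access policy with the Microsoft Graph PowerShell SDK. It looks up the built-in "Phishing-resistant MFA" authentication strength, which covers FIDO2 keys, passkeys, certificate-based authentication and Windows Hello for Business, and combines it with the compliant-device and domain-joined-device controls using "require one of". The policy is created in report-only mode so its effect can be reviewed in the sign-in logs first. The break-glass group ID is a hypothetical placeholder, and the module and permission requirements in the comments are assumptions about the operator's environment.

```powershell
# Added example: Conditional Access policy requiring a known device OR phishing-resistant MFA.
# Assumes the Microsoft.Graph PowerShell SDK and an account that can consent to the
# Policy.ReadWrite.ConditionalAccess scope (e.g. Conditional Access Administrator).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Resolve the built-in "Phishing-resistant MFA" authentication strength by name
# rather than hardcoding its GUID; it is present in every tenant.
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $phishingResistant) { throw 'Built-in phishing-resistant authentication strength not found.' }

# Emergency-access ("break glass") accounts must be excluded so a misconfigured policy
# cannot lock every administrator out. Hypothetical group ID; replace with your own.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'AiTM protection: known device or phishing-resistant MFA'
    # Report-only first: evaluate against real sign-ins, then change to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # 'OR' = require one of the listed controls. A device that is compliant or
        # hybrid joined satisfies the policy, as does phishing-resistant authentication.
        operator               = 'OR'
        builtInControls        = @('compliantDevice', 'domainJoinedDevice')
        authenticationStrength = @{ id = $phishingResistant.Id }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Before moving the policy from report-only to enabled, confirm in the sign-in logs that legitimate users on unmanaged devices already have a phishing-resistant method registered; otherwise the policy will block them rather than the attacker.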

Token Protection for sign-in sessions is another Conditional Access control that works against AiTM phishing. It cryptographically binds the sign-in session token to the device it was issued to, so a token or cookie captured by the criminal's proxy cannot be replayed from another machine. Two caveats apply: Token Protection is a session control, not a risk-based policy, and at the time of writing it applies only to the client applications and resources Microsoft lists as supported (a subset of Windows desktop clients), so it complements phishing-resistant authentication rather than replacing it.

You should also consider adopting the following Conditional Access policies to protect your organisation from phishing: