AiTM Phishing Attacks Over 10,000 Organizations to Hijack a User’s Sign-in Session

Earlier this week, Microsoft announced that over 10,000 organizations had been targeted in an extensive phishing campaign that began in September 2021. In this campaign, the hackers hijacked the MFA-enabled accounts by compromising the authentication process of Microsoft Office 365.

Using custom-designed fake landing pages, the threat actors have been able to hijack the Office 365 authentication process and gain access to user data.

Researchers at Microsoft have observed that phishing emails often redirect victims to landing pages that contain malicious content once the email has been opened. 

As a result, they have established a system in which HTML attachments have been implemented that act as gatekeepers to ensure targets are being received via redirected HTML pages.

There were various methods used in the intrusions, including phishing sites with adversary-in-the-middle (AitM) capabilities. An attacker in this case deploys a proxy server between a victim’s computer and the website they are attempting to attack. 

A targeted phishing email will be sent to recipients who will then be redirected to lookalike landing pages that will ask them for credential information and an MFA code.

Here’s what Microsoft stated:-

“The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and another with the actual website the target wants to access. These sessions mean that the phishing page practically functions as an AiTM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, more importantly, session cookies.”

Toolkits used

Using open-source phishing toolkits and other online resources, it is possible to automate the AiTM phishing process at present time. There are a number of popular kits that are widely used, such as:- 

  • Evilginx2
  • Modlishka
  • Muraena

Data Compromised

A reverse proxy was used as a part of this campaign and the web servers on which they were hosted were used to host the phishing sites. 

Two separate TLS sessions were established between these servers and the legitimate website where the targets were seeking authentication.

As a result, the attacker’s phishing site served as a man-in-the-middle agent to relay information between them and the victim. It intercepts the authentication process from hijacked HTTP requests and takes advantage of that information in order to extract sensitive information.

Here below we have mentioned the sensitive data extracted by the threat actors:-

  • Passwords 
  • Session cookies


It is strongly recommended that you use phish-resistant multi-factor authentication implementations that support the following things in order to defend against these attacks:- 

  • Certificates-based authentication
  • Fast ID Online (FiDO) 2.0 

Other common recommendations offered by Microsoft:-

  • Always monitor for suspicious sign-in attempts
  • Make sure to monitor mailbox activities
  • Implement strict conditional access policies
  • Implement 2FA authentication
  • Must use a strong combination of password

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.