Skip to content

What is an Adversary-in-the-Middle Phishing Attack?

Email phishing has been a common threat for many years now. But there are many different types of email phishing scams, some more advanced than others and one which we’ve recently seen an increase in: adversary-in-the-middle (AiTM) phishing attacks, also known as a man-in-the-middle attack. In this blog post we’ll explain what it is and how your business can avoid it.  
What is an Adversary-in-the-Middle Phishing Attack? 
An AiTM attack is when a bad actor intercepts and modifies communications between two parties to steal sensitive information, such as financial data or login credentials. As always is the case in email phishing threats, the hacker initiates communication via email.

Stolen or compromised credentials were the primary attack vector in 19% of data breaches in 2022. - IBM 

In July 2022, Microsoft reported that AiTM attacks targeting Microsoft 365 users were able to bypass Multi-factor Authentication (MFA) to steal session cookies and gain access to victims’ Office 365 accounts.  
How does it Work?  
Session cookies are cookies that temporarily store data during a web session. They are small text files that can be sent to your server every time you click on a new webpage which gives certain parties the ability to monitor your activity. In the illustration below you can see the flow of an AiTM attack.  

Microsoft aitmWhat we’ve seen among our Microsoft 365 users is the attackers ask them to open a SharePoint file shared with them from what on a surface-level appears to be a legitimate source. The file link takes them to a different domain and if the user clicks on the “view document” link, they are then directed to a false Office 365 login page which prompts them for credentials. When the user enters their credentials, including their MFA code, the attackers have immediate access to their credentials.  

What is particularly significant about the attacks targeting Microsoft 365 users is that the bad actors can bypass several types of MFA. The cybercriminal uses a proxy server to communicate with Microsoft and host a fake login page. When the victim enters their login info, it will then steal the session cookie to provide false authentication, allowing the attacker to bypass forms of MFA, like the six-digit time-based one-time password.  

How to Protect your Business from AiTM Attacks? 

Common defense practices used against all phishing attacks can help protect your business from AiTM attacks. Employees need to be vigilant of any email where the sender urges the user to click on a link or log into an account, even if the sender claims to be a trusted individual. If one isn’t expecting a file, ignore the request. We always recommend adopting a multi-layered approach to cybersecurity; a strategy that combines user education and security technology. Here’s the most important security measures your business can adopt to prevent a successful AiTM incident: 

  • Cybersecurity awareness training 
  • Pushed-based MFA - Number Matching Microsoft Authentication (now being forced beginning in May 2023) 
  • Complement MFA with conditional access policies 
  • Partner with a Managed Service Provider (MSP): MSPs can provide your business with advanced monitoring, automatic blocking of malicious websites and alerting 

If you’re concerned about email phishing or any aspect of your cybersecurity at your business - talk to us.   

We are local!