Project Hyphae

Phishing-as-a-Service (PhaaS) Rises: The Emergence of Adversary-in-the-Middle (AiTM) Attacks

Share This Post

In recent times, cybersecurity threats have become increasingly complex and multifaceted. One notable development is the rise of Phishing-as-a-Service (PhaaS) platforms, particularly those equipped with Adversary-in-the-Middle (AiTM) capabilities. Microsoft has issued warnings about these sophisticated attacks, emphasizing the need for organizations to adapt and upgrade their defense mechanisms.

The Evolution of Phishing Techniques

Traditional phishing efforts revolve around duping individuals into sharing sensitive information, often through misleading emails and fake websites. With the onset of multi-factor authentication (MFA) and other security enhancements, cybercriminals have sought innovative ways to continue their nefarious activities. This has given birth to AiTM techniques, which, combined with PhaaS, present a new set of challenges for cybersecurity professionals.

How AiTM Works

The AiTM mechanism operates on two principal methodologies:

  1. Reverse Proxy Servers: In this approach, a phishing page, acting as an intermediary, captures and relays the traffic between the user’s device and the legitimate website. In this covert process, cybercriminals can steal user credentials, two-factor authentication codes, and session cookies without the victim’s knowledge.
  2. Synchronous Relay Servers: This technique displays a duplicate sign-in page to the target. While it mirrors traditional phishing attempts, it’s more sophisticated, capturing session cookies in real-time.

The Driving Force Behind AiTM Attacks

The goal of AiTM-enabled PhaaS platforms is to bypass MFA. By stealing session cookies, threat actors gain access to privileged systems without needing to reauthenticate. As Microsoft pointed out, handling AiTM attacks isn’t just about recognizing and removing phishing emails. It demands the revocation of stolen session cookies, which is a different challenge altogether.

Cybercrime Groups Exploiting AiTM

Several cybercriminal groups have started to exploit these advanced phishing techniques. Microsoft recently highlighted the actions of two such groups:

  • Storm-1167: This group launched an AiTM phishing campaign targeting financial institutions, using trusted vendor relations to execute financial fraud. They cleverly added an SMS-based 2FA method to compromised accounts in order to evade detection.
  • Storm-1295: Known for creating the “Greatness” PhaaS platform, this group offers synchronous relay services to other attackers. Their platform targets Microsoft 365 business users, presenting them with highly authentic decoy pages to capture information.

The Road Ahead

The evolution of PhaaS platforms equipped with AiTM capabilities underscores the dynamic nature of cybersecurity threats. As cybercriminals leverage more intelligent tools, businesses must stay abreast of the latest threats and ensure their defenses are equipped to handle these new challenges.

In conclusion, as the PhaaS ecosystem grows and AiTM techniques become more prevalent, it’s imperative for organizations to not only be aware of these threats but to actively implement robust security measures.

Further Reading and Resources

For those seeking a deeper understanding of AiTM phishing and BEC campaigns, Microsoft has provided invaluable resources that delve into the intricacies of these threats and offer guidance on mitigation. We highly recommend reviewing the blog post from June 8, 2023, titled Detecting and mitigating a multi-stage AiTM phishing and BEC campaign. Furthermore, for organizations looking to fortify their defenses against token theft, Microsoft’s Token Theft Playbook offers a comprehensive guide on best practices and strategies.

Reach out to our incident response team for help

More To Explore

Information Security News 9-18-2023

Iranian Cyberspies Target Thousands of Organizations with Password Spray Attacks Article Link: Requests via Facebook Messenger Lead to Hijacked Business Accounts Article Link:

Information Security News 9-11-2023

University of Michigan Requires Password Resets After Cyberattack Article Link: Attackers Accessed UK Military Data Through High-Security Fencing Firm’s Windows 7 Rig Article Link:

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.