AiTM refers to the "Adversary-in-The-Middle" phishing technique, in which attackers intercept the communication between a user and a legitimate website, stealing the password and session cookie to gain unauthorized access and perform fraudulent activities.
As part of the "From cookie theft to BEC" attack, the attacker initiates the process by sending phishing emails to the target. Upon clicking a link in the email, the user is directed to a fake website. At this point, the attackers establish a proxy server between the target user and the intended website. This setup allows the attacker to intercept and capture the user's password and session cookie, providing them with the means to authenticate and access the user's session on the website. After successfully authenticating, for example, to Outlook, they can read email content or create a forwarding rule to identify the target of the fraud. Once they have identified the target, they take action to initiate multiple fraud attempts.
Figure 1. AiTM attack kill chain, MS security blog, July 12, 2022
Because ready-made tools for this are available on the internet, attackers use them to conduct AiTM attacks.
At this time, based on third-party research, attackers are targeting enterprise users of Gmail or Outlook with emails related to password reset, password expiry, voice message logs, and accessing office-related and other content.
Since the attacker wants to lure the target to the phishing site while evading mail security, they primarily rely on the following attack techniques.
- Type Ⅰ : HTML file attachment
- Type Ⅱ : Phishing link
- Type Ⅲ : Open Redirect
Based on third-party research, in Type Ⅰ attacks the attackers have commonly been observed using window.location.replace() inside the attached HTML file to redirect users to the phishing site.
HTML attachment with URL redirection | Zscaler, AiTM report
e.g.
| Language | Code |
|---|---|
| JavaScript | `window.location.replace("hxxps://example.com")` |
| JavaScript | `window.location.href = "hxxps://example.com"` |
| HTML | `<meta http-equiv="refresh" content="7; url='hxxps://example.com'" />` |
| PHP | `<?php header("Location: hxxps://example.com/"); exit; ?>` |
Note
JavaScript : "replace()" is used for one-time, immediate page replacement without maintaining history, while setting the "href" property allows navigation to a new URL while preserving the ability to go back using the browser's history.
PHP : JavaScript handles client-side redirection within the browser, while PHP manages server-side redirection on the server before the response is sent to the client's browser.
Open Redirect?
An open redirect is a vulnerability in a web application that allows attackers to redirect users to malicious websites by manipulating URL parameters. It occurs when the application fails to validate or restrict user-supplied input used for redirection. Attackers exploit this vulnerability for phishing or other malicious purposes.
PHP : `http://example.com/example.php?url=http://malicious.example.com`
HTML : `<a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to log in</a>`
Reference - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Open Redirect pages, Zscaler, AiTM report
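The fix for CWE-601 is to validate the redirect target on the server before the Location header is emitted, rather than trusting the `url` parameter. The following Python function is an added example, not code from this page or from any of the referenced reports; the allowlist host `bank.example.com`, the helper names `is_safe_redirect` and `build_location`, and the candidate URLs are all constructed for illustration. It rejects the bypasses that a naive "starts with /" or "contains our domain" check misses: protocol-relative `//host`, backslash variants, `javascript:` URLs, userinfo tricks (`https://bank.example.com@attacker...`), lookalike subdomains, and CR/LF that could split the response header.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application is permitted to redirect to.
ALLOWED_HOSTS = {"bank.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site relative path or an http(s) URL whose host is allowlisted.

    Rejects the usual bypasses of naive checks: protocol-relative "//host",
    backslash variants, non-http schemes (javascript:, data:), userinfo tricks
    ("https://bank.example.com@attacker.example.net"), lookalike subdomains and
    CR/LF characters that could split the Location header.
    """
    if not target or len(target) > 2048 or not target.isprintable():
        return False
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading "/" keeps it on this origin.
        return normalized.startswith("/") and not normalized.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname drops userinfo and port and is lowercased, so exact-match the allowlist.
    return (parts.hostname or "") in allowed_hosts


def build_location(url_param, fallback="/"):
    """Value for the Location header: the validated target, or a safe fallback."""
    return url_param if is_safe_redirect(url_param) else fallback


if __name__ == "__main__":
    # Constructed inputs modelled on the example URLs above.
    for candidate in [
        "/account/home",
        "http://bank.example.com/login",
        "http://attacker.example.net",
        "//attacker.example.net/",
        "/\\attacker.example.net",
        "https://bank.example.com@attacker.example.net/",
        "http://bank.example.com.attacker.example.net/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:55} -> Location: {build_location(candidate)}")
```

An even stricter design is to never accept a URL at all: map an opaque key (`?next=dashboard`) to a server-side table of destinations, so there is no user-supplied URL to validate.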
Base64
According to the Microsoft Security blog, attackers not only use URL redirection methods but also employ base64 encoding in JavaScript to encode the end-user's email address if it exists.
e.g. Microsoft observed that the redirector page used the following URL format:
hxxp://[username].[wildcard domain].[tld]/#[user email encoded in Base64]
| JavaScript | Memo |
|---|---|
| `btoa()` | Encodes a string in Base64 |
| `atob()` | Decodes a Base64-encoded string |
Reference - Window btoa() / Window atob()
Source code of the HTML attachment, Microsoft, AiTM report
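To triage a suspicious HTML attachment the way the reports above describe it (a meta refresh or location.replace() redirect, with the recipient's e-mail Base64-encoded in the URL fragment), a defender can pull out every redirect target and try to decode the fragment. The following Python script is an added example and is not code from this page, Microsoft or Zscaler; the sample attachment, the reserved `.invalid` host and the encoded address `user@example.com` are constructed for the demonstration, and `triage_html`, `decode_fragment` and `MetaRefreshParser` are names chosen here.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample attachment (not from any real campaign): a <meta refresh>
# redirect plus a window.location.replace() call, both pointing at a reserved
# .invalid host, with a Base64-encoded constructed address in the fragment as
# in the redirector URL format described above.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="7; url='https://login.example.invalid/#dXNlckBleGFtcGxlLmNvbQ=='" />
<script>
  window.location.replace("https://login.example.invalid/#dXNlckBleGFtcGxlLmNvbQ==");
</script>
</head><body>Loading your document...</body></html>"""

# JavaScript redirection primitives: location.replace("..."), location.assign("..."),
# location.href = "..." and bare location = "...".
JS_REDIRECT = re.compile(
    r'location(?:\.href)?\s*(?:\.replace\(|\.assign\(|=)\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class MetaRefreshParser(HTMLParser):
    """Collects the url= target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content="7; url='https://...'" -> keep the url= part, strip its quotes
        for part in a.get("content", "").split(";"):
            part = part.strip()
            if part.lower().startswith("url="):
                self.targets.append(part[4:].strip().strip("'\""))


def decode_fragment(url):
    """Return the Base64-decoded fragment if it is an e-mail address, else None."""
    frag = urlsplit(url).fragment
    if not frag:
        return None
    padded = frag + "=" * (-len(frag) % 4)  # kits sometimes drop the padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL.match(text) else None


def triage_html(html):
    """List redirect targets in an HTML attachment with any Base64 e-mail decoded from the fragment."""
    findings = []
    parser = MetaRefreshParser()
    parser.feed(html)
    for url in parser.targets:
        findings.append({"technique": "meta-refresh", "url": url, "email": decode_fragment(url)})
    for m in JS_REDIRECT.finditer(html):
        url = m.group(1)
        findings.append({"technique": "js-location", "url": url, "email": decode_fragment(url)})
    return findings


if __name__ == "__main__":
    for f in triage_html(SAMPLE_HTML):
        print(f"{f['technique']:<12} {f['url']}  ->  {f['email']}")
```

The decoded address is useful in two ways during an investigation: it confirms which mailbox the attachment was tailored for, and it gives a value to pivot on when hunting sign-in logs for that user around the time the message was delivered.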
The following documents summarize each phase of the AiTM attack; the queries in them will help in hunting potential AiTM/BEC activities.
- 13-kql-AiTM-HuntingInsight-Part1.pdf
- 13-kql-AiTM-HuntingInsight-Part2.pdf
- 13-kql-AiTM-HuntingInsight-Part3.pdf
- 13-kql-AiTM-HuntingInsight-Part4.pdf
- July 12, 2022, From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
- November 16, 2022, Token tactics: How to prevent, detect, and respond to cloud token theft
- March 13, 2023, DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit
- June 8, 2023, Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
- July 31, 2023, AiTM & BEC threat hunting with KQL
- September 19, 2023, A day in the life of a Defender Experts for XDR analyst
- August 02, 2022, Large-Scale AiTM Attack targeting enterprise users of Microsoft email services (Zscaler)
- August 09, 2022, AitM Phishing Attack Targeting Enterprise Users of Gmail (Zscaler)
- November 09, 2022, Trellix Insights: Large-Scale AiTM Attack Targeting Enterprise Users (Trellix)
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.