Security News > 2023 > March > Massive adversary-in-the-middle phishing campaign bypasses MFA and mimics Microsoft Office
New research from Microsoft's Threat Intelligence team exposed the activities of a threat actor named DEV-1101, which started advertising for an open-source phishing kit to deploy an adversary-in-the-middle campaign.
According to Microsoft, the threat actor described the kit as a phishing application with "Reverse-proxy capabilities, automated setup, detection evasion through an antibot database, management of phishing activity through Telegram bots, and a wide range of ready-made phishing pages mimicking services such as Microsoft Office or Outlook."
An AitM campaign is more difficult to detect than other types of phishing attacks because it doesn't rely on a spoofed email or website.
If the user has provided the phishing page with their credentials and enabled multi-factor authentication to log in to their real account, the phishing kit stays in function to activate its MFA bypass capabilities.
The phishing kit logs in to the legitimate service using the stolen credentials, then forwards the MFA request to the user, who provides it.
Microsoft has observed millions of phishing emails sent every day by attackers using this kit, but its diffusion might be even larger.
News URL
Related news
- Microsoft Office 2024 now available for Windows and macOS users (source)
- Microsoft Is Disabling Default ActiveX Controls in Office 2024 to Improve Security (source)
- Microsoft rolls out Office LTSC 2024 for Windows and Mac (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Why Phishing-Resistant MFA Is No Longer Optional: The Hidden Risks of Legacy MFA (source)
- Microsoft Entra "security defaults" to make MFA setup mandatory (source)