The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services were spotted targeting Google G Suite users.
In AiTM phishing, the threat actors set up a proxy server between the target user and the website the user wishes to visit; the phishing site the user actually reaches is this proxy, under the attackers' control. Because all traffic passes through the proxy, the attackers can read it and capture the target's password and session cookie.
Once they had obtained the credentials and session cookies needed to access users' mailboxes, the threat actors launched business email compromise (BEC) campaigns against other targets. Microsoft experts believe the AiTM phishing campaign has been used to target more than 10,000 organizations since September 2021.
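The stolen session cookie is what lets the attackers into the mailbox even after the victim completed authentication, so one defensive check is whether a session id is later used by a client other than the one that logged in. The following Python routine is an added example, not code from the article or from Microsoft's research; the log format, field names and sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample session log (not from the article). An AiTM proxy relays the
# victim's stolen cookie from attacker infrastructure, so the same session id shows
# up from a client IP / User-Agent that differs from the one seen at login.
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T09:00:00Z", "user": "alice@example.test", "event": "login",
     "session": "SID-a1b2", "ip": "203.0.113.10", "ua": "Chrome/104 Windows"},
    {"ts": "2022-08-01T09:05:00Z", "user": "alice@example.test", "event": "request",
     "session": "SID-a1b2", "ip": "203.0.113.10", "ua": "Chrome/104 Windows"},
    {"ts": "2022-08-01T09:07:00Z", "user": "alice@example.test", "event": "request",
     "session": "SID-a1b2", "ip": "198.51.100.77", "ua": "Firefox/103 Linux"},
    {"ts": "2022-08-01T10:00:00Z", "user": "bob@example.test", "event": "login",
     "session": "SID-c3d4", "ip": "192.0.2.5", "ua": "Safari/15 macOS"},
    {"ts": "2022-08-01T10:02:00Z", "user": "bob@example.test", "event": "request",
     "session": "SID-c3d4", "ip": "192.0.2.5", "ua": "Safari/15 macOS"},
]


def detect_session_reuse(events):
    """Return a list of alerts for session ids used by a client (IP, User-Agent)
    that differs from the client which established the session at login.
    Events are expected in chronological order."""
    origin = {}                       # session id -> (ip, ua) recorded at login
    alerts = []
    for ev in events:
        sid = ev["session"]
        client = (ev["ip"], ev["ua"])
        if ev["event"] == "login":
            origin[sid] = client
            continue
        if sid not in origin:
            # A cookie in use with no observed login is itself worth a look.
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "ip": ev["ip"], "ua": ev["ua"], "reason": "no_login_seen"})
        elif client != origin[sid]:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "ip": ev["ip"], "ua": ev["ua"], "reason": "client_mismatch",
                           "login_ip": origin[sid][0], "login_ua": origin[sid][1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

A mismatch is a signal to revoke the session and force re-authentication, not proof of compromise on its own; mobile clients that change networks will trigger the IP part of the check, so production rules usually weight User-Agent and ASN changes differently.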
The researchers pointed out the Gmail AiTM phishing campaign had a much lower volume of targets compared to the Microsoft AiTM phishing attack.
The attack chain starts with emails containing a malicious link. This link passes through multiple levels of redirection and abuses Open Redirect pages to send the users to the Gmail phishing domain.
The phishing messages impersonated Google and pretended to be password-expiry reminder emails urging recipients to click the link to “Extend their access.”
The threat actors also fingerprinted the client to determine whether it was a real user or an automated analysis system.