Intercepting MFA. Phishing and Adversary in The Middle attacks

Three of my last five business email compromise investigations have involved an Adversary in the Middle (AiTM) attack. Even security-aware teams with hardened Microsoft 365 (M365) configurations are coming up blank as to how their comprehensive MFA policies were bypassed. It is a technique we use ourselves on Red Team engagements, typically to gain access to client services. With many organisations moving to M365 SSO for all connections, including VPNs, Citrix NetScaler and other remote access services, the impact of compromised cloud credentials such as Azure AD / Entra ID credentials can be devastating.

In this post I'll show at a high level how attackers carry out such an attack. The main focus is the artefacts we look for when investigating these attacks in a DFIR capacity. I'll also cover the steps you can take to harden your environment and stop your team falling foul of them.

TL;DR

Adversary in the Middle and email phishing attacks are re-purposed to steal MFA tokens from target users. Links to reverse proxy servers that relay the legitimate Microsoft sign-in page are sent to the target, usually as obfuscated links embedded in an email message or attachment. Because the victim authenticates against the real sign-in page through the attacker's proxy, the proxy sees the credentials, the completed MFA exchange and the session token issued afterwards. The attacker then exploits gaps in the target network's conditional access policies, allowing them to masquerade as the user and gain a foothold before securing further access. Commonly, the attack then progresses into a fraudulent attempt to steal money.
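The token theft described in the TL;DR leaves a pattern in sign-in telemetry that an investigator can hunt for: a session that satisfied MFA from one address and is then used from a different address and client without a fresh MFA challenge. The following is an added example, not code from the original post, and it uses a simplified record schema assumed for illustration (user, time, source IP, user agent, session identifier, MFA-completed flag) rather than the exact field names of any product's sign-in log. The sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class SignIn:
    """One sign-in record. Field names are a simplified schema assumed for
    this example, not the exact schema of any vendor's sign-in log."""
    when: datetime
    user: str
    ip: str
    user_agent: str
    session_id: str      # identifier of the session/token issued at sign-in
    mfa_completed: bool  # True if an interactive MFA challenge was satisfied


# Constructed sample data: alice completes MFA from her usual address, and
# minutes later the same session is used from another address and client
# with no MFA challenge. bob's records are a normal session used as a control
# (same address throughout, so no finding is expected).
SAMPLE_EVENTS: List[SignIn] = [
    SignIn(datetime(2024, 5, 1, 9, 2), "alice@example.com", "203.0.113.10",
           "Mozilla/5.0 (Windows NT 10.0) Edge/124", "sess-alice-1", True),
    SignIn(datetime(2024, 5, 1, 9, 17), "alice@example.com", "198.51.100.77",
           "python-requests/2.31", "sess-alice-1", False),
    SignIn(datetime(2024, 5, 1, 9, 30), "bob@example.com", "203.0.113.11",
           "Mozilla/5.0 (Windows NT 10.0) Edge/124", "sess-bob-1", True),
    SignIn(datetime(2024, 5, 1, 14, 0), "bob@example.com", "203.0.113.11",
           "Mozilla/5.0 (Windows NT 10.0) Edge/124", "sess-bob-1", False),
]


def find_session_reuse(events: List[SignIn],
                       window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Flag sessions that were MFA-authenticated from one IP and then used
    from a different IP within `window` without a fresh MFA challenge."""
    by_session: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda ev: ev.when):
        by_session.setdefault(e.session_id, []).append(e)

    findings: List[dict] = []
    for session_id, evs in by_session.items():
        origin = evs[0]
        if not origin.mfa_completed:
            continue  # session never passed MFA; out of scope for this check
        for later in evs[1:]:
            if later.when - origin.when > window:
                break  # events are time-sorted, so the rest are outside the window too
            if later.ip != origin.ip and not later.mfa_completed:
                findings.append({
                    "user": origin.user,
                    "session_id": session_id,
                    "mfa_ip": origin.ip,
                    "reuse_ip": later.ip,
                    "reuse_user_agent": later.user_agent,
                    "minutes_after_mfa": int(
                        (later.when - origin.when).total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(SAMPLE_EVENTS):
        print(finding)
```

An IP change on its own is noisy (mobile networks, VPN egress, split tunnels), so in a real investigation the trigger should be enriched with ASN or geolocation and weighted by a change of client, as in the sample where a browser session is replayed by a scripting client. The check also assumes the session identifier is carried in the log; if it is not, correlate on user and a short time window instead.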

