Microsoft has warned customers about an Adversary-in-the-Middle (AiTM) phishing kit being sold on a popular cybercrime forum. The software is designed to make it easier for attackers to run phishing campaigns against enterprise accounts.
According to the Microsoft Threat Intelligence team, the phishing kit is an open-source tool developed by a threat actor Microsoft tracks as DEV-1101. Last year, cybercriminals started selling the Adversary-in-the-Middle (AiTM) kit for $300 for the standard version, with VIP licenses priced at $1,000.
Microsoft explained that the tool provides several advanced features that support phishing campaigns in enterprise environments. Most notably, it gives threat actors the ability to bypass multi-factor authentication (MFA). MFA requires users to provide one or more additional forms of verification beyond a password before they can access a service, which makes it harder for attackers to gain unauthorized access to users’ accounts.
Interestingly, the AiTM kit uses several techniques to avoid detection. First, it lets threat actors insert a CAPTCHA into the phishing flow, so that only human visitors (rather than automated scanners) reach the final phishing page. There is also an antibot feature that triggers an href redirection to a benign page, which makes it easier for the phishing URL to evade blocklists of known malicious URLs.
“These attributes make the kit attractive to many different actors who have continually put it to use since it became available in May 2022. Actors using this kit have varying motivations and targeting and might target any industry or sector,” the Microsoft Threat Intelligence team explained.
Microsoft detailed several security measures that help organizations block AiTM phishing attacks. The company suggests implementing MFA in Azure AD with certificate-based authentication (CBA), Microsoft Authenticator, FIDO2 security keys, and similar methods.
Microsoft also recommends that customers enable security defaults and continuous access evaluation, and deploy advanced anti-phishing solutions. Moreover, IT admins should continuously monitor for suspicious activity to protect their users against AiTM attacks.