The AiTM phishing method captures both passwords and session cookies in real time, allowing attackers to bypass multi-factor authentication on enterprise cloud platforms.
Infection Vector and Attack Flow
Attackers are running an advanced phishing campaign that uses adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication. The attack begins with a targeted email that appears to come from a trusted source. The message contains a link to a fake login page that mirrors the real authentication portal for services such as SharePoint, HubSpot, and Google Workspace. The page is a reverse proxy to the genuine portal, so when the victim enters their credentials and the one-time passcode from their authenticator app, the AiTM proxy relays them to the real service and captures both pieces of information in real time.
Impact and Scope
This AiTM approach allows the attackers to steal the active session cookie immediately after authentication completes. With that cookie, they can access the victim's cloud account without logging in again, even if the password is changed later, because the session was issued by the legitimate service after a successful MFA check. The campaign is particularly dangerous because it targets business-critical platforms used for document storage, customer relationship management, and email. Any organization using these services without additional session verification is at risk of data theft, email compromise, and lateral movement within its environment. No specific CVEs are currently linked to this campaign type.
Defensive Recommendations
Organizations should deploy phishing-resistant multi-factor authentication methods, such as FIDO2 security keys or certificate-based authentication; these bind the authentication to the genuine site's origin, so a proxy sitting on a look-alike domain cannot complete the login. Security teams must also enforce strict conditional access policies that flag suspicious sign-ins based on geographic location and device profile, and that treat an established session being used from a new device or country as a signal to revoke it. User awareness training should include recognition of near-perfect replica login pages and encourage employees to verify URLs carefully before entering credentials.
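Because the attacker replays a cookie that the real service issued, the detection opportunity is the mismatch between the device and location that performed the interactive sign-in and the device and location that later use the session. The following Python is an added example written for this article, not code from the article or from any vendor: it binds each session identifier to the sign-in event that issued it and flags later uses from a different device or country. The log schema (field names `ts`, `user`, `session`, `ip`, `country`, `device`, `event`) and the sample events are constructed for illustration and are not a real product's log format.

```python
"""Flag reuse of a session cookie from a device or country other than the one
that performed the interactive sign-in that issued it.

Assumed event schema (constructed for this example, not a vendor format):
  ts       ISO 8601 timestamp
  user     account name
  session  opaque session / cookie identifier issued at sign-in
  ip       client IP address
  country  geolocated country code of the client IP
  device   client device identifier (e.g. from a device-management agent)
  event    "signin" for the interactive authentication that issued the
           session, "access" for any later request carrying it
"""
from datetime import datetime

# Constructed sample: alice signs in from her managed laptop in DE, then the
# same session is presented from an unmanaged host in another country fifteen
# minutes later. bob's session is only ever used from the device that created it.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "country": "DE", "device": "laptop-alice", "event": "signin"},
    {"ts": "2024-05-01T08:05:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "country": "DE", "device": "laptop-alice", "event": "access"},
    {"ts": "2024-05-01T08:15:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.77", "country": "NL", "device": "unmanaged", "event": "access"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.20", "country": "DE", "device": "laptop-bob", "event": "signin"},
    {"ts": "2024-05-01T09:30:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.20", "country": "DE", "device": "laptop-bob", "event": "access"},
]


def parse_ts(value):
    """Parse the ISO 8601 timestamp used in the constructed schema."""
    return datetime.fromisoformat(value)


def find_session_hijacks(events):
    """Return one alert per access event whose device or country differs from
    the sign-in that issued the session, or whose session was never seen issued.
    """
    origin = {}   # session id -> the sign-in event that created it
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        sid = ev["session"]
        if ev["event"] == "signin":
            origin[sid] = ev
            continue
        src = origin.get(sid)
        if src is None:
            # A session with no recorded sign-in cannot be bound to anything;
            # surface it so the analyst can decide whether logging is incomplete.
            alerts.append({"user": ev["user"], "session": sid, "ts": ev["ts"],
                           "ip": ev["ip"], "reasons": ["unknown_origin"],
                           "minutes_since_signin": None})
            continue
        reasons = []
        if ev["device"] != src["device"]:
            reasons.append("device_mismatch")
        if ev["country"] != src["country"]:
            reasons.append("country_mismatch")
        if reasons:
            elapsed = (parse_ts(ev["ts"]) - parse_ts(src["ts"])).total_seconds() / 60
            alerts.append({"user": ev["user"], "session": sid, "ts": ev["ts"],
                           "ip": ev["ip"], "reasons": reasons,
                           "minutes_since_signin": elapsed})
    return alerts


if __name__ == "__main__":
    for alert in find_session_hijacks(SAMPLE_EVENTS):
        print(f"{alert['ts']} user={alert['user']} session={alert['session']} "
              f"ip={alert['ip']} reasons={','.join(alert['reasons'])} "
              f"minutes_since_signin={alert['minutes_since_signin']}")
```

The alert feeds the response step the recommendations describe: revoke the flagged session server-side rather than only resetting the password, since the stolen cookie stays valid until the service invalidates it. A device-identity check is the stronger of the two signals; country alone produces false positives for travelling users and VPN exits, so a production rule would typically combine it with the sign-in's device posture rather than alert on it by itself.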
Source: Cyber Security News