A new adversary-in-the-middle phishing campaign bypasses multi-factor authentication by intercepting session cookies from enterprise cloud services.
How the Attack Works
Attackers are deploying adversary-in-the-middle (AiTM) phishing pages to intercept credentials and session cookies for major enterprise platforms. This technique allows them to bypass multi-factor authentication (MFA) protections by placing a proxy between the target and the legitimate service. When the user authenticates with their real password and MFA code, the attacker captures the resulting session token in real time.
Impact and Scope
The campaign specifically targets SharePoint, HubSpot, and Google Workspace accounts. Once attackers obtain a valid session cookie, they can access emails, documents, and customer data without needing to log in again. This type of attack poses a significant risk to organizations that rely on these platforms for daily operations. No specific CVEs are associated with this attack pattern, as it exploits the core authentication flow rather than a software vulnerability.
Mitigation Recommendations
Organizations should enforce phishing-resistant MFA methods such as FIDO2 hardware security keys or certificate-based authentication. Security teams should also monitor for unusual login locations and device fingerprints. User awareness training on recognizing fake login pages remains a critical defense measure against these sophisticated phishing campaigns.
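The monitoring recommendation above, as an added detection example that is not from the source article or any vendor: it flags an MFA sign-in from a location and device both new to the user, and a session later used from a different device or country than the one that completed MFA. The event fields, the per-user history and all sample values are constructed assumptions, not a real log schema.

```python
from collections import namedtuple

# Constructed sign-in events; the field names are assumptions, not a vendor log schema.
Event = namedtuple("Event", "ts user session kind country device")
EVENTS = [
    Event("2024-05-01T09:00:00Z", "alice", "s-100", "mfa_success", "DE", "fp-a1"),
    Event("2024-05-01T09:02:10Z", "alice", "s-100", "access", "DE", "fp-a1"),
    Event("2024-05-01T13:00:00Z", "alice", "s-101", "mfa_success", "NL", "fp-x7"),
    Event("2024-05-01T13:04:30Z", "alice", "s-101", "access", "BR", "fp-z9"),
    Event("2024-05-01T10:00:00Z", "bob", "s-200", "mfa_success", "US", "fp-b2"),
    Event("2024-05-01T10:30:00Z", "bob", "s-200", "access", "CA", "fp-b2"),
]
# Constructed per-user history of (country, device) pairs seen before this window.
KNOWN = {"alice": {("DE", "fp-a1")}, "bob": {("US", "fp-b2")}}


def detect(events, known):
    """Return (ts, user, session, reason) alerts, oldest first."""
    origin = {}  # session -> (country, device) that completed MFA
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        seen = known.get(ev.user, set())
        if ev.kind == "mfa_success":
            origin[ev.session] = (ev.country, ev.device)
            # Behind an AiTM proxy the provider sees the proxy's location and
            # client, so a sign-in where both are new to the user is signal one.
            # A user with no history at all is also flagged here.
            if all(ev.country != c and ev.device != d for c, d in seen):
                alerts.append((ev.ts, ev.user, ev.session, "new_country_and_device_at_mfa"))
            continue
        start = origin.get(ev.session)
        if start is None:
            # Session in use with no MFA event on record for it.
            alerts.append((ev.ts, ev.user, ev.session, "session_without_mfa_record"))
        elif ev.device != start[1]:
            # A cookie does not normally move between devices: signal two.
            alerts.append((ev.ts, ev.user, ev.session, "session_moved_device"))
        elif ev.country != start[0]:
            # Same device, new country: weaker signal (travel, VPN), kept for triage.
            alerts.append((ev.ts, ev.user, ev.session, "session_moved_country"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN):
        print(*alert)
```

In the sample data, alice's session s-101 raises both signals, while bob's same-device country change is reported as the lower-confidence case.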
Source: Cyber Security News

