The latest AiTM phishing campaign relays victims' logins in real time and hijacks the resulting sessions, bypassing multi-factor authentication on three major cloud platforms.
Attack Mechanism
A new campaign is using adversary-in-the-middle (AiTM) phishing to target users of Google Workspace, HubSpot, and SharePoint. Attackers host lookalike login pages that act as a reverse proxy between the victim and the legitimate service. When the user enters a password and completes the MFA challenge, the page relays each step to the real service in real time, so the service sees an ordinary successful login and issues a session cookie. The proxy captures that cookie, and the attacker can replay it to use the account without ever being prompted for MFA.
This approach needs no zero-day in the targeted platforms themselves. It relies on tricking the user into authenticating through a rogue page that mirrors the official login interface, so conventional factors (push approvals, SMS codes, TOTP codes) are satisfied by the victim on the attacker's behalf. The intercepted session remains valid until it expires or is revoked; a password reset alone does not necessarily invalidate it.
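The flow described above, as an added toy model that is not code from the campaign, the article, or any AiTM toolkit: a stand-in identity provider issues bearer session cookies, a lookalike proxy relays a password-plus-TOTP login and keeps the cookie, and the same proxy gets nothing when the user holds a FIDO2/WebAuthn credential, because the browser only presents a credential whose rpId matches the host it actually loaded and signs the real page origin into the assertion. All hostnames, users, secrets, and the HMAC standing in for the authenticator's public-key signature are constructed assumptions.

```python
# Added toy model of an AiTM proxy against cookie-based sessions; all hostnames, users
# and secrets are constructed, and HMAC stands in for the authenticator's signature.
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

LEGIT_ORIGIN = "https://login.example.com"  # assumed legitimate login origin
PHISH_ORIGIN = "https://login-example.com"  # assumed attacker lookalike proxying to it
RP_ID = "example.com"                       # WebAuthn rpId the credential was registered for


class IdentityProvider:
    """Stand-in for the real service: verifies a login and issues a bearer session cookie."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse battery", "totp": "492817"}}
        self.webauthn_keys = {}  # user -> secret standing in for the registered public key
        self.sessions = {}       # cookie -> user

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_password_totp(self, user, password, totp):
        rec = self.users.get(user)
        if rec is None or rec["password"] != password or rec["totp"] != totp:
            return None
        return self._issue(user)

    def login_webauthn(self, user, assertion):
        # A real verifier checks clientDataJSON.origin and the signature over
        # authenticatorData || SHA-256(clientDataJSON); here the MAC covers challenge||origin.
        key = self.webauthn_keys.get(user)
        if key is None or assertion["origin"] != LEGIT_ORIGIN:
            return None
        expected = hmac.new(key, assertion["challenge"] + assertion["origin"].encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def revoke_all(self, user):
        self.sessions = {c: u for c, u in self.sessions.items() if u != user}


class Browser:
    """Victim's browser: the origin it signs is the page it actually loaded, and it refuses
    a credential whose rpId is not the page host or a parent domain of it."""

    def __init__(self, key):
        self.key = key

    def webauthn_sign(self, page_origin, rp_id, challenge):
        host = urlparse(page_origin).hostname
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError(f"rpId {rp_id!r} is not valid for {host!r}")
        sig = hmac.new(self.key, challenge + page_origin.encode(), hashlib.sha256).digest()
        return {"origin": page_origin, "challenge": challenge, "signature": sig}


class AiTMProxy:
    """Attacker's lookalike site: relays what the victim submits and keeps any cookie issued."""

    def __init__(self, idp):
        self.idp = idp
        self.stolen = []

    def relay_password_totp(self, user, password, totp):
        cookie = self.idp.login_password_totp(user, password, totp)
        if cookie:
            self.stolen.append(cookie)
        return cookie is not None

    def relay_webauthn(self, user, browser):
        challenge = secrets.token_bytes(32)  # would be relayed from the real IdP
        try:
            assertion = browser.webauthn_sign(PHISH_ORIGIN, RP_ID, challenge)
        except ValueError:
            return False  # the browser never produced an assertion for the lookalike host
        cookie = self.idp.login_webauthn(user, assertion)
        if cookie:
            self.stolen.append(cookie)
        return cookie is not None


def run_scenarios():
    idp = IdentityProvider()
    key = secrets.token_bytes(32)
    idp.webauthn_keys["alice"] = key
    proxy = AiTMProxy(idp)
    # 1. Password + TOTP through the proxy: the IdP sees a normal login, the proxy keeps the cookie.
    proxy.relay_password_totp("alice", "correct horse battery", "492817")
    totp_stolen = bool(proxy.stolen) and idp.whoami(proxy.stolen[0]) == "alice"
    # 2. Same flow with a FIDO2/WebAuthn credential: nothing usable reaches the proxy.
    webauthn_stolen = proxy.relay_webauthn("alice", Browser(key))
    # 3. Revoking the user's sessions invalidates the stolen cookie.
    idp.revoke_all("alice")
    still_valid = bool(proxy.stolen) and idp.whoami(proxy.stolen[0]) is not None
    return {"totp_session_stolen": totp_stolen,
            "webauthn_session_stolen": webauthn_stolen,
            "stolen_cookie_valid_after_revoke": still_valid}
```

`run_scenarios()` returns a dict showing the TOTP session stolen, the WebAuthn attempt failing, and the stolen cookie dead after revocation. Two independent checks stop the WebAuthn case: the browser's rpId rule means the lookalike host never gets an assertion at all, and even an assertion obtained for some other origin fails at the verifier because the origin is covered by the signature, so the proxy cannot simply rewrite it.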
Impact and Scope
Organizations across multiple sectors face heightened risk from this campaign. Compromise of a single SharePoint, Google Workspace, or HubSpot account can give attackers access to internal documents, email, customer data, and project-management workflows. If a privileged user is targeted, the breach can extend to connected services and downstream systems that trust the compromised account's sessions.
Security teams should review sign-in and activity logs for unusual authentication patterns, in particular a session that was created by an MFA-backed login from one location or device and is then used from another shortly afterwards. No CVEs apply to the phishing technique itself, but defenders should watch for indicators of known AiTM toolkits such as Evilginx and Modlishka. Enforcing phishing-resistant multi-factor authentication, such as FIDO2 security keys, blocks this attack vector: the WebAuthn credential is bound to the legitimate domain and origin, so the browser never produces a usable assertion for the proxy's lookalike site. Where weaker factors must remain, shortening session lifetimes and revoking the active sessions of affected users (not only resetting their passwords) limits how long a stolen cookie stays useful.
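The log review suggested above, as an added example that is not part of the original article or any vendor's detection content: each event in a session is compared with the login that created it, and a session that reappears from a different country or browser is flagged high, while a bare IP change (NAT, mobile roaming) is flagged low. The records are constructed JSON lines in an assumed schema, not the export format of any specific product.

```python
# Added example: flag session cookies that show up from a different IP, country or
# browser than the login that created them. The log lines are constructed JSON records
# in an assumed schema, not the format of any particular product.
import json
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:03Z","event":"login_success","user":"alice","session":"s1","ip":"203.0.113.5","country":"NL","ua":"Chrome/124"}
{"ts":"2024-05-01T09:04:41Z","event":"mailbox_read","user":"alice","session":"s1","ip":"198.51.100.77","country":"US","ua":"Firefox/125"}
{"ts":"2024-05-01T09:05:10Z","event":"inbox_rule_created","user":"alice","session":"s1","ip":"198.51.100.77","country":"US","ua":"Firefox/125"}
{"ts":"2024-05-01T09:10:00Z","event":"login_success","user":"bob","session":"s2","ip":"203.0.113.9","country":"NL","ua":"Chrome/124"}
{"ts":"2024-05-01T10:30:00Z","event":"file_download","user":"bob","session":"s2","ip":"203.0.113.9","country":"NL","ua":"Chrome/124"}
{"ts":"2024-05-01T11:00:00Z","event":"login_success","user":"carol","session":"s3","ip":"192.0.2.10","country":"DE","ua":"Chrome/124"}
{"ts":"2024-05-01T11:45:00Z","event":"file_download","user":"carol","session":"s3","ip":"192.0.2.11","country":"DE","ua":"Chrome/124"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_session_anomalies(events):
    """Compare every event in a session against the login that created it.
    A change of country or browser is 'high'; an IP change alone is 'low'."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        # Baseline is the login event; if none is in scope, fall back to the earliest event.
        login = next((e for e in evs if e["event"] == "login_success"), evs[0])
        reported = set()  # one finding per (session, new IP), not per event
        for e in evs:
            if e["ip"] == login["ip"] or e["ip"] in reported:
                continue
            reported.add(e["ip"])
            reasons = []
            if e["country"] != login["country"]:
                reasons.append("country")
            if e["ua"] != login["ua"]:
                reasons.append("user_agent")
            minutes = (_ts(e) - _ts(login)).total_seconds() / 60
            findings.append({
                "session": sid,
                "user": e["user"],
                "login_ip": login["ip"],
                "seen_ip": e["ip"],
                "minutes_after_login": round(minutes, 1),
                "reasons": reasons or ["ip_only"],
                "severity": "high" if reasons else "low",
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data, alice's session s1 is flagged high (new country and browser within five minutes of the login, followed by an inbox rule being created), carol's s3 is flagged low (IP change only, same country and browser), and bob's s2 produces nothing. The "minutes_after_login" field is what makes the high finding actionable: a session reused from a new country minutes after an MFA login is the signature of a relayed login rather than a user who travelled.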
Source: Cyber Security News

