AiTM phishing attacks: What to do when MFA is not enough

In today's digital age, businesses are increasingly reliant on technology and the internet to conduct their operations. With phishing attacks growing in sophistication, businesses must utilize advanced technology and tools to defend against such assaults. 

Untitled design (5)-1

AiTM Phishing attacks 


Phishing attacks remain a growing concern for organizations. In fact, according to an article from Microsoft, phishing is one of the most common techniques attackers use in their attempts to gain initial access to organizations. With phishing attacks, users are tricked into revealing sensitive information, such as passwords or personal identification numbers. In the ever-evolving world of technology, advanced threats like Adversary-in-the-middle (AiTM) are now posing an even greater risk to businesses. However, with the use of Microsoft Technology, businesses can better defend against these advanced attacks.


How AiTM phishing attacks work


AiTM phishing allows attackers to intercept communications between two parties, such as a user and a legitimate website, to steal sensitive information. Here's how AiTM phishing attacks work:

  1. The user accesses the target website by typing in the website's URL or clicking on a link to the website through a phishing email.

  2. The attacker then intercepts the user's request and sends it to a phishing website that looks identical to the legitimate website but is actually controlled by the attacker.

  3. The user is then redirected to the phishing website, which prompts the user to enter sensitive information such as login credentials. 

  4. The attacker is then able to capture the user's information as it is entered on the phishing website. Additionally, the attacker obtains the session cookie issued by Microsoft allowing them to ultimately bypass multi factor authentication (MFA).

  5. With the stolen information, the attacker can then access the user's account for a variety of malicious purposes, such as identity theft, financial fraud, or espionage. 

 This graphic from Microsoft illustrates this process:

how AiTM phishing intercepts the authentication process


Defending against phishing attacks with Microsoft


By utilizing Microsoft’s wide range of tools and technologies, such as Microsoft 365 Defender, organizations can better protect themselves against AiTM/MFA phishing attacks. Here are some effective ways to protect against these advanced phishing attacks using Microsoft technology: 


Use Multi-Factor Authentication (MFA) 


Don't discount MFA! While AiTM phishing attacks have devised a way to bypass MFA, it is still considered one of the most effective ways to protect against traditional phishing attacks. When organizations enable MFA, it makes it much more difficult for attackers to gain access to sensitive information, even if they have obtained a user’s password. This is because MFA requires users to provide more than one form of authentication, such as a password and a one-time code sent to their phone, to gain access to an account.


Microsoft provides a range of MFA technologies, such as Azure Multi-Factor Authentication and Microsoft Authenticator, which can be used to secure both personal and corporate accounts. According to Microsoft, organizations can support their MFA implementation to be resistant to phishing by utilizing solutions such as Windows Hello for Business that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.



 Implement Conditional Access policies 


GitHub describes Conditional Access policies as if-then statements, if a user wants to access a resource, then they must complete an action. Conditional Access policies are an important component to building an organization's defense against AiTM phishing attacks because they allow administrators to set policies that control access to resources based on certain criteria, such as the user's location or the type of device they are using.  With Azure AD Conditional Access organizations can ensure access to sensitive resources is only granted to users who meet very specific criteria, making it much more difficult for attackers to bypass MFA authentication mechanisms. 


Use Advanced Threat Protection 


Microsoft's Advanced Threat Protection (ATP) provides a range of tools and technologies to help organizations protect against advanced persistent threats. As defined by Nakivo, "ATP is a cloud-based filtering service for cyberthreat prevention and detection that uses machine learning algorithms to detect and respond to threats in real-time, including phishing attacks."


In addition, the ATP tool also protects organizations against other threats, such as ransomware and zero-day attacks. ATP’s ability to integrate with Microsoft 365 services such as OneDrive, SharePoint Online, and Exchange Online make it an essential tool for organizations that are looking to protect against these advanced threats.


Educate Users on Phishing Awareness 


Education is a key component to defending against these threats. Users within an organization need to be educated on how to recognize phishing attacks, in addition to being made aware of the importance of using security technologies and MFA. Thanks to Microsoft’s range of training materials and resources, organizations can help to educate their users.


The Microsoft Security Awareness Toolkit is one such resource. This toolkit provides organizations with quick and convenient training materials such as videos, interactive courses, posters, and infographics to help educate and empower their employees.


 Although AiTM phishing attacks are not a new threat to organizations, attackers are evolving rapidly, requiring advanced tools and technologies to protect against them. Using Microsoft's MFA technologies, Conditional Access Policies, Advanced Threat Protection, and educating organization users on phishing awareness, can significantly reduce the risk of falling victim to these advanced phishing attacks.

If you would like assistance in ensuring your company's data is protected, please contact us and we would be happy to help.


Subscribe Here For Our Blogs:

Recent Posts


see all