Attackers were observed using an adversary-in-the-middle (AiTM) campaign that lets them leverage a phishing-as-a-service (PhaaS) platform to intercept user credentials and session cookies on Microsoft 365 accounts.
Trustwave researchers tied the campaign to a PhaaS platform called Rockstar 2FA — an updated version of the DadSec/Phoenix kit that Microsoft tracks as Storm-1575, the researchers said in a Nov. 25 blog post.
The DadSec PhaaS was responsible for some of the highest volumes of phishing campaigns in 2023, according to the Trustwave researchers. The latest round under Rockstar 2FA increased in activity this past August and has been active for the past several months.
Now that more organizations use multi-factor authentication (MFA), attackers have shifted to AiTM attacks that proxy a victim's credentials to the legitimate site, triggering the MFA prompt, explained Tyler Hudak, director of incident response at Inversion6.
“Once the victim authenticates, the token or cookie gets sent back to the AiTM site, enabling the attacker to log in as the victim,” said Hudak. “This technique lets the attacker obtain access to the victim’s account without having to worry about the type or method of MFA used. AiTM attacks are extremely common. In my experience as an incident responder, the vast majority of successful phishing attacks I have investigated used AiTM during their attacks.”
Itzik Alvas, co-founder and CEO at Entro Security, explained that while phishing attacks were often manual in the past, modern attackers leverage automation to rapidly stand up complex infrastructures and create AiTM platforms that are resold over the dark web.
“These sophisticated attack platforms use AI to personalize messaging, as well as machine learning to serve decoy pages to security vendors that scan their sites — allowing them to remain undetected for prolonged periods,” said Alvas. “Once attackers compromise a user's credentials, they swiftly move laterally through their target environment and wreak havoc by compromising additional non-human identities associated with their victim, such as personal access tokens with access to sensitive data.”
Patrick Tiquet, vice president, security and architecture at Keeper Security, said AiTM attacks with platforms like Rockstar 2FA have become more common in PhaaS campaigns. While not all PhaaS offerings focus on AiTM techniques, Tiquet said the inclusion of features like session cookie harvesting and MFA bypass in this platform highlights how phishing methods continue to become more sophisticated.
“Security teams should take note, as these attacks demonstrate how protections like MFA can be circumvented if not part of a layered defense,” said Tiquet. “Tools that help enforce strong password policies, provide secure management of credentials and offer visibility into login activity are critical in addressing these threats.”
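A session cookie captured through an AiTM proxy and then reused shows up in login activity as one session identifier presented by more than one client. The Python sketch below is an added example, not code from Trustwave or the article; the event field names, the one-hour window and the sample events are constructed assumptions rather than any product's log schema.

```python
from datetime import datetime, timedelta

# Constructed sign-in events (documentation IP ranges, hypothetical field names).
EVENTS = [
    {"time": "2024-11-25T09:00:05", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Edg/131"},
    {"time": "2024-11-25T09:02:40", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.50", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/132"},
    {"time": "2024-11-25T09:10:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
    {"time": "2024-11-25T09:40:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.99", "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
    {"time": "2024-11-25T10:00:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/131"},
]

def find_session_reuse(events, window=timedelta(hours=1)):
    """Flag sessions that are later presented by a different client.

    The first event of a session is taken as its origin. A later event in the
    same session is reported only if BOTH the IP and the user agent differ and
    it falls inside `window`; an IP change alone (roaming, VPN) is not flagged.
    """
    origin = {}     # session id -> (first timestamp, ip, user agent)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        first_ts, first_ip, first_ua = origin.setdefault(
            ev["session"], (ts, ev["ip"], ev["ua"]))
        if (ev["ip"] != first_ip and ev["ua"] != first_ua
                and ts - first_ts <= window):
            findings.append({
                "user": ev["user"],
                "session": ev["session"],
                "origin_ip": first_ip,
                "reuse_ip": ev["ip"],
                "seconds_after_origin": int((ts - first_ts).total_seconds()),
            })
    return findings

if __name__ == "__main__":
    for hit in find_session_reuse(EVENTS):
        print(hit)
```

A hit is a lead for review, not proof of compromise: the sessions it surfaces still need to be checked against the user's known devices and locations.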