Numerous organizations worldwide have been subjected to a widespread business email compromise (BEC) campaign, employing adversary-in-the-middle (AitM) methods to carry out the attacks.

An adversary-in-the-middle (AitM) attack refers to a technique employed by cybercriminals to intercept and manipulate communication between two parties without their knowledge. In this attack, the attacker positions themselves between the sender and receiver, allowing them to eavesdrop on the communication and potentially alter or inject malicious content into it. By gaining this position of control, the attacker can exploit vulnerabilities, steal sensitive information, or carry out further attacks. 

In the documented attack chain by Sygnia, the attacker initiated the assault by sending a phishing email with a link to a supposed “shared document.” According to a report, the malicious actor obtained initial entry into an employee’s account after a successful phishing attempt, and conducted an “adversary-in-the-middle” attack to bypass Office365 authentication and maintain ongoing access to that account.

The link in the attack redirected the victim to an AitM phishing page designed to collect entered credentials and one-time passwords. To execute this scheme, the attacker gains control over an account through an intricate social engineering plan. Once in control, they send fake invoices to the company’s clients or suppliers, directing payments to a fraudulent bank account.

On account of the attack, furthermore it has been reported that the threat actors took advantage of the temporary access to the compromised account to register a new multi-factor authentication (MFA) device. This allowed them to establish a persistent remote foothold using a different IP address located in Australia. In addition to extracting sensitive data from the victim’s account, the attackers utilized this access to send new phishing emails to numerous employees within the victim’s organization, as well as to other targeted organizations. According to the researchers at Sygnia, the phishing emails spread in a manner reminiscent of a worm, moving from one targeted firm to another and infecting employees within the same company. The full extent of the campaign remains unknown at present.

Microsoft Defender Experts discovered a complex attack targeting banking and financial services organizations. It involved adversary-in-the-middle (AiTM) phishing and business email compromise (BEC), exploiting trusted vendor relationships for financial fraud across multiple organizations. The recent discovery of the attack documented by Sygnia comes within a week of Microsoft disclosing a similar attack strategy involving a combination of adversary-in-the-middle (AitM) phishing and business email compromise (BEC) targeting banking and financial services organizations.

BEC scams typically involve deceiving targets via email to send money or reveal confidential company information. The attacker often tailors the emails to appear personalized and may even impersonate a trusted individual to achieve their objectives. To prevent a BEC attack, following measures can be implemented –

1. MFA: Use Multi-Factor Authentication to add extra security layers and protect against password theft and spear phishing.
2. Education: Conduct awareness campaigns and training to empower employees to recognize and respond to BEC scams.
3. Password policy: Implement a strong password management policy to prevent password-related vulnerabilities.
4. Online information: Be cautious about sharing personal information online to limit attackers’ ability to create convincing spear-phishing content.
5. Phishing defense: Implement a system for reporting and investigating suspicious emails to swiftly respond to phishing attempts.