A recent Microsoft report describes an advanced phishing campaign that has successfully compromised accounts by stealing authentication tokens. This attack, based on Adversary-in-the-Middle (AiTM) techniques, represents a significant evolution from traditional phishing.
A Campaign Beyond Classic PhishingUnlike conventional attacks that only seek credentials (username and password), this campaign is designed to intercept complete authentication sessions. The ultimate goal is not the password, but the session token, which allows the attacker to access the account without needing to re-authenticate.
How Does the Attack Work?The report details a carefully orchestrated process in several stages:
1. Initial Social Engineering
The victim receives a convincing email simulating origin from a legitimate entity (company, service, or institution). This message includes a link to a fake page.
2. Malicious Proxy (AiTM)
Upon clicking, the victim is redirected to a site controlled by the attacker that acts as an intermediary between the user and the real service.
3. Legitimate Authentication... Intercepted
The victim enters their credentials and completes multi-factor authentication (MFA) without noticing any anomalies. The proxy transmits the information to the real service in real time.
4. Token Theft
Once authenticated, the system generates a valid session token. This token is captured by the attacker.
5. Persistent Access
With the token in hand, the attacker can access the account without needing credentials or MFA, maintaining access even if the password changes.
Why Is This Attack So Dangerous?This type of campaign presents several critical characteristics:
- Evades MFA: even with two-factor authentication enabled
- Silent Access: does not generate immediate alerts on many systems
- Persistence: access can be maintained until the token expires
- Difficult Detection: appears to be legitimate authentication
In essence, it breaks one of the current pillars of security: trust in MFA as sufficient protection.
Targets and ScopeAccording to Microsoft, these types of attacks typically target:
- Corporate users
- Accounts with access to sensitive data
- System administrators
- Cloud services and productivity platforms
The potential impact includes information theft, email access, lateral movement within the organization, and preparation for more complex attacks.
Indicators of CompromiseSome signs that may indicate an AiTM attack include:
- Logins from unusual locations or devices
- Suspicious activity immediately after authenticating
- Active tokens in multiple locations simultaneously
- Slightly altered login URLs
For Users:
- Carefully verify URLs before logging in
- Avoid clicking suspicious links in emails
- Use password managers (detect fake domains)
For Organizations:
- Implement phishing-resistant token-based authentication (like FIDO2)
- Monitor active sessions and revoke suspicious tokens
- Apply conditional access policies
- Train employees in phishing detection
This case demonstrates that attackers are evolving rapidly. It is no longer enough to protect passwords; now the target is active sessions and the authentication mechanisms themselves.
The Microsoft report emphasizes the need to adopt more robust approaches, such as passwordless authentication and anti-intermediary technologies.