Adversary in the Middle attacks. AuthN by IDEE prevents credential theft and account takeover.

What Is An Adversary-in-The-Middle Attack (AiTM)?

Written by
Carla Nadin

February 25, 2023


We have all heard of a Man-in-the-Middle (MiTM) attack, and most of us are familiar with the idea of an attacker sitting ‘in the middle’ of two parties who believe they are communicating directly with each other. In this post we look at Adversary-in-the-Middle (AiTM) attacks, which use the same tactic but apply it to the login: the attacker transparently relays the unsuspecting user’s traffic to the real site and, on the way, steals the credentials and the session cookie from the authentication part of the login process. Sneaky. This type of attack has been talked about a lot in the last few months and has been hailed by some commentators as the attack that can ‘bypass authentication’ or cheat MFA (Multi-Factor Authentication). Whether it can depends on the architecture of your MFA, as we will demonstrate.

How Does Adversary in The Middle (AiTM) Work?

AiTM made headlines in the cyber security press in July 2022, when the Microsoft 365 Defender Research Team reported on a large-scale campaign that had targeted more than 10,000 organizations. It went after Office 365 users with phishing sites that proxied the genuine Office online authentication page.

The attackers hijacked users’ signed-in sessions and so skipped the authentication process altogether. This is done by deploying a web server that proxies requests from the user to the real website and relays the responses back again. On the way, the adversary captures the username and password the user types and the session cookie (authentication token) that the real website sets once the login, MFA included, has succeeded. The only visible difference between the phishing site and the real one is the URL; everything else is the genuine site, because the adversary is just copying the traffic back and forth between the user and the real site.

Adversary in the middle attack diagram
Image credit:  Microsoft - https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/


Phishing as a Service – Evilginx

You must hand it to them – AiTM is clever. Attackers are increasingly sophisticated, and anyone who works in cyber will know that it feels very much like a game of cat and mouse. As technology and the level and complexity of protection evolve, so too do the bad actors’ tactics and their own apps, tools and programs. Adversary in the Middle attacks can even be automated. Open-source toolkits such as Evilginx2, Modlishka and Muraena are reverse-proxy phishing frameworks that do the relaying and cookie capture for you, and campaign frameworks such as Gophish handle sending the lures; together they come close to ‘Phishing as a Service’, and with them anyone can automate credential phishing.

Adversary in the Middle Demonstration

Here at IDEE HQ, we like putting this stuff to the test. We got our hands on Evilginx and tried breaking through Microsoft Authenticator and then AuthN in our own penetration tests. There are two videos below, one which shows the attack on Microsoft Authenticator and the other with our very own AuthN MFA.

When up against Microsoft Authenticator, the attack is effective: you can see how the session cookie is stolen from the unsuspecting user and how the attacker can simply use it to log in to the real site, having also captured the user’s username and password. It is all executed frighteningly quickly.

In our second video, we tried it against AuthN. You can watch the Evilginx server, the user’s browser and the authentication process side by side, in real time. With AuthN, the attacker is unsuccessful in obtaining the username or password and in collecting the session cookie, so cannot bypass the authentication process.

Video – Evilginx vs. Microsoft Authenticator

Video – Evilginx vs. AuthN by IDEE 


(Successful) Adversary in the Middle Attack, Step by Step:

  1. The adversary (attacker) deploys a reverse proxy between the target (user) and the genuine website and lures the user to it, typically with a phishing link to a look-alike domain.
  2. The proxy relays the login to the genuine website and, as the traffic passes through, records the user's credentials (username and password) and the session cookie the website sets once the login has succeeded. Session cookies prove the state of a user's session so that the user does not have to re-authenticate on every new page they visit on the website.
  3. The adversary injects the captured session cookie into their own browser and accesses the user's account without authenticating, even when MFA is enabled. The session cookie tells the website (web server) that this user has already been authenticated and has an ongoing session, so no further authentication is required. The MFA step was completed, but by the victim, on the attacker's behalf.

The Impact of a Successful Phishing Attack

As with all phishing attacks, the most significant impact is nearly always financial loss and reputational damage. This is not just via payment fraud or ransomware; it can also come through disruption to the business, fines for non-compliance, or higher insurance premiums. Data breaches that started with phishing cost businesses $4.91m on average in 2022, according to IBM’s Cost of a Data Breach report. In the case of the attacks highlighted by Microsoft, once the attackers gained access to email accounts, they embarked on payment fraud campaigns, tricking their targets into making illegitimate payments against fake invoices. The attackers also hid their tracks: with full access to the mailbox, they can add rules that move their correspondence into archive folders and delete the original phishing emails. The real account holder is oblivious.

Ultimately, with full access, the adversary can perform any task from inside the account. They can install malware (such as ransomware), sabotage systems, take over further accounts, or simply steal data or intellectual property.

How can organizations protect themselves from AiTM?

Most organizations believe that any MFA is protection enough. We agree that any MFA is better than none, but businesses and service providers must start to recognize that not all MFA is equal. In a recent talk delivered at Black Hat World, it was claimed that experts believe around 90% to 95% of MFA can be phished around or bypassed. The reason is architectural: a one-time code, a push approval or an SMS code is something the user hands over, and anything the user hands over can be relayed through a proxy along with the password, after which the resulting session cookie is a bearer token that works from any browser. Not all MFA, therefore, protects against all types of credential phishing and password-based attacks. For full protection, organizations should look for phish-proof MFA, meaning a factor that is bound to the genuine site and cannot be relayed by a page on another domain.
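To make the step-by-step list above and the ‘not all MFA is equal’ point concrete, here is an added simulation. It is written for this post and is not code from Evilginx, from Microsoft, or from AuthN by IDEE, whose implementation it does not describe. It runs an in-memory ‘real site’, an AiTM proxy that relays traffic and copies whatever passes through, and an attacker browser that presents the harvested cookie. In the first scenario the user signs in with a password and a one-time code: the real site’s MFA check passes, the victim is logged in, and so is the attacker, because the session cookie is a bearer value. In the second scenario the second factor is origin-bound, the principle behind phishing-resistant MFA: the device signs the server’s challenge together with the origin its browser is actually on, so through the proxy it signs over the look-alike domain and the real site rejects the assertion, even though the proxy rewrites the origin field to the real one. The hostnames, user, secrets, toy OTP and the HMAC standing in for a real asymmetric signature are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed origins and test user for the simulation; none of this is real.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-secure.com"   # attacker's look-alike domain
USER, PASSWORD = "alice", "hunter2"
OTP_SECRET, DEVICE_KEY = b"alice-otp-secret", b"alice-device-key"


def current_otp(secret, counter=0):
    """Toy HOTP-style 6-digit code standing in for an authenticator-app code."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def sign_challenge(device_key, challenge, observed_origin):
    """Sign the challenge together with the origin the browser is really on (HMAC stands in for a real signature)."""
    return hmac.new(device_key, f"{challenge}|{observed_origin}".encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    # The genuine site. Every successful login ends in a bearer session cookie.
    def __init__(self):
        self.sessions = {}                 # cookie value -> username
        self.pending_challenges = set()

    def _new_session(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return {"status": 200, "Set-Cookie": f"session={sid}"}

    def login_with_otp(self, username, password, otp):
        ok = (username, password, otp) == (USER, PASSWORD, current_otp(OTP_SECRET))
        return self._new_session(username) if ok else {"status": 401}

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending_challenges.add(challenge)
        return challenge

    def login_origin_bound(self, username, challenge, claimed_origin, signature):
        if username != USER or challenge not in self.pending_challenges:
            return {"status": 401}
        self.pending_challenges.discard(challenge)          # single use
        # Verify only against this site's OWN origin; the claimed origin alone proves nothing.
        expected = sign_challenge(DEVICE_KEY, challenge, REAL_ORIGIN)
        ok = claimed_origin == REAL_ORIGIN and hmac.compare_digest(expected, signature)
        return self._new_session(username) if ok else {"status": 401}

    def whoami(self, cookie_header):
        # A valid session cookie, presented from any browser, is all it takes to act as the user.
        valid = cookie_header is not None and cookie_header.startswith("session=")
        return self.sessions.get(cookie_header[len("session="):]) if valid else None


class AitmProxy:
    # Relays traffic between victim and real site, copying credentials and Set-Cookie headers as they pass.
    def __init__(self, real_site):
        self.real_site = real_site
        self.harvested = {}

    def _relay(self, response):
        if "Set-Cookie" in response:
            self.harvested["cookie"] = response["Set-Cookie"]
        return response                    # the victim sees an ordinary successful login

    def relay_otp_login(self, username, password, otp):
        self.harvested.update(username=username, password=password, otp=otp)
        return self._relay(self.real_site.login_with_otp(username, password, otp))

    def relay_origin_bound_login(self, username, challenge, signature):
        # The attacker rewrites the origin field to the real one; the signature still covers the phishing origin.
        self.harvested.update(username=username, signature=signature)
        return self._relay(self.real_site.login_origin_bound(username, challenge, REAL_ORIGIN, signature))


def otp_scenario():
    """Victim signs in at the phishing page with password + OTP; attacker replays the harvested cookie."""
    proxy = AitmProxy(site := RelyingParty())
    victim = proxy.relay_otp_login(USER, PASSWORD, current_otp(OTP_SECRET))
    return {"victim_status": victim["status"],                         # 200: the MFA check passed
            "harvested_password": proxy.harvested.get("password"),
            # Attacker's own browser: no password, no OTP, just the harvested cookie.
            "attacker_identity": site.whoami(proxy.harvested.get("cookie"))}


def origin_bound_scenario():
    """Same proxy, but the second factor signs over the origin the victim's browser sees."""
    proxy = AitmProxy(site := RelyingParty())
    challenge = site.new_challenge()                   # relayed to the victim unchanged
    # Through the proxy the browser is on PHISH_ORIGIN, so that is what the device signs over.
    proxied = proxy.relay_origin_bound_login(USER, challenge, sign_challenge(DEVICE_KEY, challenge, PHISH_ORIGIN))
    challenge = site.new_challenge()                   # direct login from the genuine origin
    direct = site.login_origin_bound(USER, challenge, REAL_ORIGIN, sign_challenge(DEVICE_KEY, challenge, REAL_ORIGIN))
    return {"proxied_status": proxied["status"],
            "attacker_identity": site.whoami(proxy.harvested.get("cookie")),
            "direct_status": direct["status"]}
```

Call otp_scenario() and origin_bound_scenario() from a Python 3.8+ interpreter: the first reports the attacker's identity as the victim's username, the second a 401 for the proxied login and a 200 for the direct one. The single-use challenge set is what stops a captured assertion from being replayed later; the origin check is what stops it being relayed in the first place. Real origin-bound factors (FIDO2/WebAuthn security keys and passkeys) take the origin from the browser rather than from the page, which is why a phishing page cannot lie about it.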

If you would like to speak to us about any of the issues discussed in this article, please feel free to reach out to our MFA experts.

Related posts

Watch an Adversary in the Middle Attack - Onelogin

A demonstration video showing how the push-based authenticator Onelogin is bypassed by an AiTM attack.
