
Unmasking the Central Villain: Inside Adversary-in-the-Middle Attacks


In classic martial arts movies, there's always that one scene where the hero singlehandedly takes on a gang of oversized, overconfident goons. One by one, they come at him, and one by one, they hit the ground. Then, as all the bad guys are writhing in pain, a final challenger appears on screen: he's small, quiet, and unassuming. Our hero smirks, preparing for another easy fight. And that's when the real battle begins. But, as you might've guessed, that little guy has the deadliest skills: he's fast, ferocious, and unforgiving. By the time our hero realizes he needs a new strategy, it's too late. The little guy you never saw coming was in full control the entire time.

Adversary-in-the-Middle (AiTM) is that guy. While more infamous cyberattacks, think ransomware or phishing, are the big thugs we're all fixated on, AiTM lurks just off camera, silently intercepting your data, redirecting traffic, and hijacking sessions without drawing much attention. It's often underestimated, but when it finally strikes, the damage can be brutal.

What Is an AiTM Attack?

In an AiTM attack, an adversary sneaks in between you and whatever you're trying to connect with, be it a website, an app, or a service. They intercept the information flowing back and forth, all while staying completely under the radar.

For instance, a common AiTM attack involves hijacking session tokens, the temporary identifiers that keep you logged into a site after you've entered your username and password. Once a threat actor steals your token, they're no longer just monitoring you; they've become you. In other words, they've gained complete control over your session, and with it every login, financial transaction, and piece of sensitive data that session can reach.

Figure 1: Simple depiction of an AiTM attack

How Do AiTM Attacks Work?

Modern websites want to be easy to use. If they're annoying to use, that's bad for business. And bad for business means bad for the bottom line. But modern websites also need to authenticate their users and prevent unauthorized access. "Easy to use" and "highly secure" are often diametrically opposed.

To meet both goals, websites use session-based authentication. You log in once with your username, password, and multi-factor authentication (MFA) code. In return, the site authenticates you and hands your browser a token (typically a session cookie or bearer token) to store. That token stands in for your username, password, and MFA code: for a period after the first authentication, it lets you access resources without entering your credentials over and over.

(Psst! We did an episode exploring how identity attacks work. Check it out.)

Figure 2: Screenshot taken from Tradecraft Tuesday. See the author speak more about AiTM

The Risk of Token Theft

Here's the problem: if that token falls into the wrong hands, it lets whoever found or stole it authenticate as the original user. A token is a whole set of credentials wrapped up into one package. So, while the token is only issued after multiple factors have been checked, presenting the token itself is single-factor authentication.

Exploitation of this system is simple. Steal that token, and you become that user: no username, password, or MFA required.

Active vs. Passive Token Theft

Token theft tactics can be classified into two types: active and passive. Active token theft occurs when a hacker directly interacts with a victim to steal their token. In contrast, passive token theft involves obtaining tokens by scouring data breaches, credential dumps, or shady forums. Internally at 杏吧传媒, we refer to these methods as "pickpocketing" for active theft and "dumpster diving" for passive theft.

Active token theft includes AiTM attacks, where an attacker deceives a victim into authenticating through a transparent proxy that relays the authentication process to the legitimate Microsoft 365 service. Evilginx is the best-known AiTM toolkit, but many Phishing-as-a-Service (PhaaS) platforms, such as NakedPages and Evilproxy, carry out similar attacks daily against small and medium-sized businesses (SMBs).

Why are AiTM Attacks Dangerous?

Let's do a little experiment. Take a look at Figures 3 and 4. The two images are screenshots of Microsoft 365 login pages. Can you tell which is an AiTM page and which is legitimate?

Figure 3: Screenshot of Microsoft 365 login page

Figure 4: Another Microsoft 365 login page that looks nearly identical to Figure 3

Sorry, it's a trick question: there isn't enough information to tell, because you can't see the URL in either screenshot.

AiTM pages are generally indistinguishable from the legitimate website's login page. This is because an AiTM site isn't a clone or copy of the actual login page. When a victim clicks a link and lands on an AiTM page, they're brought to an attacker-controlled proxy. The proxy brokers the login transaction between the victim and the legitimate login page. When the victim completes the authentication, the attacker can see their username, password, and session token in plain text, because the victim's TLS connection terminates at the proxy rather than at the real service. In other words, the victim is seeing the real login page of the service, but their entire interaction is proxied through attacker-controlled infrastructure.

Figure 5: The terminal output of a successful Evilginx attack.
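The proxied login described in this section, and the reason a stolen token is single-factor, as an added in-process illustration. This is neither the page's code nor Evilginx's: one localhost server plays the legitimate login service (password plus OTP, then a session cookie), and a second plays the AiTM proxy that relays every request to it unchanged while recording what passes through. The hostnames, credentials and tokens are constructed for the demo; there is no TLS because both ends are on loopback.

```python
"""Added illustration of an AiTM login proxy: not the page's code nor Evilginx's.
A localhost 'legitimate' service issues a session cookie after password + OTP;
a second localhost server relays traffic to it and logs what it sees.
All names, credentials and tokens below are constructed for the demo."""
import http.cookies, http.server, secrets, threading
import urllib.error, urllib.parse, urllib.request

USER, PASSWORD, OTP = "alice@example.com", "hunter2", "246810"   # constructed
# Opener without a proxy handler so the demo ignores any http_proxy in the environment
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class LegitService(http.server.BaseHTTPRequestHandler):
    """Stand-in for the real identity provider: POST /login issues a session, GET / needs one."""
    sessions = {}  # token -> user, shared by all handler instances

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body, headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
        submitted = (form.get("user"), form.get("password"), form.get("otp"))
        if self.path != "/login" or submitted != (USER, PASSWORD, OTP):
            self._reply(401, b"denied")
            return
        token = secrets.token_hex(16)
        LegitService.sessions[token] = USER
        # From here on the cookie alone is the credential: no factor is asked for again.
        self._reply(200, b"welcome " + USER.encode(),
                    [("Set-Cookie", f"session={token}; Path=/; HttpOnly; Secure")])

    def do_GET(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        user = LegitService.sessions.get(jar["session"].value) if "session" in jar else None
        if user:
            self._reply(200, f"inbox of {user}".encode())
        else:
            self._reply(401, b"login required")


class AiTMProxy(http.server.BaseHTTPRequestHandler):
    """The attacker's server: the victim's connection ends here, so everything is plaintext."""
    upstream = ""   # base URL of the legitimate service, set before starting
    captured = []   # what the attacker walks away with

    def log_message(self, *args):
        pass

    def do_GET(self):
        self._relay(None)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
        AiTMProxy.captured.append(("form", form))   # username, password and OTP in the clear
        self._relay(body)

    def _relay(self, body):
        req = urllib.request.Request(AiTMProxy.upstream + self.path, data=body, method=self.command)
        for name in ("Content-Type", "Cookie"):
            if name in self.headers:
                req.add_header(name, self.headers[name])
        try:
            resp = DIRECT.open(req)
        except urllib.error.HTTPError as err:   # a 401 from upstream is relayed unchanged too
            resp = err
        data = resp.read()
        self.send_response(resp.code)
        for name, value in resp.headers.items():
            if name.lower() == "set-cookie":
                AiTMProxy.captured.append(("cookie", value))   # the session token
            if name.lower() not in ("server", "date", "connection", "transfer-encoding"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)   # the victim receives the genuine response, relayed


def start(handler):
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """The victim logs in through the proxy with full MFA; the attacker replays the cookie."""
    AiTMProxy.captured = []
    legit, legit_url = start(LegitService)
    AiTMProxy.upstream = legit_url
    proxy, proxy_url = start(AiTMProxy)
    try:
        form = urllib.parse.urlencode({"user": USER, "password": PASSWORD, "otp": OTP}).encode()
        with DIRECT.open(proxy_url + "/login", data=form) as r:   # the phishing link
            victim_sees = r.read().decode()
        stolen = next(value for kind, value in AiTMProxy.captured if kind == "cookie")
        token = http.cookies.SimpleCookie(stolen)["session"].value
        req = urllib.request.Request(legit_url + "/", headers={"Cookie": f"session={token}"})
        with DIRECT.open(req) as r:   # straight to the real service: no password, no OTP
            attacker_sees = r.read().decode()
    finally:
        for server in (proxy, legit):
            server.shutdown()
            server.server_close()
    return {"victim_sees": victim_sees, "captured": AiTMProxy.captured, "attacker_sees": attacker_sees}
```

`run_demo()` returns what each party saw: the victim gets the real "welcome" page and is none the wiser, the proxy's `captured` list holds the form fields and the `Set-Cookie` header, and the attacker's final request reaches the inbox with nothing but the cookie. A real kit additionally rewrites hostnames and cookie domains in both directions and terminates TLS under its own certificate, but the capture happens at exactly the two points shown.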

Defend Against AiTM Attacks

AiTM attacks aren't universally effective against all types of MFA. Phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys) is the exception: the credential is bound to the legitimate site's origin, so a login the victim starts on the proxy's domain cannot be completed against the real service, and no usable session is ever issued to the attacker. However, the adoption rate for phishing-resistant MFA is low, especially among SMBs.
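Why the origin binding defeats a proxy, as an added example that is not part of the original post. In WebAuthn the browser, not the page, writes the page's real origin into `clientDataJSON`, refuses an `rpId` that is not a registrable suffix of that origin, and the authenticator signs over `authenticatorData || SHA-256(clientDataJSON)`. The relying party then checks the origin exactly and verifies the signature, so a proxy can neither present the right origin nor edit it in flight. The domains are made up, the HMAC stands in for the authenticator's ECDSA signature, and `evil.login.example` is a hypothetical dangling subdomain included only to show that the signature check bites even when the `rpId` check passes.

```python
"""Added model of WebAuthn's origin binding (not the page's code). An HMAC stands
in for the authenticator's signature; all domains are constructed."""
import hashlib
import hmac
import json

RP_ID = "login.example"                       # the legitimate relying party (constructed)
EXPECTED_ORIGIN = "https://login.example"
CREDENTIAL_KEY = b"stand-in for the private key held by the security key"
CHALLENGE = "dGhpcy1pcy1hLXJhbmRvbS1jaGFsbGVuZ2U"


def browser_get(page_origin, requested_rp_id, challenge):
    """Model of navigator.credentials.get() as the browser runs it on page_origin."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("rpId must be a registrable suffix of the page origin")
    # The page cannot influence the origin field: the browser fills it in itself.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP|UV) | signCount
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    signature = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                         hashlib.sha256).digest()
    return client_data, auth_data, signature


def verify(client_data, auth_data, signature, challenge):
    """Relying-party checks: challenge, exact origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad challenge"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return "bad signature"
    return "ok"


def login_from(page_origin, requested_rp_id, rewrite_origin=None):
    """One login attempt; rewrite_origin models a proxy editing clientDataJSON in flight."""
    try:
        client_data, auth_data, signature = browser_get(page_origin, requested_rp_id, CHALLENGE)
    except PermissionError as err:
        return f"browser refused: {err}"
    if rewrite_origin:
        cd = json.loads(client_data)
        cd["origin"] = rewrite_origin
        client_data = json.dumps(cd).encode()   # signature no longer covers these bytes
    return verify(client_data, auth_data, signature, CHALLENGE)


if __name__ == "__main__":
    print(login_from("https://login.example", "login.example"))
    print(login_from("https://login.example-secure.net", "login.example"))
    print(login_from("https://login.example-secure.net", "login.example-secure.net"))
    print(login_from("https://login.example-secure.net", "login.example-secure.net",
                     rewrite_origin="https://login.example"))
    print(login_from("https://evil.login.example", "login.example",
                     rewrite_origin="https://login.example"))
```

Only the first call succeeds. A proxy on its own domain is refused by the browser if it asks for the real `rpId`, gets an origin mismatch if it asks for its own, and gets an `rpIdHash` or signature failure if it rewrites the origin afterwards. Contrast that with the OTP flow above, where the victim's code is just another form field the proxy can forward.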

Awareness is critical for all other identities, the ones still using MFA that isn't phishing-resistant. Be politely suspicious of links, and if you think you've fallen victim to a token theft attack, tell someone who can invalidate your sessions and rotate your credentials immediately. Both steps matter: a token that has already been issued keeps working until it expires or is explicitly revoked, so a password reset on its own may leave the attacker's session alive.
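What the replayed token looks like from the defender's side, as an added example (not the page's code, and not any vendor's detection logic). A stolen session shows up in sign-in telemetry as the same session identifier being used from a second network location or client shortly after the real user authenticated, typically without a fresh MFA prompt. The records below are constructed, with the fields most identity providers log; the rule flags a session reused within an hour from a different IP where the country or the client also changed, and stays quiet when a user simply moves between two addresses on the same device.

```python
"""Added session-reuse detector over constructed sign-in records (not the page's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)

SIGNINS = [  # constructed sample, not real telemetry
    {"ts": "2024-05-02T09:12:04Z", "user": "alice@example.com", "session": "s-7f3a",
     "ip": "203.0.113.10", "country": "US", "ua": "Chrome/124 Windows", "mfa": True},
    # 36 seconds later the same session is used from another country, another client, no MFA
    {"ts": "2024-05-02T09:12:40Z", "user": "alice@example.com", "session": "s-7f3a",
     "ip": "198.51.100.77", "country": "NL", "ua": "Chrome/120 Linux", "mfa": False},
    # Bob roams between two addresses on the same phone: benign
    {"ts": "2024-05-02T10:03:11Z", "user": "bob@example.com", "session": "s-19c2",
     "ip": "203.0.113.44", "country": "US", "ua": "Safari/17 iPhone", "mfa": True},
    {"ts": "2024-05-02T10:41:55Z", "user": "bob@example.com", "session": "s-19c2",
     "ip": "203.0.113.45", "country": "US", "ua": "Safari/17 iPhone", "mfa": False},
    # Bob's separate laptop session from a trip: a new session, not a reuse
    {"ts": "2024-05-02T14:20:00Z", "user": "bob@example.com", "session": "s-4e01",
     "ip": "192.0.2.9", "country": "DE", "ua": "Chrome/124 Windows", "mfa": True},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_reuse(signins, window=WINDOW):
    """Return one alert per session that is reused, within `window` of its first use,
    from a different IP where the country or the user agent also differs."""
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["session"]].append(rec)
    alerts = []
    for session, recs in by_session.items():
        recs.sort(key=lambda r: parse_ts(r["ts"]))
        first = recs[0]   # the sign-in that actually satisfied MFA and minted the token
        for later in recs[1:]:
            moved_network = later["ip"] != first["ip"]
            changed_context = later["country"] != first["country"] or later["ua"] != first["ua"]
            if parse_ts(later["ts"]) - parse_ts(first["ts"]) <= window and moved_network and changed_context:
                alerts.append({
                    "user": first["user"], "session": session,
                    "issued_from": (first["ip"], first["country"], first["ua"]),
                    "reused_from": (later["ip"], later["country"], later["ua"]),
                    "seconds_after_issue": int((parse_ts(later["ts"]) - parse_ts(first["ts"])).total_seconds()),
                    "mfa_satisfied_on_reuse": later["mfa"],
                })
                break   # one alert per session is enough to trigger the response
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SIGNINS):
        print(alert)
```

The alert carries everything the responder needs to act on the advice above: whose sessions to revoke, which address to hunt for elsewhere, and the fact that the reuse satisfied no MFA of its own, which is the signature of a replayed token rather than a second legitimate login.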

Security Awareness Training: A Crucial Key to Preventing AiTM Attacks

AiTM attacks are prevalent, but fear not, because they're also preventable. One of the best ways to protect yourself from AiTM attacks is a layered security approach. Protection tools like endpoint detection and response (EDR) and identity threat detection and response (ITDR) are incredibly helpful in catching these attacks after a threat actor has snuck in. But why let them get that far in the first place? You can also reduce the risk of initial access with a robust security awareness training (SAT) program.

Since the 杏吧传媒 Security Operations Center (SOC) has seen so many AiTM attacks, it's clearly an important topic. That's why we're making sure our partners and customers can train their end users to identify and prevent AiTM from happening in the first place. With that said, we're happy to share the release of our newest 杏吧传媒 Managed SAT episode: Adversary in the Middle.

In this episode, Bot-Head is scheming to attend Curriculaville Comic-Con with an epic Mech suit. But there's one big problem: her wages from Major's Fried Chicken just aren't enough to cover that pricey costume. So, she plans an AiTM attack on Cannoli Bros. Construction to score stolen credentials and solicit money from their customers.

By following Bot-Head's scheme, you and your learners will get to know more about AiTM tactics, how to spot them, and, most importantly, what to do when a real attack comes knocking.

Stay Ahead of the Sneaky Stuff

The most dangerous threats aren't the loudest or biggest. They're the ones you didn't even see coming. AiTM may not have the reputation of more notorious threats like ransomware or phishing, but its stealth is what makes it so scary. Adversaries quietly slide between you and another party, leaving you vulnerable before you even know something's gone wrong.

But you don't have to be vulnerable. 杏吧传媒 has your back. We're all about helping you stay one step ahead, and that means giving you the tools, knowledge, and insights to spot and stop these sneaky attacks before they get too close. We want this to be about more than just defense. It's about helping you take the power back from the craftiest threat actors.
