cofense2022stg.wpengine.com Open in urlscan Pro
34.74.117.101  Public Scan

URL: https://cofense2022stg.wpengine.com/blog/cofense-intelligence-strategic-analysis-2/
Submission: On May 10 via api from TR — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

 * Blog
 * Customer Resource Center
 * Contact Support
 * Contact Us

Menu
 * Blog
 * Customer Resource Center
 * Contact Support
 * Contact Us

 * Stop Threats
   
   End-to-End Email Security
   
   Defend your organization with a complete email security solution designed to
   identify, protect, detect & respond to threats.
   
   Security Awareness Training
   
   Condition your workforce against today’s latest threats and transform them
   into your front line of defense.
   
   Global Intelligence Network
   
   Protect your organization with our deep analysis into the current threat
   landscape and emerging trends.
   
   Cofense vs. The Competition
   
   See why the Cofense Intelligent Email Security suite stands out against the
   competition 
   
   Business Email Compromise (BEC)
   
   BEC amounts to an estimated $500 billion-plus annually that’s lost to fraud.
   Ensure your business is protected.
   
   Ransomware & Malware
   
   Phishing is the #1 attack vector for ransomware attacks. Stop phishing
   attacks in their tracks.
   
   Credential Theft
   
   Protect your user’s credentials and avoid a widespread, malicious attack.

 * Solutions
   
   Email Security for the Enterprise
   
   Complete threat protection, detection and response tailored for enterprise
   businesses.
   
   Email Security for the Mid Market
   
   Security awareness training + email security protection purpose-built for
   your mid-market organizations.
   
   Email Security for Managed Service Providers (MSPs)
   
   Best-in-Class Phishing Protection and Simulations designed for MSPs, from the
   ground up.
   
   Managed Email Security Solutions
   
   Protect your organization from attacks with managed services from the Cofense
   Phishing Defense Center™.
   
   Detect and Stop Attacks
   
   Automatically identify and quarantine email threats across your organization
   in minutes.
   
   Analyze & Remediate Reported Threats
   
   Accelerate threat detection and response, empowering fast resolution.
   
   Actionable Insight into Emerging Threats
   
   Protect your organization with our deep analysis into the current threat
   landscape and emerging trends.
   
   Security Awareness Training
   
   Condition your workforce against today’s latest threats and transform them
   into your front line of defense.
   
   Security Awareness Training + Threat Protection
   
   Growing companies can get protection, realistic simulations and security
   awareness training all in one platform.
   
   Easily Report Suspected Threats
   
   Report suspicious threats with just one click.
   
   Empower Your Team
   
   Train employees through an with award-winning Learning Management System.

 * Clients
   
   Industries We Serve
   
   Businesses from all industries rely on Cofense to safeguard their teams.
   
   What Our Customers Say
   
   Global organizations trust Cofense to protect their most critical assets.

 * Resources
   
   Knowledge Center Hub
   
   Check out our resource library of solution content, whitepapers, videos and
   more.
   
   Events & Webinars
   
   Come see us at a local event or join us at an upcoming webinar.
   
   Blog
   
   Stay current on cybersecurity trends, market insights and Cofense news.
   
   Check Your SEG
   
   See the real threats that are currently evading your Secure Email Gateway
   (SEG).

 * About
   
   About Cofense
   
   Cofense stops email security threats and protects your company through our
   network of 35+ Million human reporters.
   
   News Center
   
   See the latest articles, press releases and more in our news center.
   
   Awards
   
   It’s an honor to be recognized in the cybersecurity market. Check out our
   recent awards.
   
   Partners
   
   Grow your business, drive new revenue streams, and improve your competitive
   posture through our Partner Program.
   
   Careers
   
   We’re looking for passionate people to join us in our mission to stop all
   email security threats for organizations around the globe.
   
   Management Team
   
   Get to know our management team.

X

Get a Demo



MAN-IN-THE-MIDDLE (MITM) ATTACKS REACHING INBOXES INCREASE 35% SINCE 2022


MITM PHISHING GROWS, USING REAL LOGIN PROCESS TO STEAL CREDENTIALS

 * May 9, 2023

Home » Blog » Man-in-the-Middle (MitM) attacks reaching inboxes increase 35%
since 2022

Share Now

Facebook
Twitter
LinkedIn

A man-in-the-middle (MitM) attack is an adversary’s attempt to steal information
by inserting themselves between victims and their legitimate, expected
destination. Threat actors combining credential phishing with man-in-the-middle
attacks have been another evolution in the threat landscape. In this context,
rather than setting up one fake login page, the attacker lures victims to their
web server which will broker the entire authentication process between the user
and the actual destination. If successful, threat actors can use the harvested
usernames, passwords, and session cookies to gain access to a victim’s account
and even bypass multi-factor authentication. 

Man-in-the-middle attacks are meant to be transparent to the victim, but this
does not mean they are undetectable. Credential phishing man-in-the-middle
attacks are no different. Based on a few tell-tale signs, Cofense Intelligence
has identified notable trends, including: 

 * a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023 
 * 94% of MitM credential phishing attacks reaching inboxes targeted O365
   authentication 
 * 89% of campaigns used at least one URL redirect, and 55% used two or more 

The signs we used to track MitM phishing attacks not only allow us to perform
statistical analysis, but are also useful for detection and defense. Network
defenders will need to be aware of these markers to better protect their
organizations. 


MITM PHISHING BY THE NUMBERS 

Taking the characteristics of credential phishing MiTM URLs (outlined later in
this report) and matching them against phishing campaigns found in customer
mailboxes, Cofense Intelligence has observed a gradual but persistent increase
in the volume of credential harvesting man-in-the-middle attacks since early
2021. Figure 6 shows major spikes in January and September of 2022, followed by
significant corrections that still retain an upward long-term trajectory. The
spikes and corrections may be due to cycles in which threat actors develop,
test, and refine the capabilities of their MiTM phishing kits. There are also
numerous open-source tools (such as evilginx2, CipherGinx, and Muraena) that
could provide threat actors with MiTM capabilities. 



Figure 1: Count of man-in-the-middle phishing campaigns per month over the past
two years. 

The significant majority of man-in-the-middle landing pages we have identified
attempt to intercept Office 365 credentials (Figure 2), with Outlook and Amazon
following as a distant second and third. 



Figure 2: Type of login pages being intercepted by man-in-the-middle servers. 

The majority of campaigns observed have a malicious URL embedded in the body of
the email rather than in an attachment. Very few of the embedded URLs address
themselves to the man-in-the-middle server itself. Instead, most pass through
one or more URL redirects before reaching the final URL that actually conducts
the man-in-the-middle attack. 



Figure 3: Most man-in-the-middle phishing campaigns use multiple redirects
before the final MiTM URL. 


HOW IT WORKS 

Man-in-the-middle attacks have been used for a long time, in different contexts.
For example, to eavesdrop on network traffic, an attacker could send an update
to the other devices saying their machine is the new default gateway and all
network traffic should be routed through their computer. An attacker could
impersonate a trusted device by setting up their own Wi-Fi hotspot near other
available wireless networks allowing them to intercept the traffic from any
device which connects to it. 

In credential phishing, a man-in-the-middle server will act as a proxy between
the user and the actual destination (Figure 4). It will present to the user the
destination’s login page and will pass on any received username and password to
the destination website. If multi-factor authentication (MFA) is enabled for
that account, it will present the MFA request to the user for further input, and
forward any responses to the destination. 



Figure 4: The man-in-the-middle server intercepts all steps of authentication.

 Most websites today use web certificates to verify that the site can be trusted
and to create a secure connection between themselves and the user. The
verification process helps to ensure that the destination is who it claims to
be. This secure connection encrypts the back-and-forth traffic with the purpose
of making it difficult for attackers to decrypt any traffic they happen to
intercept. 

The credential harvesting man-in-the-middle server gets around this by setting
up two secure connections. One between itself and the destination and the other
between itself and the user. To help disguise itself within the authentication
process, the man-in-the-middle server will use a valid certificate to
authenticate its own identity and allow encrypted traffic between itself and the
user. 

Since the man-in-the-middle server is between these secure connections, it can
decrypt the data from the user and extract the username and password (Figure 5).
It then re-encrypts the traffic and sends it on to the destination website. If
the authentication is successful, it will continue to broker the connection
between the user and the destination, often even passing along MFA requests. 



Figure 5: Extracted credentials from a secure connection. 

Once all the authentication processes are successful, the final step is for the
destination website to craft a session cookie to send back to the user. Session
cookies are very valuable. They are used to manage logins, shopping carts, user
preferences, and any other information that needs to be saved throughout
someone’s interaction with a website. Just like the username and password, the
attacker can decrypt and extract the session cookie before sending it along to
the user (Figure 6).  



Figure 6: Captured session cookie received from the destination website. 

Once the attacker has the session cookie, they can use it to interact with the
website as if they were the user. This session cookie allows them to bypass
usernames, passwords, and even the multi-factor authentication steps. Using that
session cookie, they will be granted all the access and permissions associated
with that account. 


DETECTING MAN-IN-THE-MIDDLE PAGES 

Figure 4 shows the actual landing page for login.microsoftonline.com and one
that is passing through a man-in-the-middle server. At first glance, these two
pages look identical. This makes sense, as the man-in-the-middle server has just
made a real-time request in order to clone the actual login.microsoftonline.com.
However, there are two significant differences. 



Figure 7: Authentication prompts for legitimate (back) and man-in-the-middle
server (front).


URL INSPECTION 

One way to determine if the landing page is legitimate is to inspect the URL.
Table 1 shows a few well-known login URLs and samples of malicious ones found in
recent campaigns. Notice how similar the URLs are to each other except for the
domains. Attackers will still use the tried-and-true method of creating domain
names which are similar to the destination they are trying to impersonate (e.g.,
Microsoft). They may also create a domain which impersonates a customer’s
business or include subdomains such as secure or login to help look more
legitimate.  

 

Service/Destination URL Legitimate O365
https://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id= . .
. O365 MitM
https://lmo.merlinindvstries[.]com/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM
https://mcmicroteam.infobd71[.]com/common/oauth2/v2.0/authorize?client_id= . . .
O365 MitM
https://login.microsoftonline.atn0[.]live/common/oauth2/v2.0/authorize?client_id=
. . . O365 MitM
https://login.0-396[.]com/common/oauth2/v2.0/authorize?client_id= . . . O365
MitM https://secure.origirnal[.]com/common/oauth2/v2.0/authorize?client_id= . .
. O365 MitM
https://login.micsoftsonline[.]com/common/oauth2/v2.0/authorize?client_id= . . .
Legitimate Outlook https://login.live[.]com/login.srf?wa=signin . . . Outlook
MitM https://microsoftonline.fovere[.]co/login.srf?wa=signin . . . Outlook MitM
https://microsoftonline.eonashnville[.]com/login.srf?wa=signin . . . Outlook
MitM https://microsoftonline.italiandesignbrand[.]com/login.srf?wa=signin . . .
Legitimate Amazon https://amazon[.]com/ap/signin? . . . Amazon MitM
https://aws3dshiharai-amazon.misecure[.]com/ap/signin? . . .

Table 1: Legitimate and malicious URLs found as a part of campaigns which made
it to customer inboxes. 


WEBSITE CERTIFICATES 

The other way to determine if a website is legitimate would be to inspect its
website certificate. Legitimate certificates are authorized by a certificate
authority. These certificates are used to verify that a website is who it says
it is. A padlock icon will appear in your web browser to indicate that the
certificate is valid and the connection between you and the destination is
secure. If there are any issues with the certificate, modern web browsers will
warn you to not proceed any further. 

The certificates below (Figure 8) are from the two websites in Figure 7. Both
browsers showed the padlock icon which indicates the certificates are trusted.
However, looking at the certificates more closely shows the important
difference. The common name in the certificate of the legitimate website is
microsoftonline.com. The common name in the certificate from the
man-in-the-middle server has nothing to do with Microsoft at all. 



Figure 8: Certificates from the legitimate (left) and man-in-the-middle server
(right). 

Just like the URLs above, these names in the certificates should be carefully
inspected as attackers are likely to create domain names which are similar to
microsoftonline.com. Domains such as m1crosoft0nline.com and micsoftonline.com
may fool the casual viewer. 


DEFENDING AND DETECTING 

Throughout the day, there can be a number of online locations where users may be
asked to input their business credentials. These could be locations within their
own company, multiple online cloud portals, and even shared locations from other
businesses. The credential phishing man-in-the-middle campaigns are unique in
that the authentication process looks and feels very legitimate, so much that
users may not even take a second glance at the URL to question its legitimacy. 

With that in mind, here are a few tips for defending against such attacks. 

 * Users should be reminded of which online portals are approved for company
   use.
 * Emails containing URLs or attachments that bring users to a website which
   looks legitimate but does not match the company-approved ones should be
   considered suspicious and reported for further analysis. 

Detecting these campaigns at the inbox level will be difficult as most of the
attacks make use of multiple redirects before landing the victim on the final
man-in-the-middle URL. Despite the redirects, patterns in the final malicious
URL will be very similar to legitimate ones. Alerts on outbound network traffic
which match known URL patterns but do not match the legitimate domains could be
beneficial. The basic logic of an alert might look something like this: 

 * O365
   * URL contains “.com/common/oauth2/v2.0/authorize?client_id=” AND  
   * URL NOT contains
     “login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=”
 * Outlook
   * URL contains “login.srf?wa=signin” AND 
   * URL NOT contains “login.live.com/login.srf?wa=signin” 

Finally, threat actors may leave tracks once they start interacting with a
compromised account. Alerts like the following may help to detect a compromised
account. 

 * Stolen session cookies 
 * Impossible travel 
 * Mailbox rule manipulation 


READ MORE RELATED PHISHING BLOG POSTS


COFENSE NAMED AMONG TOP EMAIL SECURITY VENDORS IN FORRESTER LANDSCAPE REPORT

Read More »
February 13, 2023


SCAMMERS LEVERAGE EARTHQUAKE IN TURKEY & SYRIA IN NEW DONATION SCAM 

Read More »
February 13, 2023


WHAT TO DO IF YOU’RE IN A ROMANCE SCAM

Read More »
February 15, 2023

1602 Village Market Blvd, SE #400
Leesburg, VA 20175

(888) 304-9422

Facebook-f Twitter Linkedin Youtube


COMPANY

 * What We Do
 * How We Do It
 * About
 * Contact Us
 * Legal
 * Privacy Policy


RESOURCES

 * Knowledge Center Hub
 * Events & Webinars
 * Blog
 * Check Your SEG
 *  
 *  

Get a Demo
©2023 Cofense. All rights reserved.

This site is registered on wpml.org as a development site.


We use our own and third-party cookies to enhance your experience by showing you
relevant content, personalizing our communications with you, and remembering
your preferences when you visit our website. We also use them to improve the
overall performance of our site. You can learn more about the cookies and
similar technology we use by viewing our privacy policy. By clicking ‘Accept,’
you acknowledge and consent to our use of all cookies on our website.

Accept