Defending Against AitM Phishing: A Comprehensive Guide to the Latest Campaign Targeting US Enterprises
Overview
In early 2025, cybersecurity researchers identified a sophisticated phishing campaign specifically aimed at US organizations. The attacks leverage Adversary-in-the-Middle (AitM) techniques to bypass multi-factor authentication (MFA) and steal credentials. Emails disguised as official conduct reports lure recipients to a fake Microsoft login page that captures both passwords and session tokens. This guide provides a detailed breakdown of the attack, step-by-step instructions for security teams to detect and mitigate it, and common pitfalls to avoid.
The campaign is notable for its precision targeting, use of legitimate-looking domains, and real-time credential harvesting—making it a significant threat to enterprise security. Understanding the mechanics is essential for any organization using Microsoft 365 or Azure AD.
Prerequisites
Before diving into the tutorial, ensure you have the following:
- Basic knowledge of phishing attacks and common indicators (e.g., suspicious URLs, grammar errors).
- Access to your organization’s email security logs (e.g., Microsoft 365 Defender, Proofpoint, or Mimecast).
- Understanding of MFA: How TOTP, push notifications, and OAuth tokens work.
- Tools for analysis: Browser developer tools, URL analysis sites (VirusTotal, URLScan.io), and a sandbox for link execution (optional).
- Organizational policies for incident response and user awareness training (recommended).
Step-by-Step Instructions
1. Recognizing the Phishing Email
The initial email appears to come from an internal HR or compliance department. The subject line often includes “Conduct Report” or “Violation Notification.” Key characteristics:
- Spoofed sender address: Example – hr-department@[compromised domain] but with a slight variation (e.g., .co instead of .com).
- Urgent language: “Immediate action required” or “Your account will be suspended.”
- Embedded link: Usually a shortened URL (e.g., bit.ly) or a redirect through a legitimate service like Google Forms or SharePoint.
Action: Train users to hover over links without clicking. Check the full URL in the status bar. Any mismatch with the displayed text is a red flag.
2. Analyzing the Link with AitM Infrastructure
Once a user clicks, they are redirected to a phishing page that mimics the Microsoft online login (e.g., login.microsoftonline.com). But unlike classic phishing, this page uses an AitM proxy. The attacker’s server sits between the victim and Microsoft’s actual login server. Step-by-step breakdown:
- The phishing page forwards the victim’s credentials to the real Microsoft login endpoint.
- When Microsoft sends a MFA challenge (e.g., push to authenticator app, SMS code), the proxy captures both the password and the session token (not just a static password).
- The attacker then uses the session token to access the victim’s account, bypassing MFA completely.
Detection: Use tools like PhishLabs or Cybersecurity & Infrastructure Security Agency (CISA) guidelines. Check the page source for unusual JavaScript that intercepts form data and sends it to a remote server.
3. Identifying the Fake Login Page
The URL of the phishing page is often a homograph attack (e.g., using a Cyrillic character that looks like an ASCII letter) or a subdomain of a legitimate-looking domain (e.g., login.microsoft.com.security-check[.]com). Look for:
- Missing HTTPS or a padlock that is not fully valid (yellow triangle).
- Inconsistent branding: Slight differences in the Microsoft logo or font.
- Unusual fields: Sometimes asks for additional info like “security questions” or “ID number.”
Tool: Use URLScan.io to scan the link and see if it has been reported as malicious.
4. Defensive Measures for Organizations
To protect against AitM phishing, implement a layered approach:
- Email filtering: Set rules to quarantine emails with “conduct report” or “HR violation” in the subject, especially from external senders.
- MFA enhancements: Use number matching in Microsoft Authenticator or FIDO2 security keys – these are resistant to AitM attacks.
- Conditional Access policies: Require compliance checks (e.g., device health, known IP ranges) before granting access, even with valid tokens.
- User training: Run simulated phishing campaigns that include AitM scenarios. Teach users to always verify the URL and never reuse credentials.
5. Incident Response Steps
If a user reports clicking a suspicious link:
- Isolate the user’s session: Force logout from all sessions via Azure AD admin center.
- Reset credentials: Change password and revoke tokens.
- Check for lateral movement: Examine logs for unusual mailbox access, forwarding rules, or access to sensitive documents.
- Report the domain: Submit to Microsoft (via reportphishing) and to CISA.
Common Mistakes
- Assuming MFA is foolproof: AitM specifically targets session tokens, not just passwords. Organizations that rely solely on SMS or app-based approval codes are vulnerable.
- Ignoring homograph URLs: Users may not notice a Cyrillic “е” in place of ASCII “e”. Train them to use browser address bars.
- Delayed reporting: The attacker often uses the stolen session within minutes. Encourage immediate reporting of any suspicious links.
- Overlooking log analysis: Many security teams don’t check for unusual login locations or device fingerprints. Enable Azure AD sign-in logs and set alerts for atypical behavior.
- Failing to update training: Phishing campaigns evolve; annual training is insufficient. Provide quarterly updates with real-world examples.
Summary
This sophisticated phishing campaign using AitM techniques poses a serious threat to US organizations by bypassing MFA through real-time credential harvesting. To defend, organizations must combine technical controls (enhanced MFA, conditional access, email filtering) with ongoing user education. Immediate incident response steps include session revocation and credential reset. By understanding the attack flow and common mistakes, security teams can significantly reduce risk.