AitM Phishing Attacks Targeting Microsoft 365 and Google to Steal Login Credentials


Organizations worldwide are facing an unprecedented surge in sophisticated phishing attacks that specifically target Microsoft 365 and Google accounts through an advanced technique known as Adversary-in-the-Middle (AitM).

These attacks represent a significant evolution in cybercriminal tactics, leveraging sophisticated reverse proxy servers to intercept authentication sessions and bypass multi-factor authentication protections that organizations have come to rely upon for security.

The AitM technique fundamentally differs from traditional phishing by positioning malicious servers between victims and legitimate authentication services.


When users attempt to log into their accounts through what appears to be a legitimate Microsoft or Google login page, the AitM server relays their credentials to the actual authentication API while simultaneously harvesting session cookies.

This intercepted session data allows attackers to gain complete access to victim accounts without triggering additional authentication challenges, effectively rendering multi-factor authentication useless against these sophisticated attacks.
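The session-cookie theft described above has a detectable signature on the identity-provider side: the sign-in is seen from the proxy's address rather than the user's usual network, and the captured session is then used from yet another address shortly afterwards. The following detector is an added example, not Sekoia's code or any vendor tooling; it runs over constructed sign-in events and a hypothetical per-user baseline of known source addresses.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Session "S2" models an AitM
# flow: sign-in from an unfamiliar address (the proxy), then the same session
# used from a third address a few minutes later (the replayed cookie).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "signin",   "ip": "203.0.113.10", "session": "S1"},
    {"ts": "2024-05-01T09:02:00", "user": "alice", "event": "activity", "ip": "203.0.113.10", "session": "S1"},
    {"ts": "2024-05-01T10:00:00", "user": "alice", "event": "signin",   "ip": "198.51.100.7", "session": "S2"},
    {"ts": "2024-05-01T10:04:00", "user": "alice", "event": "activity", "ip": "192.0.2.55",   "session": "S2"},
]

# Hypothetical per-user baseline of known good source addresses.
BASELINE = {"alice": {"203.0.113.10"}}

# How soon after the sign-in a replay from a new address is considered linked.
REPLAY_WINDOW = timedelta(minutes=60)


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_aitm_sessions(events, baseline, window=REPLAY_WINDOW):
    """Return session ids that fit the AitM pattern: sign-in from outside the
    user's baseline, then the same session used from a different address
    within `window` of that sign-in."""
    signins = {e["session"]: e for e in events if e["event"] == "signin"}
    flagged = []
    for e in events:
        if e["event"] != "activity":
            continue
        s = signins.get(e["session"])
        if s is None:
            continue
        off_baseline = s["ip"] not in baseline.get(s["user"], set())
        new_ip = e["ip"] != s["ip"]
        delta = _parse(e["ts"]) - _parse(s["ts"])
        in_window = timedelta(0) <= delta <= window
        if off_baseline and new_ip and in_window and e["session"] not in flagged:
            flagged.append(e["session"])
    return flagged
```

A baseline address is only a proxy for "the user's network"; in production the same logic would key on ASN or device identity, since the relay and replay addresses often sit in hosting ranges.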

Sekoia analysts identified that the threat landscape has experienced dramatic changes since 2023, with cybercriminals rapidly adopting new attack vectors and distribution methods.

The research team’s comprehensive monitoring revealed that threat actors have evolved from primarily using QR codes embedded in documents to increasingly sophisticated HTML attachments and malicious SVG files for distributing phishing links.

This tactical evolution demonstrates the adaptability of cybercriminal operations and their ability to stay ahead of traditional security measures. The financial impact of these attacks extends far beyond initial account compromise.

Once attackers gain access to cloud accounts, they typically conduct extensive reconnaissance before launching Business Email Compromise operations, including internal spearphishing campaigns, data exfiltration, and various forms of financial fraud such as modifying banking details or issuing fraudulent invoices.

The comprehensive nature of these follow-up attacks often results in significant financial losses for targeted organizations, with some attacks leading to advanced persistent threat scenarios or even ransomware deployments.

The proliferation of Phishing-as-a-Service platforms has dramatically lowered the barrier to entry for conducting AitM attacks.

Typical Phishing-as-a-Service (PhaaS) operations for AitM phishing kits (Source – Sekoia)

These subscription-based services, ranging from $100 to $1,000 monthly, provide cybercriminals with turnkey phishing capabilities including email templates, anti-bot protections, administration panels, and automated data forwarding to messaging platforms like Telegram.

This democratization of advanced phishing tools has enabled even technically inexperienced criminals to conduct sophisticated attacks against enterprise targets.

Advanced Infection Mechanisms and Evasion Techniques

The technical sophistication of modern AitM attacks lies in their multi-layered approach to victim targeting and security evasion.

Contemporary campaigns typically begin with carefully crafted social engineering lures that exploit corporate scenarios such as financial notifications, human resources communications, or IT security updates.

These initial communications often contain malicious SVG attachments that incorporate JavaScript or xlink:href attributes to redirect victims through multiple intermediate steps before reaching the final phishing page.
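Because an SVG is XML, the script and link-bearing constructs mentioned above can be checked for at the mail gateway before the attachment ever renders. This inspector is an added example, not code from Sekoia or the report; the sample SVG and the placeholder domain it links to are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an SVG attachment carrying an xlink:href to an external
# page, an inline <script>, and an event-handler attribute (placeholder domain).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="60">
  <a xlink:href="https://example.invalid/redirect"><text x="10" y="30">View invoice</text></a>
  <script>window.location = "https://example.invalid/next";</script>
  <rect onload="fetch('https://example.invalid/beacon')" width="1" height="1"/>
</svg>"""

# Schemes that make an href worth flagging in a static image.
SUSPICIOUS_SCHEMES = ("http:", "https:", "javascript:", "data:")


def _local(tag):
    """Strip the XML namespace, so {..svg}script and {..xlink}href compare by name."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def inspect_svg(svg_text):
    """Return a list of (element, reason) findings for an SVG attachment."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = _local(elem.tag)
        # Elements that execute code or embed foreign content.
        if name in ("script", "foreignObject", "iframe"):
            findings.append((name, f"<{name}> element present"))
        for attr, value in elem.attrib.items():
            a = _local(attr)
            # Event-handler attributes (onload, onclick, ...) run script on render.
            if a.startswith("on"):
                findings.append((name, f"event handler attribute {a}"))
            # href / xlink:href that leaves the document.
            if a == "href" and value.strip().lower().startswith(SUSPICIOUS_SCHEMES):
                findings.append((name, f"href to {value}"))
    return findings


def is_suspicious(svg_text):
    return len(inspect_svg(svg_text)) > 0
```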

The most advanced AitM kits employ sophisticated traffic distribution systems and anti-bot capabilities to ensure their malicious content only reaches intended targets.

These systems verify that incoming traffic originates from residential internet service providers rather than corporate security scanners, check for appropriate operating systems and browsers consistent with corporate environments, and implement CAPTCHA challenges using legitimate services like Cloudflare Turnstile or reCAPTCHA.

Telemetry of prominent AitM phishing kits from Sekoia SOC platform (Source – Sekoia)

The Tycoon 2FA platform integrates BlackTDS service specifically to prevent security analysis environments from accessing phishing pages, while Mamba 2FA utilizes Adspect TDS for similar protective purposes.

Based on Sekoia’s monitoring methodology, the most prevalent AitM phishing kits currently active include Tycoon 2FA, Storm-1167, NakedPages, Sneaky 2FA, and EvilProxy, with Tycoon 2FA achieving the highest threat score due to its extensive infrastructure and frequent updates to evade detection systems.
