Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
eSentire has observed an increase in Adversary-in-the-Middle (AitM) phishing attacks, starting in mid-September 2023. AitM phishing attacks involve socially-engineering end-users into opening malicious links contained in emails. Data is then proxied or relayed through attacker-controlled infrastructure, leading to the theft of user credentials, including Multi-Factor Authentication (MFA) codes and session cookies that would grant access to various accounts. eSentire has observed this access being used to conduct Business Email Compromise (BEC) attacks.
By detecting anomalous sign-ins and tracking threat actor infrastructure, eSentire identified this threat at its earliest stage, limiting follow-on activities that would have resulted in Business Email Compromise. eSentire is continuously improving detection for anonymous logins and BEC attacks. See below for additional details and security recommendations.
What we’re doing about it
Impacted organizations have been directly notified by eSentire’s Security Operations Center (SOC)
eSentire MDR for Log detects the described activity, as well as Business Email Compromise (BEC) follow-on activity
eSentire security teams continue to track this activity for additional details and detection opportunities
What you should do about it
Organizations, with eSentire MDR for Log, are strongly recommended to ensure logging is enabled for Azure AD and Office365
Ensure user training includes information on recent adversary tactics, such as AitM and QR code abuse
Implement conditional access policies, such as:
Limiting access to managed or compliant devices
Block known malicious indicators via Conditional Access policies by limiting access to trusted IP addresses and locations (see table 1)
Reduce the lifetime of user sessions
If impacted by AitM Phishing:
Reset user credentials
Revoke active logon sessions
Review impacted inboxes for rule changes and data exfiltration
Additional information
During routine threat-hunting exercises via MDR for Log, eSentire’s Tactical Threat Response (TTR) team identified an increase in anomalous sign-in activity within Azure AD from known adversary phishing infrastructure. These AitM attacks are very stealthy and allow threat actors to bypass authentication mechanisms, as they capture and replay stolen session tokens, leaving a limited footprint in the environment. This allows threat actors to avoid detection until they begin to perform hands-on activities against a user's account or mailbox.
In AitM attacks, the initial email generally pressures the user to immediately interact with a link or QR code, with a lure related to monetary funds or account information (see Figure 1). QR codes are employed in attacks to force the user onto their mobile device, which is less likely to be monitored. Phishing pages often include corporate branding and appear identical to the corporate landing page where users may be prompted with a Multi-Factor Authentication request. It’s important to note that the implementation of MFA does not fully prevent this sophisticated attack. Once credentials and the session cookie have been submitted, attackers may replay this information to gain access to the victim’s account. eSentire has observed threat actors perform reconnaissance, via email review and adding mailbox rules to hide, delete, or forward emails. Threat actors have also been identified using established access to add a new device for MFA authentication, allowing them persistent access to the victim account. After access has been established, the threat actors may attempt illicit funds transfer or commit other malicious actions.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
