iTnews Asia

Microsoft details massive phishing operation


Adversary in the Middle campaign tried to target over 10,000 organisations.

By Juha Saarinen on Jul 14, 2022 10:09AM

A phishing campaign that has been active since September 2021 has so far attempted to target more than 10,000 organisations, Microsoft security researchers said.

The campaign uses what Microsoft calls Adversary in the Middle (AiTM) attacks, which involve setting up a proxy server that sits between victims and the websites they wish to visit.

With a proxy server that intercepts Hypertext Transfer Protocol (HTTP) packets from users, attackers don't need to create sites that impersonate legitimate ones, as in traditional phishing campaigns.

Capturing HTTP packets enables attackers to steal targets' passwords and the session cookie generated as users authenticate on websites, the researchers said.

With the session cookie in hand, attackers can inject it into their own browser and skip the authentication process.

This attack works even if multi-factor authentication is enabled.

The email-borne phishing campaign looks very genuine to targets, who received messages informing them that they had a voicemail waiting, with an HTML attachment masquerading as an MP3 audio file.

Microsoft said the phishing landing page automatically filled in the victim's email address to enhance the social engineering lure.

The technique was also an attempt by attackers to stop conventional anti-phishing tools from directly accessing the malicious URLs.

Once the attackers had captured passwords and session cookies, they would engage in payment fraud in which they would trick victims into transferring funds to accounts controlled by the threat actors.

To protect against AiTM attacks, Microsoft said that even though they attempt to bypass MFA, organisations should still implement the security measure, as it is very effective at stopping a wide variety of threats.

"Its effectiveness is why AiTM phishing emerged in the first place," Microsoft's security researchers said.
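
As an added example (not from Microsoft or this article), one way a defender can look for the session-cookie replay described above is to compare each request's source IP and user agent with the context in which the session was issued. The log schema, action names and every record below are constructed assumptions.

```python
from collections import namedtuple

# Hypothetical log schema; real sign-in and activity logs use different field names.
Event = namedtuple("Event", "ts user session_id ip user_agent action")

# Constructed sample records (documentation IP ranges, made-up session ids).
SAMPLE_LOG = [
    Event("2022-07-14T09:00:05", "alice@example.com", "s-1001", "198.51.100.7", "Edge/103 Windows", "login_mfa_ok"),
    Event("2022-07-14T09:02:11", "alice@example.com", "s-1001", "198.51.100.7", "Edge/103 Windows", "read_mail"),
    Event("2022-07-14T09:03:40", "bob@example.com", "s-2002", "203.0.113.50", "Chrome/103 Linux", "login_mfa_ok"),
    Event("2022-07-14T09:09:12", "bob@example.com", "s-2002", "192.0.2.99", "Firefox/102 Windows", "read_mail"),
    Event("2022-07-14T09:10:30", "bob@example.com", "s-2002", "192.0.2.99", "Firefox/102 Windows", "send_mail"),
    Event("2022-07-14T09:15:00", "carol@example.com", "s-3003", "198.51.100.20", "Safari/15 macOS", "login_mfa_ok"),
    Event("2022-07-14T09:40:00", "carol@example.com", "s-3003", "198.51.100.88", "Safari/15 macOS", "read_mail"),
]


def find_replayed_sessions(events):
    """Return one finding per new client context in which an issued session appears.

    severity "high": source IP and user agent both differ from the sign-in context
    severity "low":  only the IP differs (roaming users also produce this)
    """
    issued = {}    # session_id -> event that completed authentication
    findings = {}  # (session_id, ip, user_agent) -> finding
    for ev in sorted(events, key=lambda e: e.ts):  # ISO timestamps sort as text
        if ev.action == "login_mfa_ok":
            issued[ev.session_id] = ev
            continue
        origin = issued.get(ev.session_id)
        if origin is None:
            continue  # session predates the log window; nothing to compare against
        if ev.ip == origin.ip:
            continue  # same network as sign-in; a user-agent change alone is ignored
        key = (ev.session_id, ev.ip, ev.user_agent)
        findings.setdefault(key, {
            "user": ev.user, "session_id": ev.session_id,
            "issued_from": origin.ip, "seen_from": ev.ip, "first_seen": ev.ts,
            "severity": "high" if ev.user_agent != origin.user_agent else "low",
        })
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

In an AiTM sign-in the website sees the proxy server, not the victim's device, as the issuing context, so the comparison is between the proxy and wherever the cookie is later used.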
