Prevent AitM Phishing Attacks with these ten simple steps

August 30, 2024

TLDR:

  • Attackers are using Adversary-in-the-Middle (AitM) phishing attacks to bypass traditional security controls like MFA and EDR.
  • AitM phishing involves using toolkits to act as a proxy between a user and a legitimate login portal to steal sessions and credentials.

Article Summary:

Attackers are increasingly using AitM phishing attacks to bypass traditional security controls like Multi-Factor Authentication (MFA) and Endpoint Detection and Response (EDR). AitM phishing involves using specialized toolkits to act as a proxy between a user and a legitimate login portal, allowing attackers to steal live sessions and credentials. This technique makes it harder for users to detect the compromise, as the page appears legitimate. There are two main methods used to implement AitM phishing: reverse web proxies and Browser-in-the-Middle (BitM) techniques. These toolkits enable attackers to observe interactions, control authenticated sessions, and gain access to user accounts. Phishing has been a top attack vector for years, but the evolution of phishing toolkits has made it more challenging to detect and prevent these attacks.

AitM phishing sites constantly change to evade detection, making it difficult for defenders to rely on blocking known-bad URLs or IP addresses. With attackers investing in advanced phishing toolkits, organizations need to adopt new approaches to detect and block these attacks effectively. Building detections based on user behavior when entering credentials can be more effective. Leveraging browser-based security controls can help intercept users at the point of impact and stop identity attacks before they happen. By focusing on dynamic analysis and response within the browser, security teams can enhance their defenses against AitM phishing attacks.
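One way to build a detection on credential-entry behavior rather than on known-bad URLs, as an added example that is not from the original article: a browser-side check that fingerprints a protected password and blocks it when it is typed on any origin other than the identity provider's own. The function names, the `login.idp.example` origin and the sample password are constructed assumptions, and the block runs under Node.js for illustration.

```javascript
// Added example (not from the article): flag a protected password typed on an
// origin that is not the identity provider's. Names and values are constructed.
const crypto = require("node:crypto");

// Per-install key (assumption) so stored fingerprints are useless if copied out.
const INSTALL_KEY = crypto.randomBytes(32);

// Keyed, truncated fingerprint: recognises the password without storing it.
function fingerprint(password) {
  return crypto.createHmac("sha256", INSTALL_KEY)
    .update(password, "utf8").digest("hex").slice(0, 16);
}

// fingerprint -> Set of origins where that credential legitimately belongs
const knownCredentials = new Map();

function enroll(password, origins) {
  knownCredentials.set(fingerprint(password), new Set(origins));
}

// Exact scheme + host + port comparison, so a lookalike host that merely
// starts with the real name never matches. Non-HTTPS pages yield null.
function originOf(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Called when a password field is submitted; returns a verdict to act on.
function checkCredentialEntry(pageUrl, password) {
  const allowed = knownCredentials.get(fingerprint(password));
  if (!allowed) return { action: "allow", reason: "not a protected credential" };
  const origin = originOf(pageUrl);
  if (origin && allowed.has(origin)) return { action: "allow", reason: "expected origin" };
  return { action: "block", reason: `protected credential entered on ${origin ?? "non-HTTPS or invalid page"}` };
}

// Constructed sample: one protected credential, checked on three pages.
enroll("Correct-Horse-42", ["https://login.idp.example"]);
for (const url of ["https://login.idp.example/oauth2/authorize",
                   "https://login.idp.example.sso-check.test/oauth2/authorize",
                   "http://login.idp.example/"]) {
  console.log(url, "->", checkCredentialEntry(url, "Correct-Horse-42").action);
}
```

Because the verdict depends only on where the credential is entered, it holds even when the proxied page is pixel-identical to the real portal and its URL has never been seen before.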
