On July 12, 2022, Microsoft warned of large-scale adversary-in-the-middle (AiTM) phishing attacks. These attacks have been ongoing since September 2021 and have targeted over 10,000 organisations worldwide with no end in sight. The ultimate goal is to commit financial fraud.
The attackers intercept Office 365 sign-in sessions (a form of session hijacking), proxying the login flow so that Multi-Factor Authentication (MFA) is completed by the victim while the attacker captures both the user's credentials and the resulting session cookies.
Once they have access to the victim’s mailbox via the AiTM site, they can carry out business email compromise (BEC) attacks, which may involve the impersonation of high-level company staff to trick employees into carrying out actions that can cause harm to the organisation.
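Because an AiTM proxy ends up holding a session cookie that was issued after the victim legitimately passed MFA, the stolen cookie is later presented from the attacker's own client rather than the one that completed MFA. The following is an added detection example (not from Microsoft or the original post) that runs over constructed, hypothetical sign-in events: it binds each session to the client that completed MFA and flags the same cookie being used from a different IP or user agent shortly afterwards without a fresh MFA completion. The event schema, field names and sample values are assumptions, not any real product's log format.

```python
from datetime import datetime

# Constructed sample events; NOT a real Microsoft 365 log format and not real IoCs.
# Each record: timestamp, user, session cookie id, client IP, user agent, and
# whether the request carried a fresh MFA completion.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00", "user": "alice@example.com", "session": "sess-A",
     "ip": "203.0.113.10", "ua": "Edge/103 Windows", "mfa": True},
    {"ts": "2022-07-12T09:02:30", "user": "alice@example.com", "session": "sess-A",
     "ip": "203.0.113.10", "ua": "Edge/103 Windows", "mfa": False},
    # Same cookie presented from a different client minutes later, with no new MFA:
    # the pattern a replayed, AiTM-captured session cookie would produce.
    {"ts": "2022-07-12T09:06:10", "user": "alice@example.com", "session": "sess-A",
     "ip": "198.51.100.7", "ua": "Firefox/102 Linux", "mfa": False},
    {"ts": "2022-07-12T09:10:00", "user": "bob@example.com", "session": "sess-B",
     "ip": "203.0.113.20", "ua": "Chrome/103 macOS", "mfa": True},
    {"ts": "2022-07-12T09:15:00", "user": "bob@example.com", "session": "sess-B",
     "ip": "203.0.113.20", "ua": "Chrome/103 macOS", "mfa": False},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def find_session_replays(events, max_gap_minutes=60):
    """Return alerts for session cookies presented from a second client.

    The first request that carries an MFA completion binds the session id to
    the client (IP + user agent) that passed MFA. A later request with the
    same session id but a different client, and no new MFA completion, within
    max_gap_minutes is reported as a possible stolen-cookie replay.
    """
    bound = {}   # session id -> (user, ip, ua, time of MFA completion)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        sid = ev["session"]
        if ev["mfa"]:
            # A fresh MFA completion (re)binds the session to this client.
            bound[sid] = (ev["user"], ev["ip"], ev["ua"], parse_ts(ev["ts"]))
            continue
        if sid not in bound:
            continue  # no MFA origin known for this session; out of scope here
        user, ip, ua, mfa_ts = bound[sid]
        gap = parse_ts(ev["ts"]) - mfa_ts
        client_changed = ev["ip"] != ip or ev["ua"] != ua
        if client_changed and gap.total_seconds() <= max_gap_minutes * 60:
            alerts.append({
                "user": user,
                "session": sid,
                "mfa_client": (ip, ua),
                "replay_client": (ev["ip"], ev["ua"]),
                "minutes_after_mfa": round(gap.total_seconds() / 60, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this reports one alert, for alice's session, about 6 minutes after her MFA completion. A client change alone is not proof of compromise (mobile networks and VPNs change addresses legitimately), so the practical response to such an alert is to require a fresh MFA challenge and revoke the existing session rather than to treat it as a confirmed incident.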
The sophistication of these attacks shows that attackers find ways around even the most effective controls, such as MFA. While MFA remains a critical step in protecting organisations’ information, providing phishing training to staff at all levels, including senior leadership and C-level executives, is just as important.
The better we can train people to spot malicious activity, the more likely they will defend organisations against cyber-attacks.
The phishing training should increase phishing awareness and help employees identify and report phishing emails.
Regularly testing employees with simulated phishing attacks allows them to practice, learn, and continuously build their skills to detect phishing emails. In addition, educating users on how to identify fake login pages reduces the risk of them giving up their user names and passwords or session cookies.