Full Report
While phishing has evolved, email security hasn't kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Security's browser-based security stops attacks as they happen. [...]
Analysis Summary
# Tool/Technique: Adversary-in-the-Middle (AitM) Phishing Kits
## Overview
AitM phishing kits are specialized tooling used by threat actors to facilitate phishing attacks that bypass traditional security controls, most notably Multi-Factor Authentication (MFA). These kits operate as a proxy between the target user and a legitimate application login portal, allowing the attacker to intercept credentials, MFA codes, and session tokens.
## Technical Details
- Type: Tool/Technique (Phishing Kit)
- Platform: Web-based applications accessed via browsers (e.g., M365)
- Capabilities: Intercepts credentials and MFA tokens in real time; presents a legitimate-looking login page; circumvents blocklists.
- First Seen: The text implies heavy use in 2024, referencing recent examples.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (less direct, but one delivery vector for the phishing URL)
- T1566.002 - Spearphishing Link (primary vector: the victim follows a link to the kit's URL)
- TA0006 - Credential Access
- T1213 - Account Discovery (Indirectly aids in identifying targets)
- T1555 - Credentials from Password Stores (Interception of session tokens)
## Functionality
### Core Capabilities
- **Proxy Functionality:** Acts as a reverse proxy between the victim and the legitimate target application (e.g., M365 login).
- **Credential Theft:** Captures user-provided credentials as they are entered into the fabricated login page.
- **MFA Bypass:** Observes and captures session tokens or MFA verification codes sent to the legitimate service, completing the authentication chain for the attacker.
### Advanced Features
- **URL Rotation:** Attackers constantly refresh the set of URLs the phishing page resolves to, evading known-bad blocklists.
- **HTTP Referer Masking:** Hides suspicious redirect chains by masking the HTTP Referer header.
- **Benign Redirection:** Redirects automated scanners or unintended visitors to legitimate domains to hide the malicious intent.
- **Leveraging Legitimate Services:** Campaigns are sometimes built on trusted infrastructure, such as legitimate SaaS services (HubSpot, for example), to host campaign components.
## Indicators of Compromise
- File Hashes: Not explicitly listed in the context.
- File Names: Not explicitly listed in the context.
- Registry Keys: Not applicable (Web-based tooling).
- Network Indicators: Unique URLs that rotate frequently; IP addresses associated with cloud-hosted proxy servers that are constantly replaced.
- *Defanged Example:* `phishing.com` (placeholder for rotated domains).
- Behavioral Indicators: Traffic traversing an unexpected proxy server before reaching a legitimate service URL; successful authentication events that the attacker's proxy also records, because it sits in the authentication path.
## Associated Threat Actors
The article mentions several specific AitM phishing kits that are actively used:
- Tycoon
- Nakedpages
- Evilginx (Specifically cited in an example taking over an M365 account)
More broadly, identity-based attack vectors (phishing and stolen credentials) accounted for 80% of initial access observed in 2024, indicating broad adoption of these techniques.
## Detection Methods
Detection relies on moving away from easily changed indicators (like static IPs/domains) towards harder-to-evade indicators (Pyramid of Pain principles):
- **Signature-based detection:** Ineffective against rapidly changing URLs.
- **Behavioral detection:** Focus on the *act* of proxying authentication flows and observing session token acquisition by unauthorized intermediaries.
- **YARA rules:** Not mentioned in the context.
- **Control Evasion Focus:** Detecting when standard defenses such as known-bad blocklists have failed, rather than assuming they succeeded.
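Behavioral detection of the kind described above, as an added example that is not code from the Push Security article or its product: a small Python checker over constructed IdP sign-in events that flags a session when the interactive login came from hosting/proxy address space (the kit, not the user, is the real client) or when the session token is used shortly afterwards by a different client than the one that completed credentials and MFA. The event format, the addresses and the hosting range are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SignInEvent:
    ts: int           # epoch seconds
    user: str
    session_id: str   # identifier tied to the issued session token
    src_ip: str
    user_agent: str
    kind: str         # "interactive_login" (credentials + MFA) or "token_use"


# Constructed sample log; all addresses come from documentation ranges.
EVENTS = [
    SignInEvent(1000, "alice", "s1", "192.0.2.10", "Chrome/Windows", "interactive_login"),
    SignInEvent(1060, "alice", "s1", "192.0.2.10", "Chrome/Windows", "token_use"),
    # AitM pattern: a cloud-hosted proxy completes the login, then the captured token is replayed.
    SignInEvent(2000, "bob", "s2", "203.0.113.5", "Chrome/Windows", "interactive_login"),
    SignInEvent(2120, "bob", "s2", "198.51.100.7", "python-requests/2.31", "token_use"),
    # Same device days later from a new network: outside the window, not flagged.
    SignInEvent(3000, "carol", "s3", "192.0.2.20", "Safari/macOS", "interactive_login"),
    SignInEvent(3000 + 2 * 86400, "carol", "s3", "192.0.2.99", "Safari/macOS", "token_use"),
]

# Constructed: address space the organisation has classified as hosting/proxy infrastructure.
HOSTING_RANGES = [ip_network("203.0.113.0/24")]


def detect_aitm_sessions(events, hosting_ranges=HOSTING_RANGES, window=3600):
    """Return {session_id: [reasons]} for sessions showing AitM behaviour."""
    logins = {e.session_id: e for e in events if e.kind == "interactive_login"}
    findings = {}
    for sid, login in logins.items():
        reasons = []
        # The IdP sees the proxy, not the victim, as the authenticating client.
        if any(ip_address(login.src_ip) in r for r in hosting_ranges):
            reasons.append("interactive login sourced from hosting/proxy range")
        # A token used by another client soon after MFA was acquired by an intermediary.
        for e in events:
            if e.session_id != sid or e.kind != "token_use":
                continue
            moved = e.src_ip != login.src_ip or e.user_agent != login.user_agent
            if moved and 0 <= e.ts - login.ts <= window:
                reasons.append(f"token used from {e.src_ip} ({e.user_agent}) "
                               f"{e.ts - login.ts}s after login from {login.src_ip}")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in detect_aitm_sessions(EVENTS).items():
        print(sid, reasons)
```

Only `s2` is reported; `s3` changes network but outside the window, so the check does not fire on ordinary roaming.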
## Mitigation Strategies
The context emphasizes shifting detection "left" and making detection harder for attackers to bypass:
- **Move beyond Blocklists:** Avoid reliance on static threat intelligence feeds for URLs/IPs, as these are trivially changed.
- **Implement AitM-Resistant Controls:** Utilize security solutions capable of inspecting the authentication proxy process itself, rather than just static page content or URLs.
- **Identity Threat Detection and Response (ITDR):** Focus on monitoring identity behaviors that signal account takeover attempts facilitated by stolen tokens/credentials.
- **Reduce reliance on MFA as the sole defense:** Since MFA codes/tokens are being intercepted, supplementary controls are necessary.
## Related Tools/Techniques
- Credential Stuffing
- Password Spraying
- Session Hijacking (via stolen session tokens)