Many different types of security threats use phishing to lure in victims – and AiTM is one of them. AiTM stands for adversary-in-the-middle. Similar to man-in-the-middle (MiTM) attacks, AiTM attacks involve a third party that inserts itself between two parties that are communicating with each other in order to steal information. In an AiTM attack, the hacker deploys a proxy server between a user and a website in order to mirror the user’s actions and steal credentials and any session cookies created during the authentication process.
MFA users: Beware
Some advanced forms of AiTM attack can bypass multi-factor authentication (MFA), one of the key authentication methods used by Zero Trust security solutions. These types of AiTM attacks present a real risk to many organizations, even those that use sophisticated security techniques to keep credentials secure. One example is the 2021 large-scale phishing campaign disclosed by Microsoft, which hijacked sign-in sessions and used stolen credentials to send business phishing emails to gain information that could be used to perform financial fraud.
It’s crucial to understand how AiTM works and what mitigations need to be put in place to make sure hackers can’t gain access to your network in this way.
AiTM phishing
Usually, AiTM begins with phishing. According to Gartner, an estimated 40% of phishing attempts originate from email. In a typical example, known as spoofing, an email is sent to an employee from a legitimate-seeming sender at what appears to be a genuine organization. However, the email contains a link to a fraudulent website. When the user clicks the link, they are taken to a phishing website that looks identical to the real one. Only a careful check of the URL, which often closely resembles the legitimate URL, enables a user to tell the two apart.
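The URL check described above can be automated at a mail gateway or in link-scanning tooling. The following is an added example, not part of the original article: it classifies a link's hostname against an allowlist and flags near-matches. The hostnames in `TRUSTED_HOSTS`, the function names and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's real sign-in hosts (constructed sample values).
TRUSTED_HOSTS = {"login.example.com", "mail.example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_link(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's hostname."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if host in TRUSTED_HOSTS:
        return "trusted"
    # Non-ASCII or punycode labels can render as visually identical letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "lookalike"
    for good in TRUSTED_HOSTS:
        # Trusted name used as a prefix of a different domain,
        # e.g. login.example.com.account-verify.test
        if host.startswith(good + "."):
            return "lookalike"
        # A few characters away from the real name (typo-squatting).
        if edit_distance(host, good) <= max_distance:
            return "lookalike"
    return "unknown"
```

A "lookalike" result is a reason to block or quarantine the message; "unknown" only means the host is not on the allowlist and says nothing about whether it is safe.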
How AiTM works
Here’s an example of a typical AiTM attack, step-by-step:
- The user clicks on an email link and the fraudulent, spoofed website opens to a login page. In the background, the attacker has a proxy server deployed between the user and the website. This proxy server misuses common networking protocol features to collect the data being sent between the user and the website.
- The user will be asked to authenticate. Unaware that the site is fraudulent, they will enter their username and password.
- The phishing site will then proxy the request to the real website, which returns an MFA screen.
- The MFA screen will then be displayed on the phishing site, where the user enters the additional information needed to complete the MFA request.
- The MFA information is then proxied by the phishing site to the real site, and the real website returns a session cookie. The hackers now have access to the user’s credentials and the session cookie.
At the end of the attack, the user may be redirected to a genuine page, completely unaware that they have been the victim of a cyberattack. The hacker can now log in to the real site with the user’s credentials.
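Because the attack ends with a stolen session cookie being used by someone other than the user who completed MFA, one detection approach is to compare each use of a cookie with the client that was recorded when it was issued. The following is an added example, not part of the original article; the log format, field names and sample events are constructed for illustration.

```python
import json

# Constructed sample events (not real logs). Assumed fields: "event" is
# "mfa_success" when the session cookie is issued, or "request" when the
# cookie is presented; "sid" identifies the session cookie.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:02Z", "event": "mfa_success", "user": "alice", "sid": "s-101", "ip": "198.51.100.7", "ua": "Firefox/125"}
{"ts": "2024-05-01T09:00:09Z", "event": "request", "user": "alice", "sid": "s-101", "ip": "198.51.100.7", "ua": "Firefox/125"}
{"ts": "2024-05-01T09:14:30Z", "event": "mfa_success", "user": "bob", "sid": "s-202", "ip": "203.0.113.20", "ua": "Chrome/124"}
{"ts": "2024-05-01T09:14:41Z", "event": "request", "user": "bob", "sid": "s-202", "ip": "203.0.113.20", "ua": "Chrome/124"}
{"ts": "2024-05-01T09:31:05Z", "event": "request", "user": "bob", "sid": "s-202", "ip": "192.0.2.55", "ua": "Edge/123"}
{"ts": "2024-05-01T09:31:06Z", "event": "request", "user": "bob", "sid": "s-202", "ip": "192.0.2.55", "ua": "Edge/123"}
{"ts": "2024-05-01T10:02:44Z", "event": "request", "user": "carol", "sid": "s-303", "ip": "192.0.2.90", "ua": "Safari/17"}
"""


def find_replayed_sessions(log_text: str) -> list[dict]:
    """Flag session cookies presented by a client other than the one that signed in."""
    issued = {}    # sid -> (ip, ua) recorded when MFA completed
    seen = set()   # (sid, client) pairs already reported, to avoid repeat alerts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        client = (ev["ip"], ev["ua"])
        if ev["event"] == "mfa_success":
            issued[ev["sid"]] = client
            continue
        if ev["event"] != "request":
            continue
        origin = issued.get(ev["sid"])
        if origin == client or (ev["sid"], client) in seen:
            continue
        # A roaming user can also change IP, so treat this as a signal to
        # re-authenticate or investigate, not as proof of compromise.
        reason = ("cookie has no recorded sign-in" if origin is None
                  else "cookie used from a different client than the sign-in")
        seen.add((ev["sid"], client))
        alerts.append({"sid": ev["sid"], "user": ev["user"], "ts": ev["ts"],
                       "ip": ev["ip"], "reason": reason})
    return alerts
```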
AiTM techniques
There are many techniques that may be used from the initial phishing stages of AiTM attacks all the way through to the follow up after the attack has occurred. These may include:
- Downgrade attacks – this is a technique through which attackers downgrade a system or purposely use an older version so that they can exploit vulnerabilities that do not exist in newer versions. In AiTM phishing attacks, this may involve using an older network protocol.
- Network sniffing – this is when an adversary sniffs a network to try and get information about credentials passed over the network. It uses a network interface to capture the information.
- Transmitted data manipulation – this is when an adversary alters information while it is en route in order to either change the results of an action or hide their own malicious activity. Manipulating data can also be used to influence important personnel in an organization, or even change a recipient’s Bitcoin address so that the attacker receives the payment.
Automated AiTM attacks
Bad actors can use tools to automate AiTM attacks. These tools, some of which are available as open source, provide phishing as a service, allowing cybercriminals of all kinds to perform credential phishing without having advanced technological knowledge.
The impact of an AiTM attack
Once one user has fallen victim to an AiTM attack, the hacker has credentials which can then be used to perform further cyberattacks and compromise an organization’s network. For example, if the hackers gain access to email accounts, they can then send more phishing emails. With access to accounts, there’s also the possibility to damage systems and delete data, install malware or ransomware, or steal financial data to make fraudulent payments.
AiTM attack prevention
AiTM attacks can be prevented in a number of ways. Combining as many mitigations as possible is the best way to reduce the chances that an AiTM attack will succeed.
- Use phishing-resistant MFA tools – As mentioned above, MFA alone is no match for an AiTM phishing attack, especially since many are specifically designed to steal MFA tokens. Of course, it’s far better than not using any MFA at all, but other precautions must be taken. Some types of MFA claim to be more resistant against phishing attempts, and these should be considered above others.
- Disable unnecessary features and programs that use legacy network protocols – If your organization doesn’t need a legacy feature or program, disable it. This reduces the number of network protocols available through which an AiTM attack can be launched.
- Filter network traffic – Use security software and network appliances that can filter based on protocols on the host side and can block any network traffic that isn’t from within the environment.
- Use network segmentation – If you break up your network into segments, you can isolate resources inside the network. You can then restrict network access for users and resources that don’t require it, reducing the possible scope of an AiTM attack.
- Use RBI to prevent credential theft – A solution that uses remote browser isolation (RBI), such as the Ericom Secure Web Gateway (SWG), can render unrecognized websites in a remote cloud container in read-only mode, so that if users open links to credential stealing sites from a phishing email, they will not be able to enter their credentials, thus foiling AiTM attacks that depend on fraudulent websites.
- Train users – Although hackers are becoming more sophisticated in their techniques, there are usually ways to detect phishing attempts and fraudulent websites – whether it’s a certificate error caused by a mismatch between the certificate an application presents and the one expected, or simple typos in the text content. It’s important to mention that training alone is definitely not enough to rely on, as it only takes one wrong click for a phishing attempt to be successful.
- Encrypt information – When it comes to handling valuable data, encryption is essential. If wireless traffic containing credentials is encrypted and protected with SSL/TLS, and authentication protocols use best practices, the chances of an AiTM being successful are greatly reduced.
- Provide granular access to network resources – Network resources should be accessible only to the devices and users that require them, otherwise they may be left vulnerable to hackers who can then use them to launch an AiTM attack.