The Growing Threat to Business Emails: Adversary-in-the-Middle Cyber Attacks
By Jordan Johnson, Dean Dorton
Business email compromise (BEC) attacks are on the rise. In 2023 the FBI's Internet Crime Complaint Center (IC3) received approximately 21,000 BEC complaints from organizations, which reported $2.9 billion in losses from these attacks. BEC is big business for cyber-criminals, and the resulting losses, financial or reputational, are often hefty. So how are cyber-criminals getting into business email accounts?
What to Know About AitM Attacks
A newer acronym has entered the chat in the acronym-happy landscape of cybersecurity: adversary-in-the-middle, or AitM for short. In an AitM phishing attack, the threat actor lures the user to a look-alike login page on a domain they control. That page acts as a reverse proxy in front of the legitimate email provider: the user types their password and completes multi-factor authentication on the attacker's site, and the proxy relays each step to the real provider in real time.
Because the legitimate provider sees a valid password followed by a valid MFA response, it issues an authenticated session (a session cookie or token) and the proxy captures it. The threat actor can then replay that session and remain signed in as the user until it expires or is revoked; for Microsoft Entra ID the default refresh token lifetime is 90 days, so without intervention that is a long window. From there the threat actor can take any action the compromised user could take in the mailbox. The ease of this attack is compounded by publicly available phishing-proxy toolkits on GitHub that let a threat actor spin up the tooling quickly. All they need at that point is a registered domain for the landing page.
Standard multi-factor authentication (MFA) methods (SMS codes, authenticator-app codes, push notifications, number matching, etc.) are also no match for this threat, because nothing ties the second factor to the site the user is actually on. If the user enters their password and accepts the push, for example, the proxy forwards the approved login and the threat actor has access to the account in real time. The exception is phishing-resistant MFA such as FIDO2 security keys and passkeys (WebAuthn): the authenticator's response is cryptographically bound to the origin of the page that requested it, so an assertion produced on the attacker's domain is rejected by the real provider. Microsoft has posted an excellent article regarding this threat, which can be found here.
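The relay described above, and the reason origin-bound MFA breaks it, as an added toy model (not code from the original article, nor a real phishing toolkit). The identity provider, the look-alike origin, the user and all secrets are constructed for the example; HMAC stands in for the authenticator's ECDSA signature, and the TOTP routine follows RFC 6238 so the first factor is realistic. The proxy succeeds against password plus TOTP and fails against password plus a WebAuthn-style assertion, because the victim's browser writes the phishing origin into the signed client data.

```python
"""Toy AitM phishing proxy against phishable MFA (TOTP) and origin-bound MFA
(WebAuthn). Constructed illustration, stdlib only: all hosts, users and
secrets are made up, and HMAC replaces the authenticator's real signature."""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example-idp.test"          # assumed real IdP
PHISH_ORIGIN = "https://login.example-idp.support.test"  # assumed attacker look-alike


def rp_id_from_origin(origin):
    """Browser behaviour: the WebAuthn RP ID defaults to the page's host."""
    return origin.split("//", 1)[1]


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    """U2F-style authenticator deriving one key per RP ID from a device seed."""

    def __init__(self):
        self.seed = secrets.token_bytes(32)

    def key_for(self, rp_id):
        return hmac.new(self.seed, rp_id.encode(), hashlib.sha256).digest()

    def get_assertion(self, rp_id, origin, challenge):
        # The browser, not the page, supplies rp_id and origin, so a phishing
        # page cannot obtain a signature that names the legitimate origin.
        client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data_json.encode()).digest()
        return {"clientDataJSON": client_data_json, "rpIdHash": rp_id_hash.hex(),
                "signature": hmac.new(self.key_for(rp_id), signed, hashlib.sha256).hexdigest()}


class IdentityProvider:
    """Minimal IdP that issues a bearer session cookie after password + second factor."""

    def __init__(self, origin):
        self.origin, self.rp_id = origin, rp_id_from_origin(origin)
        self.users, self.sessions, self.challenges = {}, {}, {}
        self.last_error = None

    def enroll(self, username, password, totp_secret, webauthn_key):
        self.users[username] = {"password": password, "totp": totp_secret, "webauthn": webauthn_key}

    def _issue_session(self, username):
        cookie = secrets.token_urlsafe(32)  # whoever holds this is the user until expiry/revocation
        self.sessions[cookie] = username
        return cookie

    def _reject(self, reason):
        self.last_error = reason
        return None

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def login_totp(self, username, password, code, now):
        u = self.users.get(username)
        if not u or u["password"] != password or not hmac.compare_digest(code, totp(u["totp"], now)):
            return self._reject("bad password or code")
        return self._issue_session(username)

    def webauthn_challenge(self, username):
        self.challenges[username] = secrets.token_urlsafe(16)
        return self.challenges[username]

    def login_webauthn(self, username, password, assertion):
        u = self.users.get(username)
        if not u or u["password"] != password:
            return self._reject("bad password")
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("origin") != self.origin:                      # origin binding
            return self._reject(f"origin mismatch: {cd.get('origin')}")
        if cd.get("challenge") != self.challenges.pop(username, None):
            return self._reject("stale or replayed challenge")
        if assertion["rpIdHash"] != hashlib.sha256(self.rp_id.encode()).hexdigest():
            return self._reject("rpIdHash mismatch")           # RP ID binding
        signed = bytes.fromhex(assertion["rpIdHash"]) + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        if not hmac.compare_digest(assertion["signature"], hmac.new(u["webauthn"], signed, hashlib.sha256).hexdigest()):
            return self._reject("bad signature")
        self.last_error = None
        return self._issue_session(username)


class AitMProxy:
    """Phishing page at PHISH_ORIGIN that relays every step to the real IdP live."""

    def __init__(self, idp):
        self.idp, self.loot = idp, []

    def _keep(self, cookie):
        if cookie:
            self.loot.append(cookie)  # stolen session, good until the IdP expires or revokes it
        return cookie is not None     # the victim only ever sees "signed in"

    def relay_totp(self, username, password, code, now):
        return self._keep(self.idp.login_totp(username, password, code, now))

    def relay_webauthn(self, username, password, victim_browser):
        challenge = self.idp.webauthn_challenge(username)    # genuine challenge from the real IdP
        assertion = victim_browser(PHISH_ORIGIN, challenge)  # but the victim's browser is on the phishing origin
        return self._keep(self.idp.login_webauthn(username, password, assertion))


def run_scenarios(now=1_700_000_000):
    idp, proxy = IdentityProvider(LEGIT_ORIGIN), None
    totp_secret, authr = secrets.token_bytes(20), Authenticator()
    idp.enroll("alice", "correct horse", totp_secret, authr.key_for(idp.rp_id))
    proxy = AitMProxy(idp)

    def browser(origin, challenge):  # the victim's browser, wherever it happens to be
        return authr.get_assertion(rp_id_from_origin(origin), origin, challenge)

    proxy.relay_totp("alice", "correct horse", totp(totp_secret, now), now)
    totp_stolen = [idp.whoami(c) for c in proxy.loot] == ["alice"]
    webauthn_stolen = proxy.relay_webauthn("alice", "correct horse", browser)
    reason = idp.last_error
    # Control: the same authenticator works when the browser really is on the IdP's origin.
    legit = idp.login_webauthn("alice", "correct horse", browser(LEGIT_ORIGIN, idp.webauthn_challenge("alice")))
    return {"totp_session_stolen": totp_stolen, "webauthn_session_stolen": webauthn_stolen,
            "webauthn_reject_reason": reason, "webauthn_legit_login": idp.whoami(legit) == "alice"}


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Running it shows the TOTP scenario leaving a session cookie in the proxy's loot that resolves to the victim, while the WebAuthn scenario is rejected with an origin mismatch even though the password, the challenge and the authenticator were all genuine; the control login from the real origin succeeds. In a real deployment the IdP checks an ECDSA signature rather than an HMAC, but the two checks that defeat the proxy, the origin in clientDataJSON and the RP ID hash, are the same.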