Protecting Against AiTM and BEC Attacks

The Rise of AiTM Phishing and BEC Attacks

Recently, Microsoft Defender Experts found a series of complex AiTM and BEC attacks. These AiTM and BEC attacks started from a compromised trusted vendor. This shows how cyber threats are advancing and why strong defenses are needed. In this blog, we will help you get a better understanding of protecting against AiTM and BEC attacks

Understanding the AttackAiTM and BEC attacks spanning multiple suppliers and partner organizations

First, the attack began with a trusted vendor getting compromised. This led to AiTM attacks and BEC activities across many organizations. Unlike traditional AiTM attacks, this one used an indirect proxy method. This method let attackers create phishing pages aimed at stealing session cookies, which gave them control and flexibility.

Once attackers got the session cookies, they bypassed multifactor authentication (MFA) policies that lacked best security practices. They updated MFA methods without triggering an MFA challenge. Thus, this allowed them to send over 16,000 phishing emails to the target’s contacts, continuing their malicious campaign.

Key Features of the Attack

  1.  Indirect Proxy AiTM Technique: Attackers used an indirect proxy method. They showed targets a phishing website that looked like a legitimate sign-in page. Therefore, this gave them more control over the phishing pages and helped them avoid detection.
  2. Session Cookie Theft: By stealing session cookies, attackers could pretend to be the user. This way, they did not need extra MFA challenges and could access the user’s resources and applications.
  3.  Phishing Campaigns and BEC: Attackers launched large-scale phishing campaigns from compromised accounts. Consequently, this led to more AiTM attacks and BEC activities across multiple organizations.
  4. MFA Method Modification: Attackers added new MFA methods to compromised accounts. Hence, this ensured they kept access and made it harder to fix the issue.

What is an Adversary-in-the-Middle (AiTM) Attack?

An AiTM attack is a type of Man-in-the-Middle (MitM) attack. In these attacks, malicious actors position themselves between communication channels to listen, intercept, or manipulate data traffic. AiTM attacks go beyond just interception; they exploit this position to carry out harmful activities.

These attacks pose a high risk to data confidentiality, integrity, and privacy across many industries, like finance, healthcare, and government. Understanding AiTM attacks and strong defenses are crucial for protecting digital assets as cyber threats evolve.

How AiTM Attacks Work

In an AiTM attack, the attacker positions themselves between the sender and receiver of data or communication. This lets them intercept, manipulate, or redirect traffic between the two parties. They can do this by compromising network devices, exploiting vulnerabilities, or infiltrating a network through other methods.

Key Tactics Used in AiTM Attacks

  • Credential Harvesting: Intercepting login credentials to gain unauthorized access.
  • Data Manipulation: Altering data packets to inject malicious code.
  • Session Hijacking: Taking control of session tokens or cookies to impersonate the victim.
  • Phishing and Spoofing: Impersonating trusted entities to deceive victims.
  • Encryption Bypass: Substituting legitimate security certificates to intercept encrypted communications.

Real-World Implications

AiTM attacks have significant real-world effects across many sectors:

  • Financial Fraud: Intercepting and manipulating online banking transactions.
  • E-commerce Manipulation: Altering payment information in online transactions.
  • Data Theft & Espionage: Stealing sensitive information for competitive advantage.
  • Privacy Invasion: Monitoring and intercepting personal communications.

Defending Against AiTM Attacks

Given the complexity of AiTM attacks, organizations must adopt comprehensive defense strategies. Here are key steps to protect your organization:

  1. Revoke Session Cookies: Besides resetting passwords, revoke session cookies to cut off the attacker’s access.
  2. Strengthen MFA Policies: Ensure MFA policies are configured using security best practices. Re-authentication is required for any MFA updates. More secure MFA methods, like hardware tokens or app-based authentication, should be considered.
  3. Implement Conditional Access Policies: Use conditional access policies that evaluate sign-in requests based on additional identity-driven signals like IP location, device status, and user behavior.
  4. Continuous Monitoring and Threat Hunting: Proactively hunt for new tactics, techniques, and procedures (TTPs) used in AiTM and BEC attacks. Regularly monitor for suspicious activities and sign-in attempts with unusual characteristics.
  5. Invest in Advanced Anti-Phishing Solutions: Utilize solutions that detect and block malicious emails, links, and files. Ensure your web browsers and email clients can identify and block phishing sites and campaigns.
  6. Network Segmentation: Separate network segments to limit an attacker’s lateral movement.
  7. Security Awareness Training: Regularly train employees to recognize phishing attempts, malicious websites, and suspicious communications.
  8. Intrusion Detection Systems (IDS): Use IDS and Intrusion Prevention Systems (IPS) to monitor network traffic and detect potential AiTM attacks.
  9. Regular Software Updates: Keep systems and software up to date with the latest security patches.
  10. Security Monitoring: Implement continuous security monitoring to detect and respond to unusual network activity or suspicious behavior.


The recent AiTM and BEC attack uncovered by Microsoft shows the need for vigilance and proactive defense measures. By understanding the tactics used by attackers and implementing strong security practices, organizations can better protect themselves from these evolving threats. At Rouse Consulting Group, we are committed to helping our clients stay secure against sophisticated cyber attacks. If you need help improving your cybersecurity, reach out to our team of experts. You can read the original Microsoft blog here for more details about this attack and its mitigation.

Contact RCG today to learn more about how we can help safeguard your email communications and ensure a proactive approach to cybersecurity.