Microsoft recently cautioned its users regarding a phishing campaign that has targeted more than 10,000 organizations. This type of cyber threat highlights the importance of robust cyber security awareness and services, especially in high-risk areas such as Chicago. The campaign intends to conduct follow-on business email compromise (BEC) attacks using a phishing technique called adversary-in-the-middle (AiTM).

Cybercriminals utilize a deceitful proxy web server to execute a technique that places itself in the middle of the user and the intended website. As a result, they can easily capture login details and hijack session cookies, rendering multifactor authentication (MFA) ineffective.

This advanced method employed by attackers poses a severe danger to organizations and their users. Taking necessary precautions and remaining attentive is imperative for users to protect themselves and their organizations from such malevolent attacks by seeking reliable cyber security consulting Chicago.

To obtain the session cookie, attackers leverage two distinct TLS sessions—one with the user and the other with the targeted website. This enables them to circumvent the authentication process, even if the targeted organization has enabled multifactor authentication (MFA). The severity of this technique underscores the need for users to be ever-vigilant and take proactive measures to safeguard sensitive information against such malicious attacks.

The webserver employed a deceptive technique, proxying the Azure AD sign-in page of the targeted organization while using the organization’s logo to make it appear genuine.

After the user entered their login credentials and got authenticated, the attacker hijacked the information while directing the user to the authentic page to avoid suspicion. By exploiting the stolen credentials, the attacker engaged in nefarious activities such as payment fraud within the organization.

Usually, fraudulent activities began approximately five minutes after the credentials were stolen, as the attackers used the pilfered session cookie to log in to Outlook online ( This allowed them to launch subsequent attacks from within the organization, causing significant harm.

After the initial breach, the attacker would access emails and file attachments related to finances and search for threads that facilitated Business Email Compromise (BEC) fraud. Moreover, they removed the initial phishing email from the victim’s inbox.

Microsoft notes that these actions imply that the attacker endeavored to manually commit payment fraud. Interestingly, these activities were performed on the cloud, utilizing a Chrome browser and Outlook Web Access (OWA) with the stolen session cookie of the compromised account.

Upon discovering a relevant email thread, the threat actor established a rule that directed messages from the BEC scam target to the archive folder to avoid detection by the mailbox owner.

Next, the attacker responded to an ongoing payment-related thread and periodically checked for replies from the recipient, sometimes communicating for multiple days. In a noteworthy instance, the attacker simultaneously executed numerous fraud attempts from the same compromised mailbox, updating the Inbox rule with the organization domains of new targets as they were identified.

Microsoft provides these details to demonstrate the extensive lengths that the attacker went to in their attempts to commit BEC fraud. Hi’s persistence and resourcefulness in their attempts to commit BEC fraud highlight the critical importance of robust cyber security awareness, such as those provided by reputable cyber security services in Chicago and other major cities.

Who is Behind These Attacks?

According to the tech conglomerate, DEV-1101 is believed to be responsible for numerous phishing kits that can be bought or leased by other criminals, significantly reducing the time and resources needed to execute a phishing attack.

In a technical report, Microsoft highlighted that the accessibility of such phishing kits for purchase contributes to the industrialization of the cybercriminal industry and makes cybercrime more accessible to a broader audience.

Such offerings, fueled by a service-based economy, can lead to double theft, where stolen login credentials are forwarded to both the phishing-as-a-service provider and their clients.

The open source package from DEV-1101 offers various features that enable users to create phishing landing pages that replicate Microsoft Office and Outlook. Additionally, users can run campaigns from their mobile devices and utilize CAPTCHA checks to avoid detection.

Since its launch in May 2022, the service has undergone various improvements, with the most notable being the ability to manage the kit’s servers via a Telegram bot. A monthly licensing fee of $300 is currently charged, while VIP licenses cost $1,000.

Microsoft has identified multiple high-volume phishing campaigns utilizing the tool by various actors, which equate to millions of phishing emails daily. Among these, DEV-0928 is a prominent supporter of DEV-1101, according to Redmond. The group has been linked to a phishing campaign that sent over one million emails since September 2022.


Phishing Sequence of DEV-1101

DEV-0928’s phishing campaign using the DEV-1101 kit targets a diverse group of users, each with their own approach to handling suspicious emails. The email begins with a lure designed to entice the recipient, and clicking the button leads to the next phase of the attack. It’s critical to remain vigilant and cautious when receiving unexpected emails to avoid falling victim to cybercriminals.

When clicking on the link in the phishing message, there are two potential ways the attacker can evade detection. The DEV-1101 kit comes equipped with advanced antibot functionality, which may activate an href redirection to a seemingly harmless page. In one instance, the DEV-0928 domain “o365987656898087[.]xyz” redirects to “”. It’s important to exercise caution and remain vigilant to steer clear of cyber criminals and their deceitful tactics.

Users have the option to choose a different redirection domain, despite the default in the source code being “”.

The kit provides an option for threat actors to utilize CAPTCHA as a means of evading detection. With the inclusion of a CAPTCHA page in the phishing sequence, it becomes arduous for automated systems to access the final phishing page, while remaining effortless for human users to advance to the subsequent page. This method enables more efficient phishing attacks that are less susceptible to being detected by automated security systems.

Initially, DEV-1101 had to provide support to set up CAPTCHA for users in August 2022. Later on, CAPTCHA became a core feature. After the evasion pages, the victim is directed to a phishing landing page through an actor-controlled host using the phishing actor’s reverse proxy setup.

Once the victim lands on the phishing landing page, their entered credentials are captured by the actor’s server. If the user has MFA enabled, the AiTM kit acts as a proxy between the user and their sign-in service, capturing the resulting session cookie as the user completes an MFA sign-in. This allows the attacker to bypass MFA with both the session cookie and the user’s stolen credentials.

The AiTM phishing attack chain is illustrated in the accompanying diagram.


To counter the threat of AiTM attacks, organizations must implement cyber security awareness plans and anti-phishing authentication techniques that can thwart suspicious login attempts. For example, employing FIDO2 security keys is an effective method to prevent such attacks even if multifactor authentication (MFA) is circumvented.

Related Articles