Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users

News

The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users.

“This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace],” Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

CyberSecurity

The AitM phishing attacks are said to have commenced in mid-July 2022, following a similar modus operandi as that of a social engineering campaign designed to siphon users’ Microsoft credentials and even bypass multi-factor authentication.

The low-volume Gmail AiTM phishing campaign also entails using the compromised emails of chief executives to conduct further phishing attacks by the threat actor, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take the victims to the landing page.

Google G-Suite Enterprise Users

Attack chains involve sending password expiry emails to potential targets that contain an embedded malicious link to supposedly “extend your access,” tapping which takes the recipient to open redirect pages of Google Ads and Snapchat to load the phishing page URL.

Beside open redirect abuse, a second variant of the attacks relies on infected sites which host a Base64-encoded version of the next-stage redirector and the victim’s email address in the URL. This intermediate redirector is a JavaScript code that points to a Gmail phishing page.

CyberSecurity

In one instance highlighted by Zscaler, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was updated to take the user to a Gmail AiTM phishing page, connecting the two campaigns to the same threat actor.

“There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure,” the researchers said.

The findings are an indication that multi-factor authentication safeguards alone cannot offer protections against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and refrain from opening attachments or clicking on links in emails sent from untrusted or unknown sources.

Products You May Like

Articles You May Like

ESET APT Activity Report Q2 2024–Q3 2024
THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 – Nov 10)
Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims
IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools
CISOs Turn to Indemnity Insurance as Breach Pressure Mounts

Leave a Reply

Your email address will not be published. Required fields are marked *