Microsoft Threat Intelligence has detected the increasing use of an open-source adversary-in-the-middle (AiTM) phishing kit developed by the emerging threat actor DEV-1101, which has been used in high-volume phishing campaigns. Such attacks circumvent multi-factor authentication protections, making them more effective.
DEV-1101 offers several phishing kits for purchase or rent, making it easier for criminals to launch a phishing campaign.
The open-source kit mimics Microsoft Office and Outlook and can be managed from mobile devices, with the latest update allowing server management through a Telegram bot.
A monthly license fee for the kit costs $300, with VIP licenses costing $1,000.
Furthermore, Microsoft has linked DEV-1101 to an activity cluster called DEV-0928, which is one of the threat actor’s prominent patrons.
A phishing campaign by this cluster has comprised over a million emails since September 2022.
The attack begins with document-themed email messages containing a link to a PDF document that leads the recipient to a login page masquerading as Microsoft’s sign-in portal, but not before the victim completes a CAPTCHA step. Microsoft notes that because AiTM attacks bypass conventional MFA, organizations must adopt phishing-resistant authentication methods such as FIDO2 security keys to block such login attempts.
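To illustrate why FIDO2 resists the relay described above while a proxied password or one-time code does not, here is an added example (not from Microsoft or the article) simulating the relying party's WebAuthn origin check; the domains, challenge and log entries are constructed placeholders:

```python
import base64
import hashlib
import json

# Constructed placeholders: the genuine sign-in origin and the origin of a
# hypothetical AiTM reverse proxy sitting between the victim and that site.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example-com.attacker.invalid"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, page_origin: str) -> bytes:
    """Build the clientDataJSON a browser produces for an assertion.
    The browser itself fills in 'origin' with the page's true origin, so a
    proxied login page cannot claim the real site's origin."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()


def verify_client_data(client_data: bytes, expected_challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion verification steps:
    type, challenge (freshness, no replay) and origin must all match."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    return (
        cd.get("type") == "webauthn.get"
        and cd.get("challenge") == b64url(expected_challenge)
        and cd.get("origin") == RP_ORIGIN
    )


def login_via(page_origin: str) -> bool:
    """Simulate one sign-in where the victim's browser is on page_origin."""
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    return verify_client_data(make_client_data(challenge, page_origin), challenge)


def proxied_otp_accepted(submitted: str, expected: str) -> bool:
    """Contrast case: a relayed one-time code carries no origin binding,
    so a proxy forwarding it verbatim is indistinguishable from the user."""
    return submitted == expected


if __name__ == "__main__":
    print("direct FIDO2 login:", login_via(RP_ORIGIN))     # True
    print("proxied FIDO2 login:", login_via(PROXY_ORIGIN))  # False
    print("proxied OTP login:", proxied_otp_accepted("482913", "482913"))  # True
```

The relayed FIDO2 assertion fails because the origin the browser recorded is the proxy's, whereas the relayed OTP is accepted, which is the gap the article says AiTM kits exploit.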
Phishing kits have become a part of the industrialization of the cybercriminal economy, making it easier for criminals to launch attacks.
The service-based economy of such offerings can also result in double theft, where the stolen credentials are sent to both the phishing-as-a-service provider and its customers. Microsoft recommends that organizations educate their employees on phishing risks and invest in security awareness training.
Additionally, security teams should deploy automated detection and response tools that can spot and contain such attacks.
As phishing attacks continue to evolve, it is essential for organizations to stay up-to-date with the latest threats and protect their systems with advanced security measures.
The growing prevalence of AiTM attacks emphasizes the need for organizations to use phishing-resistant authentication methods and regularly conduct security assessments to identify and address vulnerabilities.