AiTM Attack

The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users.

"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.


The AiTM phishing attacks are said to have commenced in mid-July 2022, following a similar modus operandi as that of a social engineering campaign designed to siphon users' Microsoft credentials and even bypass multi-factor authentication.

The low-volume Gmail AiTM phishing campaign also entails using the compromised emails of chief executives to conduct further social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take the victims to the final landing page.

Google G-Suite Enterprise Users

Attack chains involve sending password expiry emails to potential targets that contain an embedded malicious link to supposedly "extend your access," tapping which takes the recipient to open redirect pages of Google Ads and Snapchat to load the phishing page URL.

Beside open redirect abuse, a second variant of the attacks relies on infected sites which host a Base64-encoded version of the next-stage redirector and the victim's email address in the URL. This intermediate redirector is a JavaScript code that points to a Gmail phishing page.


In one instance highlighted by Zscaler, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was updated to take the user to a Gmail AiTM phishing page on July 16, 2022, connecting the two campaigns to the same threat actor.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

The findings are an indication that multi-factor authentication safeguards alone cannot offer protections against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and refrain from opening attachments or clicking on links in emails sent from untrusted or unknown sources.

Update: Following the publication of the story, Google told The Hacker News that Gmail has "layers of phishing protection" to secure users from these kinds of attacks. "Protections look at many signals even when the phishing links in the message attempt to mask their destination (reputation of the sender, spoofing logos in the message, sender-recipient affinity, and 100s of others)," the company said.

Besides using hardware security keys for multi-factor authentication to eliminate AiTM attacks, the tech giant noted its Safe Browsing service is capable of detecting all of the still live phishing domains as malicious and therefore blocking users from navigating to the fraudulent login pages in the browser.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.