Phishing-as-a-service attacks just got smarter

Attackers focus their PhaaS models with “adversary in the middle” adjustments

Phishing is a reliable attack method for threat actors, effective enough that it’s now sold on dark markets as a service. Hopeful hackers can inquire about phishing kits that provide a range of malicious templates and targets, combined with social-engineering techniques to prey on victims. It’s a staggering problem, enabling otherwise inexperienced users to acquire powerful malware tools and launch hacking campaigns against various targets.

Microsoft has also discovered an escalation in these PhaaS models: the use of adversary-in-the-middle (AitM) techniques.

Phishing involves the use of social-engineering techniques – deception – to steal credentials from unaware users. It has existed for decades and exploited mass communication like email for maximum impact.

AitM is a secondary characteristic of modern phishing schemes. It follows a similar path – whereby a deceptive message is sent to an individual. The difference, however, is that the links or redirects within a message do not take the user to a malicious domain, but instead to a phishing page with falsified verification methods. These verification methods, like “bot checks,” are designed to instill a sense of security. Additionally, they redirect to a phishing page that uses MFA-credential theft methods.

If the AitM attack is successful, the hacker will exfiltrate data and information and use them in various attack campaigns. Examples include business email compromise schemes or misinformation campaigns.

The goal of AitM attacks is to appear as a “synchronous” login platform. Primarily, this is a response to MFA methods and tokens, in the hope of circumventing an otherwise versatile defense.

Why it’s a threat

Any organization will understand the threat capabilities of phishing and its ability to compromise security, even if that security is resilient in posture.

But PhaaS attacks, combined with “middle adversaries,” present a whole new quandary. MFA is an effective way of preventing basic security compromise. But if phishing methods specifically target this authentication process, it’s something IT leaders and security chiefs must address. In other words, it’s a token theft attempt, even if all MFA standards have been met.

Agility and swift response are necessary to mitigate the potential damage caused by these “middle-men” attacks. However, a more efficient and proactive method is to engage in preventative measures. It’s the standard problem in the cybersecurity and IT realm essentially: every advancement benefits both security posture and attacker positioning.

What steps can I take to avoid AitM and Phishing Attacks?

There are a number of actions your enterprise can perform to help reduce both the risk and intrusion of phishing-based attacks. First, understand that hackers will become increasingly advanced in their methods to target cybersecurity strategies. In this instance, AitM directly targets MFA security with token theft. Second, know this advancement is constant. As mentioned, even threat actors with a basic understanding of hacking can purchase kits and services to launch complex campaigns against targets. It’s important not to underestimate potential threats, nor overestimate your own security posture.

That said, you aren’t alone. Phishing will always remain a consistent danger. Using a combination of cybersecurity education and zero-trust policies can help identify potentially malicious messages. Any email or SMS text containing links without a prompt from an administrator is cause for suspicion, depending on the IT setup.

As for preventing middle-man attacks, this part is trickier. Catching an AitM attack requires active monitoring, which not all organizations utilize. There are, however, resources to take advantage of to improve IT defense.

Implement Encryption

Strong encryption can mitigate and outright prevent brute-force methods used by attackers and middle-men strategies. It’s also a great way to strengthen your cybersecurity posture in general.

Strengthen All User Credentials

Aside from MFA, all users should still maintain strong login passwords and credentials.

Only HTTPS Connections

Users should only access network websites and resources using HTTPS, whether on-premises or working remotely. HTTPS is secure and encrypted and important for dodging AitM attacks, which typically redirect to an address that is not HTTPS.


Virtual private networks encrypt all connections and protect outgoing data from potential theft. In a business or large-scale IT setting they’re useful for protecting internal LAN environments which hackers attempt to penetrate with phishing or middle-man attacks.

Naturally, what you need and what strategies you should take advantage of come down to the unique needs of your enterprise. However, small or large, all organizations need to prepare for both complex phishing schemes and “adversary in the middle” attacks.
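
One heuristic for the active monitoring mentioned above, as an added example that is not part of the original article: flag a session token that is later used from a different IP address and user agent than the client that completed MFA. The log fields, event names and sample events are constructed assumptions, not any vendor's schema.

```python
from datetime import datetime

# Constructed sample events, not real logs. Field names are assumptions,
# not any vendor's sign-in log schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "user": "alice", "session": "s-100",
     "ip": "198.51.100.10", "ua": "Edge/124 Windows", "event": "mfa_success"},
    {"time": "2024-05-01T09:01:00", "user": "alice", "session": "s-100",
     "ip": "198.51.100.10", "ua": "Edge/124 Windows", "event": "mail_read"},
    # Same session token, new network AND new client: replay pattern.
    {"time": "2024-05-01T09:07:30", "user": "alice", "session": "s-100",
     "ip": "203.0.113.77", "ua": "python-requests/2.31", "event": "mail_read"},
    {"time": "2024-05-01T09:10:00", "user": "bob", "session": "s-200",
     "ip": "198.51.100.20", "ua": "Safari/17 iOS", "event": "mfa_success"},
    # IP changes but the client does not (e.g. mobile roaming): not flagged.
    {"time": "2024-05-01T09:25:00", "user": "bob", "session": "s-200",
     "ip": "198.51.100.99", "ua": "Safari/17 iOS", "event": "mail_read"},
]


def find_token_replay(events):
    """Return one alert per session whose token is used from a different
    IP and user agent than the client that completed MFA."""
    origin = {}    # session id -> (time, ip, ua) recorded at MFA success
    alerts = {}    # session id -> first alert raised for that session
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            origin.setdefault(sid, (when, ev["ip"], ev["ua"]))
            continue
        if sid not in origin or sid in alerts:
            continue  # no MFA baseline yet, or session already flagged
        mfa_time, mfa_ip, mfa_ua = origin[sid]
        if ev["ip"] != mfa_ip and ev["ua"] != mfa_ua:
            alerts[sid] = {
                "user": ev["user"],
                "session": sid,
                "mfa_ip": mfa_ip,
                "replay_ip": ev["ip"],
                "seconds_after_mfa": int((when - mfa_time).total_seconds()),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_EVENTS):
        print(alert)
```

Requiring both the IP and the user agent to change keeps ordinary network roaming from raising alerts; a replay from the same client fingerprint would need additional signals.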

Third-party resources and assistance

Even with the resources we’ve discussed and techniques offered, it’s still possible you will need help. It’s common for organizations to invest in MSPs, providers that offer a full range of IT and cybersecurity functions. If you’re concerned about vicious phishing campaigns or middle-man attacks, consider third-party expertise.

Bytagig offers these third-party tools, along with ways to identify potential phishing campaigns and middle-man strategies.

For more information, contact Bytagig today.
