Understanding, Detecting, and Protecting Against AiTM Attacks


An Adversary-in-the-Middle (AitM) attack is a high-risk form of cyber attack where a malicious actor positions themselves between two communicating parties to intercept, manipulate, or redirect data traffic.

How are AiTM attacks carried out?

In an AiTM attack, the attacker places themselves on the path between the sender and receiver. On a local network this is typically done with ARP spoofing, a rogue DHCP server or DNS poisoning, or by abusing weaknesses in network protocols, so that packets are routed through a host the attacker controls without either party noticing. Once on the path, the attacker can read, alter or redirect the traffic that passes through.

Attackers often use reverse-proxy toolkits to present a convincing replica of a legitimate sign-in page on a domain they control. The proxy relays every request and response between the victim and the real site, so the victim sees the genuine login flow, including the MFA prompt, and completes it as normal. Because the real site issues the session cookie through the proxy, the attacker captures both the password and the resulting session token, and can replay that token from their own machine to use the account without being prompted for MFA again.

While the process is sophisticated, the tools required to carry out an AiTM attack are unfortunately easy to obtain, and the result can deceive even vigilant users: the content, the MFA prompt and the HTTPS padlock are all genuine, because the real site is being relayed; only the domain in the address bar differs.

The potential risks associated with AiTM attacks

Credential Harvesting

One of the primary goals of AitM attacks is to harvest credentials. By intercepting login credentials, attackers can gain unauthorised access to various accounts and systems. This can lead to further exploitation, such as identity theft, unauthorised transactions, or accessing sensitive information.

Data Manipulation and Eavesdropping

Attackers can manipulate intercepted data, altering it to serve their purposes or injecting malicious code. This compromises the integrity of the communication and can lead to the unwitting distribution of dangerous content or code. Additionally, eavesdropping allows attackers to monitor sensitive communications, which can be used for espionage or data theft.

Phishing, Spoofing, and Malware Delivery

AiTM attacks can also be used to carry out phishing. By impersonating legitimate entities, attackers can deceive victims into disclosing sensitive information or performing actions that compromise their security. The attacker’s position also allows them to deliver malicious software for future attacks, further infecting the victim’s system and expanding their control.

Business Email Compromise (BEC)

AitM attacks can lead to Business Email Compromise (BEC), where attackers use stolen access to conduct fraudulent activities. This can result in significant financial losses for organisations, as attackers manipulate email communications to siphon funds or sensitive information.


Detecting AiTM Attacks in 10 Steps

1. Monitoring Suspicious Login Patterns

Organisations should monitor for logins from unusual IP addresses, locations, or devices that don’t match the user’s typical behaviour. The AiTM-specific signal is a session token that was issued to one device or network and is later presented from another, often a hosting-provider address with a different browser, within minutes of the legitimate sign-in. Anomalies of this kind indicate that an attacker is attempting to use stolen access.

2. Implementing Advanced Threat Detection Systems

Tools like those available within Microsoft Defender XDR and Entra ID Protection can detect activities related to AitM attacks, such as session cookie theft and attempts to use stolen cookies to sign into services. These systems provide comprehensive visibility across multiple domains, enabling early detection and response.

3. Analysing Network Traffic

Regular analysis of network traffic, including DNS and TLS metadata, can reveal clients connecting to a newly registered look-alike domain or to a proxy sitting in front of a known service. At the network layer, ARP and DNS anomalies (a gateway MAC address that changes, or resolutions that disagree with an authoritative resolver) are the classic signs of an on-path attacker. By monitoring these patterns, organisations can identify and address potential threats.

4. Utilising Threat Intelligence Feeds

Ingesting data on known malicious sites and infrastructure used in AitM campaigns can help organisations block access to these threats. Threat intelligence feeds provide up-to-date information on emerging threats, enabling proactive defence measures.

5. Deploying Detection Tools for Phishing Toolkits and Cloned Websites

Browser-based detection tools can identify AiTM toolkits such as Evilginx (a reverse proxy) and EvilNoVNC (a browser-in-the-middle kit that streams a remote browser session to the victim). These tools detect cloned websites and phishing attempts, providing an additional layer of protection.

6. Monitoring Unauthorised Changes to MFA Settings

Attackers often register a new MFA method (for example an authenticator app on their own device) soon after gaining initial access, so that they can sign in again without needing to replay the stolen cookie. Alert on MFA method registrations and changes, especially those made from the same network as a suspicious sign-in, to detect and prevent further compromise.

7. Implementing Browser-in-the-Browser (BITB) Attack Detection

Browser-in-the-Browser attacks render a fake pop-up sign-in window, complete with a fake address bar showing the legitimate URL, using HTML and CSS inside the phishing page itself. Such windows can be identified with proper monitoring: the fake window is not a real browser window (it cannot be dragged beyond the page boundary, and the operating system does not see it), and the underlying page is still on the attacker’s domain. Organisations should employ detection mechanisms that recognise and respond to these advanced threats.

8. Using Fingerprinting Tools

Developing or utilising tools that can fingerprint AitM sites helps track individual actors and their techniques. This information can be used to enhance threat intelligence and improve detection capabilities.

9. Enabling Microsoft's Attack Disruption Feature

This feature (within Microsoft Defender XDR) can automatically disable potentially compromised accounts and provide alerts tagged with “AiTM attack.” By correlating signals from different sources, it can identify high-confidence AitM attacks and take action to prevent further malicious activity.

10. Regularly Updating Incident Response Playbooks

Organisations should continuously update and review incident response playbooks to account for SSO account compromises and potential lateral movement across cloud apps. A well-prepared incident response plan is crucial for effectively managing and mitigating AitM attacks.
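The following is an added illustration of the detection logic behind steps 1, 2 and 6 above; it is not code from the original article or from Microsoft. It runs over constructed Entra-style sign-in and audit records and flags two AiTM indicators: a session ID issued to one network and device and later presented from another (stolen-cookie replay), and an MFA method registered shortly after such a replay. The field names loosely mirror Entra ID sign-in logs but are assumptions, not the real schema.

```python
"""Toy AiTM detector over constructed sign-in telemetry (added example).
Field names are assumptions modelled loosely on Entra ID sign-in/audit logs."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data): one user signs in normally,
# the same session ID is then presented from a hosting-provider IP with a
# different browser, and an MFA method is added from that network.
EVENTS = [
    {"time": "2024-05-02T08:01:10Z", "type": "SignIn", "user": "a.byrne@contoso.example",
     "ip": "81.0.0.10", "asn": "AS1234", "country": "IE",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0", "session": "sess-7f3a"},
    {"time": "2024-05-02T08:14:55Z", "type": "SignIn", "user": "a.byrne@contoso.example",
     "ip": "185.0.0.77", "asn": "AS9999", "country": "NL",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0", "session": "sess-7f3a"},
    {"time": "2024-05-02T08:19:30Z", "type": "MfaMethodAdded", "user": "a.byrne@contoso.example",
     "ip": "185.0.0.77", "asn": "AS9999", "country": "NL",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0", "session": "sess-7f3a",
     "detail": "Authenticator app added"},
    {"time": "2024-05-02T09:02:00Z", "type": "SignIn", "user": "c.walsh@contoso.example",
     "ip": "81.0.0.11", "asn": "AS1234", "country": "IE",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0", "session": "sess-11c0"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def network_fingerprint(event):
    """What a session is compared against: ASN, country and user agent.
    IP alone is too noisy (mobile carriers rotate addresses); ASN plus UA is a
    cheap approximation of 'same device on the same kind of network'."""
    return (event["asn"], event["country"], event["ua"])


def detect(events, mfa_window=timedelta(hours=1)):
    """Return alerts, in time order, for session replay and MFA tampering."""
    alerts = []
    issued_from = {}   # session id -> (fingerprint, issuing event)
    replays = {}       # user -> (time of latest replay, replaying fingerprint)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        now = parse_time(ev["time"])
        fp = network_fingerprint(ev)
        if ev["type"] == "SignIn":
            if ev["session"] not in issued_from:
                issued_from[ev["session"]] = (fp, ev)      # first sighting: cookie issued here
            elif issued_from[ev["session"]][0] != fp:
                origin = issued_from[ev["session"]][1]
                alerts.append({
                    "rule": "session_replay", "user": ev["user"], "session": ev["session"],
                    "issued_from": origin["ip"], "replayed_from": ev["ip"], "time": ev["time"],
                })
                replays[ev["user"]] = (now, fp)
        elif ev["type"] == "MfaMethodAdded":
            replay = replays.get(ev["user"])
            # Only correlate when the change comes from the replaying network,
            # within the window, so a user's own later enrolment is not flagged.
            if replay and replay[1] == fp and now - replay[0] <= mfa_window:
                alerts.append({
                    "rule": "mfa_change_after_replay", "user": ev["user"],
                    "from": ev["ip"], "detail": ev.get("detail", ""), "time": ev["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Comparing ASN and user agent rather than raw IP keeps roaming and carrier-grade NAT from tripping the rule, but VPN users and browser upgrades will still produce false positives, so treat a hit as a risk score to correlate with the Defender XDR and Entra ID Protection signals from step 2 rather than as grounds for an automatic block.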


5 Tips to Help Protect Against AiTM Attacks

Being able to detect and remediate an in-progress AiTM attack is vital, but there are steps you can take to lower your chances of falling victim to these tactics and to limit the damage should they succeed.

1. Implementing Strong Encryption

Encryption in transit is the fundamental defence against the network-position form of AiTM. Using WPA3 on wireless networks and TLS for every service denies an attacker on the path the ability to read or alter traffic. Note the limit: a reverse-proxy phishing AiTM does not need to break encryption, because the victim opens an HTTPS connection to the attacker’s domain and the proxy opens its own to the real site. Encryption protects the path, not the victim’s choice of endpoint.

2. Utilising VPNs and Enforcing HTTPS

Virtual Private Networks (VPNs) provide a secure tunnel for data transmission, making it hard for an attacker on an untrusted network to intercept sensitive information. Enforcing HTTPS, with HSTS so that browsers refuse to fall back to plain HTTP, ensures that data exchanged between the user’s browser and the legitimate website is encrypted. Neither control stops a reverse-proxy AiTM on its own, since the phishing site presents a valid certificate for the attacker’s look-alike domain; tip 5 addresses that case.

3. Network Segmentation

Isolating critical infrastructure components through network segmentation can limit the impact of an AitM attack. By creating separate network segments for sensitive systems, organisations can prevent attackers from easily moving laterally within the network.

4. Implementing Intrusion Detection Systems

Network intrusion detection and prevention systems (IDS/IPS) are essential tools for identifying and mitigating the network-layer variant of AiTM activity. These systems monitor traffic for signs of unusual behaviour or known attack patterns, such as ARP anomalies or connections to known phishing infrastructure, providing early detection and response capabilities. The identity-layer variant leaves its trace in sign-in logs rather than on the wire, which is why the detection steps above focus on that telemetry.

5. Prioritising Passwordless Authentication

Strengthen your organisation’s authentication requirements with phishing-resistant, passwordless methods: physical FIDO2 security keys, passkeys, Windows Hello for Business, or certificate-based authentication. These bind the credential to the origin of the site the browser is actually on, so an assertion obtained on a look-alike domain is rejected by the real service, which is what makes them markedly less vulnerable to AiTM than passwords plus a relayable one-time code or push approval. Conditional Access authentication strengths can require these methods for sensitive applications.
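The following added teaching model (not code from the original article, and not a WebAuthn implementation) ties the reverse-proxy mechanics described earlier to the reason tip 5 works. It models a browser, an authenticator and a relying party, and plays through a genuine sign-in, the same sign-in relayed through a phishing proxy, and, for contrast, a relayed one-time code. The authenticator’s “signature” is an HMAC with a per-credential secret standing in for the real private-key signature; the structure (origin recorded in clientDataJSON, rpIdHash in the authenticator data, browser-enforced RP ID scoping) follows the WebAuthn model. All hostnames are constructed.

```python
"""Added teaching model of WebAuthn origin binding versus OTP relay.
HMAC stands in for the authenticator's asymmetric signature; hostnames are constructed."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.contoso.example"
REAL_RP_ID = "contoso.example"
PHISH_ORIGIN = "https://login.contoso-secure.example"   # attacker's reverse proxy (constructed)


class Authenticator:
    # Real authenticators also refuse to use a credential for any other RP ID;
    # that check is omitted so the relying-party-side rejection is what runs.
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.credentials[cred_id] = (rp_id, key)
        return cred_id, key          # the RP stores `key` (a public key in reality)

    def sign(self, cred_id, auth_data, client_data_hash):
        _, key = self.credentials[cred_id]
        return hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(authenticator, cred_id, origin, rp_id, challenge):
    """Model of navigator.credentials.get(): the browser only honours an RP ID
    that is the current origin's host or a parent domain of it, and it writes
    the origin the page is really loaded from into clientDataJSON."""
    host = urlparse(origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"origin {origin} is not permitted to use rpId {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    # rpIdHash (32 bytes) + flags (user present) + signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    sig = authenticator.sign(cred_id, auth_data, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(stored_key, challenge, client_data, auth_data, sig,
              expected_origin=REAL_ORIGIN, rp_id=REAL_RP_ID):
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:          # origin binding defeats the proxy
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(stored_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legitimate_login():
    auth = Authenticator()
    cred_id, key = auth.register(REAL_RP_ID)
    challenge = secrets.token_hex(16)
    return rp_verify(key, challenge,
                     *browser_get_assertion(auth, cred_id, REAL_ORIGIN, REAL_RP_ID, challenge))


def aitm_relay_login():
    """The proxy fetches a genuine challenge from the RP and relays it to the
    victim, whose browser is on PHISH_ORIGIN. Returns
    (browser_refused_real_rp_id, rp_accepted_assertion_made_for_proxy_rp_id)."""
    auth = Authenticator()
    cred_id, key = auth.register(REAL_RP_ID)
    challenge = secrets.token_hex(16)          # issued by the real RP, relayed verbatim
    try:                                       # attempt 1: page asks for the real RP ID
        browser_get_assertion(auth, cred_id, PHISH_ORIGIN, REAL_RP_ID, challenge)
        refused = False
    except ValueError:
        refused = True
    # attempt 2: page asks for its own RP ID; the browser complies, the proxy
    # forwards the assertion, and the RP rejects it on origin and rpIdHash.
    assertion = browser_get_assertion(auth, cred_id, PHISH_ORIGIN, "contoso-secure.example", challenge)
    return refused, rp_verify(key, challenge, *assertion)


def hotp(secret, counter):
    """RFC 4226 HOTP, the building block of TOTP codes."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def otp_relay_login():
    """Same proxy, but the second factor is a 6-digit code. Nothing in the code
    names the origin, so the proxy forwards it unchanged and the RP accepts."""
    secret, counter = secrets.token_bytes(20), 42
    typed_on_phishing_page = hotp(secret, counter)
    relayed_by_proxy = typed_on_phishing_page
    return hmac.compare_digest(relayed_by_proxy, hotp(secret, counter))
```

Calling `legitimate_login()` returns True, `aitm_relay_login()` returns `(True, False)` (the browser refuses the real RP ID on the phishing origin, and an assertion made for the proxy’s own RP ID fails the relying party’s origin check), and `otp_relay_login()` returns True: the relayed code is indistinguishable from one typed on the real site, which is exactly the gap a reverse-proxy AiTM exploits.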


No matter where you are in your access and identity journey, Threatscape’s team of experts can help ensure you get the most out of your Microsoft Security solutions.

Threatscape are one of very few specialised security companies with a dedicated Microsoft Security Practice. Our expertise in this space is reflected in our status as a Solutions Partner in Security with three advanced specialisations, and as five-time winners of the Microsoft Security Partner of The Year Award. Our consultants work exclusively with Microsoft Security solutions to provide a range of managed and professional services.

Threatscape’s complimentary Microsoft Entra ID Advisory Service helps you to understand the identity threats that our Microsoft experts see lodged against organisations every day, and the associated security protections available within your Microsoft 365 licence.  

During your no-obligation consultation with one of our consultants, you’ll gain insight and recommendations on how Entra ID and other capabilities within Microsoft 365 help defend cloud identities against a wealth of threats. 
