The cybercrime world has shown significant interest in an open source adversary-in-the-middle (AiTM) phishing kit because of its capacity to support large-scale attacks. Microsoft Threat Intelligence is tracking the emerging threat actor responsible for creating the kit under the alias DEV-1101.
AiTM phishing attacks deploy a proxy server between the user and the website they are signing in to, allowing the attacker to intercept passwords and session cookies. These attacks are particularly effective because the proxy relays the entire login, including the multi-factor authentication (MFA) step, and captures the session cookie issued afterwards, so MFA safeguards do not stop them.
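Because the interactive sign-in (including MFA) happens from the proxy and the captured cookie is then used from somewhere else, one defensive signal is a session cookie presented from a different network origin than the one that completed MFA. The following is an added example written for this article, not code from Microsoft or from the kit; the log format, field names and sample events are constructed.

```python
"""Flag session cookies replayed from a different origin than the one that
completed MFA, a tell-tale of AiTM-style cookie theft.

The event schema below is constructed for this example (not a vendor schema):
(timestamp, event_type, session_id, client_ip, asn). "mfa_success" marks the
interactive sign-in that issued the session; "request" is a later use of it.
"""

# Constructed sample log: sess-A1 completes MFA from one ASN (the proxy) and is
# then reused from another ASN; sess-B2 is a normal session.
EVENTS = [
    ("2023-03-13T09:00:01", "mfa_success", "sess-A1", "203.0.113.10", "AS64500"),
    ("2023-03-13T09:00:05", "request", "sess-A1", "203.0.113.10", "AS64500"),
    ("2023-03-13T09:04:40", "request", "sess-A1", "198.51.100.77", "AS64511"),
    ("2023-03-13T09:10:00", "mfa_success", "sess-B2", "192.0.2.20", "AS64496"),
    ("2023-03-13T09:12:00", "request", "sess-B2", "192.0.2.20", "AS64496"),
]


def find_session_replay(events):
    """Return one finding per (session, new ASN) where a session cookie is used
    from an ASN other than the one that completed MFA for it.

    Comparing ASN rather than raw IP avoids alerting on ordinary address changes
    inside one carrier network; a differing ASN shortly after MFA is the
    pattern worth investigating.
    """
    auth_origin = {}   # session_id -> (ip, asn) recorded at mfa_success
    seen = set()       # (session_id, asn) pairs already reported
    findings = []
    for ts, event, sid, ip, asn in sorted(events, key=lambda e: e[0]):
        if event == "mfa_success":
            auth_origin[sid] = (ip, asn)
        elif event == "request" and sid in auth_origin:
            auth_ip, auth_asn = auth_origin[sid]
            if asn != auth_asn and (sid, asn) not in seen:
                seen.add((sid, asn))
                findings.append({
                    "session_id": sid,
                    "auth_ip": auth_ip, "auth_asn": auth_asn,
                    "replay_ip": ip, "replay_asn": asn,
                    "timestamp": ts,
                })
    return findings


if __name__ == "__main__":
    for f in find_session_replay(EVENTS):
        print(f"session {f['session_id']} authenticated from {f['auth_asn']} "
              f"but used from {f['replay_asn']} ({f['replay_ip']}) at {f['timestamp']}")
```

In practice the MFA origin should also be compared against the user's known devices and locations, since with AiTM the MFA itself is completed from the attacker's proxy rather than the victim's machine.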
According to a technical report by Microsoft, DEV-1101 is responsible for developing multiple phishing kits that are available for purchase or rental by other criminal actors. The use of such kits in the cybercriminal economy reduces the effort and resources required to launch a phishing campaign, thus lowering the barrier of entry for cybercrime.
This service-based economy also leads to double theft, wherein the stolen credentials are sent to both the phishing-as-a-service provider and their customers. The open source kit developed by DEV-1101 offers features such as the ability to set up phishing landing pages that mimic Microsoft Office and Outlook, manage campaigns from mobile devices, and use CAPTCHA checks to evade detection.
The attack sequence begins with document-themed email messages that include a link to a PDF document. Clicking the link directs the recipient to a login page that impersonates Microsoft's sign-in portal. However, before proceeding, the victim is prompted to complete a CAPTCHA step.