Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users

The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting business users of Microsoft email services have also set their sights on Google Workspace users.

“This campaign specifically targeted CEOs and other senior managers of various organizations who use [Google Workspace],” Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.


The AiTM phishing attacks reportedly began in mid-July 2022 and follow a modus operandi similar to that of an earlier social engineering campaign designed to siphon users’ Microsoft credentials and bypass multi-factor authentication. In an AiTM attack the phishing page is a reverse proxy that relays the victim’s login to the real service, so the attacker captures not only the password but also the authenticated session cookie; a one-time code or push approval that the victim supplies is simply forwarded along with everything else, which is why MFA of that kind does not stop the attack.

The low-volume Gmail AiTM phishing campaign also uses the compromised CEO mailboxes for further social engineering, and the attacks route victims through multiple compromised domains that act as intermediate URL redirectors before landing on the final phishing page.


The attack chains start with password expiry emails sent to potential targets containing an embedded malicious link to supposedly “extend your access”. Clicking it abuses open redirects on Google Ads and Snapchat pages, which in turn load the phishing page URL, so the link the victim sees belongs to a trusted domain.

Besides open redirect abuse, a second variant of the attacks relies on compromised sites that host the next-stage redirector, with the redirector’s address and the victim’s email address carried Base64-encoded in the URL. This intermediate redirector is JavaScript code that points to a Gmail phishing page.
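The two delivery variants described above leave recognisable residue in web-proxy logs: a query parameter on a trusted domain whose value is a full URL (the open-redirect hop), and Base64 path segments or query values on the intermediate site that decode to the next-stage URL and the victim’s address. The script below is an added triage example, not code from the Zscaler report or from The Hacker News. The log format, the hostnames under `.test` and the redirect parameter name `url` are all assumptions; the report does not name the parameters abused on Google Ads or Snapchat, and the Base64 values are constructed for the sample.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample web-proxy log (not from the Zscaler report). Hostnames are
# placeholders under .test and the open-redirect parameter name "url" is an
# assumption; the report does not name the parameters abused on Google Ads or Snapchat.
SAMPLE_LOG = """\
2022-07-16T09:12:01Z ceo@corp.test GET https://ads-redirector.test/redirect?url=https%3A%2F%2Fcompromised-site.test%2Fgo%2FaHR0cHM6Ly9waGlzaC50ZXN0L2xvZ2lu%2FY2VvQGNvcnAudGVzdA%3D%3D
2022-07-16T09:12:02Z ceo@corp.test GET https://compromised-site.test/go/aHR0cHM6Ly9waGlzaC50ZXN0L2xvZ2lu/Y2VvQGNvcnAudGVzdA==
2022-07-16T09:12:03Z ceo@corp.test GET https://phish.test/login?u=Y2VvQGNvcnAudGVzdA==
2022-07-16T09:15:00Z bob@corp.test GET https://mail.google.com/mail/u/0/
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_token(token):
    """Decode a path segment or query value if it is Base64 for printable ASCII,
    else return None. Accepts the standard and URL-safe alphabets and tolerates
    stripped padding; short tokens such as normal path words are ignored."""
    if not B64_RE.match(token):
        return None
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None


def analyze_url(url, depth=0):
    """Pull out the three artefacts the campaign leaves in a request: an
    open-redirect target, a Base64-encoded next-stage URL and a Base64-encoded
    victim address. Follows the redirect target (a few hops at most) so the
    first request in the chain already reveals the final destination."""
    parts = urlsplit(url)
    query_values = [v for values in parse_qs(parts.query).values() for v in values]
    findings = {"host": parts.hostname, "redirect_to": None, "next_stage": None, "victim": None}

    # Open-redirect abuse: a query value that is itself an absolute URL.
    for value in query_values:
        if value.startswith(("http://", "https://")):
            findings["redirect_to"] = value

    # Base64 artefacts in path segments and query values.
    for token in [seg for seg in parts.path.split("/") if seg] + query_values:
        decoded = decode_b64_token(token)
        if decoded is None:
            continue
        if decoded.startswith(("http://", "https://")):
            findings["next_stage"] = decoded
        elif EMAIL_RE.match(decoded):
            findings["victim"] = decoded

    if findings["redirect_to"] and depth < 3:
        inner = analyze_url(findings["redirect_to"], depth + 1)
        findings["next_stage"] = findings["next_stage"] or inner["next_stage"]
        findings["victim"] = findings["victim"] or inner["victim"]
    return findings


def analyze_log(log_text):
    """Return one record per request that shows any of the artefacts; clean
    requests (like the real Gmail visit at the end of SAMPLE_LOG) are dropped."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, _method, url = line.split(maxsplit=3)
        findings = analyze_url(url)
        if findings["redirect_to"] or findings["next_stage"] or findings["victim"]:
            hits.append({"time": timestamp, "user": user, "url": url, **findings})
    return hits


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["host"], "->", hit["next_stage"], hit["victim"])
```

Run against the constructed log, the first hit already names the final phishing host and the targeted mailbox because the open-redirect value is decoded recursively; the last line, a genuine Gmail visit, produces no hit. The same pattern (trusted domain, query value that is a URL, long Base64 segments decoding to a URL or an address) is what to hunt for in real proxy or secure-web-gateway logs.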


In one case highlighted by Zscaler, the redirect page used in the Microsoft AiTM phishing attack on July 11, 2022 was updated on July 16, 2022 to send users to a Gmail AiTM phishing page instead, tying both campaigns to the same threat actor.

“There was also an overlap of infrastructure, and we even identified several instances in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure,” the researchers said.

The findings indicate that multi-factor authentication safeguards alone cannot protect against this class of phishing attack, because an AiTM proxy relays the second factor and captures the resulting session. Users should still review the URL in the address bar before entering credentials and refrain from opening attachments or clicking on links in emails sent from untrusted or unknown sources, but the structural fix is a second factor that is bound to the legitimate site’s origin.

Update: Following the story’s publication, Google told The Hacker News that Gmail has “layers of phishing protection” to protect users against these types of attacks. “Protections examine many signals even when phishing links in the message attempt to obscure their destination (sender reputation, spoofed logos in the message, sender-recipient affinity, and hundreds more),” the company said.

Besides recommending hardware security keys for multi-factor authentication to eliminate AiTM attacks, the tech giant noted that its Safe Browsing service detects all of the still-active phishing domains as malicious and so prevents users from navigating to the fraudulent login pages in the browser.
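Why a security key survives the relay while a one-time code does not comes down to what the second factor is signed over. The model below is an added example, not code from the article, Google or Zscaler. It implements a real TOTP (RFC 6238) and a simplified WebAuthn assertion check; the relying-party ID, the origins and the secrets are assumptions, and an HMAC stands in for the key’s ECDSA signature so the block runs with the standard library only. A TOTP code carries no information about the page it was typed into, so the proxy forwards it and the service accepts it. A WebAuthn assertion is signed over the rpIdHash and the browser-supplied origin, and the relying party rejects anything produced on the proxy’s origin.

```python
import hashlib
import hmac
import json

# Assumed relying-party (RP) parameters; every hostname here is a placeholder.
RP_ID = "corp.test"
RP_ORIGIN = "https://login.corp.test"
PHISH_ORIGIN = "https://login-corp.test"   # the AiTM proxy's origin (constructed)


# --- TOTP per RFC 6238: a second factor the proxy only has to forward ---------
def totp(secret, unix_time, step=30, digits=6):
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_verify_totp(secret, submitted_code, unix_time):
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


def aitm_relay_totp(secret, unix_time, relay_delay=3):
    """The victim types the code into the proxy's page; the proxy submits it to
    the real service a few seconds later. Nothing in the code names the site it
    was typed on, so the RP accepts it (assumes the relay stays in the same step)."""
    code_typed_on_phish = totp(secret, unix_time)
    return rp_verify_totp(secret, code_typed_on_phish, unix_time + relay_delay)


# --- WebAuthn-style assertion: the key signs over rpId and origin --------------
def key_assert(cred_secret, rp_id, origin, challenge):
    """Model of navigator.credentials.get(): the browser, not the page, supplies
    origin and rpId, and the key signs authenticatorData || SHA-256(clientDataJSON).
    HMAC stands in for the key's ECDSA signature (stdlib-only assumption)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")   # rpIdHash | flags(UP) | signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify_assertion(cred_secret, response, expected_challenge):
    """The RP-side checks from the WebAuthn assertion verification procedure."""
    client_data = json.loads(response["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if response["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = response["authenticatorData"] + hashlib.sha256(response["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(cred_secret, challenge):
    response = key_assert(cred_secret, RP_ID, RP_ORIGIN, challenge)
    return rp_verify_assertion(cred_secret, response, challenge)


def aitm_relay_assertion(cred_secret, challenge):
    """The proxy forwards the RP's challenge to the victim's browser, which is on
    PHISH_ORIGIN, and relays whatever comes back. In reality the key holds no
    credential scoped to the proxy's rpId and returns nothing; even in the worst
    case modelled here, where it signs anyway, the RP rejects the result."""
    response = key_assert(cred_secret, "login-corp.test", PHISH_ORIGIN, challenge)
    return rp_verify_assertion(cred_secret, response, challenge)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226/6238 test-vector secret
    print("TOTP relayed through AiTM accepted:", aitm_relay_totp(seed, 1_000_000_000))
    print("Security key, real origin:", legitimate_login(seed, "c29tZS1jaGFsbGVuZ2U"))
    print("Security key via AiTM:", aitm_relay_assertion(seed, "c29tZS1jaGFsbGVuZ2U"))
```

The order of checks in `rp_verify_assertion` matters for a real deployment too: origin and rpIdHash are compared before the signature, so a relayed assertion is rejected even if the attacker somehow obtained a valid signature. The same origin binding is what makes passkeys and FIDO2 keys the recommended replacement for OTP and push-based MFA against AiTM kits.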
