CTAs Using Adversary in the Middle (AiTM) Phishing Attacks
By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)
Published January 8, 2023
The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) assesses with moderate confidence that cyber threat actors (CTAs) will continue to employ Adversary in the Middle (AiTM) attacks opportunistically against U.S. State, Local, Tribal, and Territorial (SLTT) government entities.
AiTM attacks enable CTAs to exploit vulnerabilities in digital communication channels and bypass multi-factor authentication (MFA). CTAs can intercept, manipulate, and steal sensitive information, causing the victim financial loss or reputational damage. This technique highlights the threat actor’s ability to innovate new ways to bypass defensive solutions such as MFA.
In the past, effective AiTM phishing attempts required CTAs to leverage strong technical capabilities. CTAs crafted a phishing email, built a convincing fake landing page, and set up the reverse proxy to capture the credentials. However, the popularity of Phishing as a Service (PhaaS) cybercrime options enables threat actors to purchase the necessary components out of the box. This has lowered the barrier to entry for CTAs with limited technical proficiency.
Harnessing Phishing Tools for AiTM Attacks
Many open-source phishing tools enable lower-skilled CTAs to launch successful attacks. One of the most popular tools is the open-source phishing framework “EvilGinx3,” which offers enhanced capabilities beyond its predecessor, EvilGinx. The current iteration is an independent application built using the Go programming language. It incorporates its own HTTP and DNS servers, greatly simplifying the process of setting up and deploying an AiTM phishing attack. EvilGinx3 includes custom phishing login pages, known as “phishlets.” According to Janbakker.tech, CTAs can use those pages to create custom Office 365 login pages; mimic other popular websites such as Amazon, LinkedIn, Facebook, and X; and serve them to victims.
Figure 1 shows the EvilGinx3 main menu as seen through a terminal session, displaying the tool's user interface, resources, and phishlets provided. This interface is where a CTA would configure and activate the deceptive pages for their phishing campaign.
Figure 1: EvilGinx3 Main Menu
Other phishing tools include Muraena, Modlishka, and EvilProxy. EvilProxy is a PhaaS platform available for purchase at $400 per month via Telegram. The software is simple to deploy and includes an easy-to-use graphical user interface (GUI), ready-to-deploy phishing pages, and instructional videos.
AiTM Phishing Campaign Example
CTAs deploying AiTM attacks are known to conduct opportunistic and widespread phishing campaigns as well as more targeted spear-phishing emails. To accomplish this, CTAs often leverage legitimate services unlikely to raise the target users’ suspicion. For example, Microsoft spotted CTAs using Canva, a free online graphic design tool, to craft convincing emails that mask the link to their phishing URL.
Once the victim clicks the Canva link, they encounter a graphic containing a call-to-action button with a label such as “Download Invoice” that disguises the malicious domain. After clicking the button, the attack redirects the victim to the malicious domain. At this stage, an AiTM phishing tool such as EvilGinx3 establishes a man-in-the-middle presence via a reverse proxy server between the user and the targeted application. As a result, the victim lands on a look-alike landing page tailored to target specific credentials, such as Microsoft Outlook. This positioning enables the CTA to eavesdrop on the communication between the target parties, whether by sniffing network traffic or manipulating transmitted data. The endpoints targeted can include a user and an application, a user and another user, or two devices. This access enables the attacker to potentially intercept user credentials, session cookies, and MFA authentication codes as well as manipulate the victim’s Domain Name System (DNS) settings to drop malware.
After the victim successfully logs into the AiTM phishing page, the attack requires them to use MFA for an additional layer of verification. Once the user’s authentication is confirmed, the attack directs them to their original email client, such as Microsoft Outlook. By authenticating through the CTA’s spoofed login page, the victim unwittingly enables the CTA to capture their login credentials and session cookies. With tools like “Cookie Editor,” CTAs can transplant the stolen authenticated session cookie and infiltrate the compromised account without further authorization, effectively bypassing MFA.
The following flowchart illustrates the stages of an AiTM phishing attack, as described previously.
Figure 2: AiTM Attack Lifecycle
Adversary-in-the-Middle Leads to Financial Fraud
As we've previously discussed, cybercriminals look to leverage compromised accounts and systems for financial gain. For example, CTAs use compromised email accounts for Business Email Compromise (BEC) schemes where they leverage trusted email accounts to convince other users to send money. In 2022, the Internet Crime and Complaint Center (IC3) received 21,832 BEC complaints with adjusted losses of over $2.7 billion.
CTAs also use AiTM tactics, techniques, and procedures (TTPs) to compromise sessions for other forms of financial fraud. In Q2 2023, the MS-ISAC observed multiple cases where CTAs employed an AiTM attack to harvest victims’ payroll login credentials. In one case, the CTA made a series of unauthorized changes to the victim’s direct deposit settings, rerouting their payroll funds into accounts owned by the attacker.
How to Defend Against AiTM Phishing Attacks
To mitigate the risk of AiTM attacks, we recommend that you implement a defense-in-depth security approach, regular user training, and network monitoring.
The most common remediation technique for an account compromise is to change the impacted user’s password. However, in an AiTM attack, a password change will not solve the issue. This is because the user's sign-in session is compromised.
A more effective way to defend against AiTM is by implementing the following procedures:
- Set conditional access policies within a user’s MFA settings.
- Create group policies that prohibit self-signed certificates.
- Register for Malicious Domain Blocking and Reporting (MDBR), an MS-ISAC service which automatically blocks web requests to known malicious websites, including websites used in phishing campaigns.
- Perform continuous monitoring of suspicious activity, including:
  - Sign-in attempts
  - Unidentified or suspicious inbox rules
  - Changes in MFA settings
- Implement a DMARC policy.
- Mark emails from external sources.
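The monitoring items in the list above (sign-in attempts, inbox rules, MFA changes) are most useful when correlated per session. The following Python example is added here and is not code from CIS or MS-ISAC; it flags a session that shows up from a different IP address or user agent after MFA succeeded, and raises the severity when an inbox rule or MFA change follows within an hour. The event field names, action values, and sample events are constructed assumptions, not the schema of any real product.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names and action values are hypothetical,
# not the schema of any particular identity provider or mail platform.
EVENTS = [
    {"time": "2023-06-05T13:02:11", "user": "jdoe", "session": "s-1001",
     "ip": "198.51.100.7", "ua": "Chrome/114 Windows", "action": "signin_mfa_ok"},
    {"time": "2023-06-05T13:09:40", "user": "jdoe", "session": "s-1001",
     "ip": "203.0.113.50", "ua": "Firefox/102 Linux", "action": "mail_access"},
    {"time": "2023-06-05T13:11:02", "user": "jdoe", "session": "s-1001",
     "ip": "203.0.113.50", "ua": "Firefox/102 Linux", "action": "inbox_rule_created"},
    {"time": "2023-06-05T13:15:30", "user": "jdoe", "session": "s-1001",
     "ip": "203.0.113.50", "ua": "Firefox/102 Linux", "action": "mfa_method_added"},
    {"time": "2023-06-05T14:00:00", "user": "asmith", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Edge/114 Windows", "action": "signin_mfa_ok"},
    {"time": "2023-06-05T14:20:00", "user": "asmith", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Edge/114 Windows", "action": "inbox_rule_created"},
]

SENSITIVE = {"inbox_rule_created", "mfa_method_added"}
WINDOW = timedelta(hours=1)

def find_alerts(events, window=WINDOW):
    """Return (severity, user, session, reason) tuples in time order."""
    origin = {}     # session -> (ip, ua) seen when MFA succeeded
    reused = {}     # session -> time the session first appeared from another client
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        sid, client = ev["session"], (ev["ip"], ev["ua"])
        if ev["action"] == "signin_mfa_ok":
            origin[sid] = client
            continue
        if sid in origin and client != origin[sid] and sid not in reused:
            reused[sid] = when
            alerts.append(("medium", ev["user"], sid, "session used from new client"))
        if ev["action"] in SENSITIVE and sid in reused and when - reused[sid] <= window:
            alerts.append(("high", ev["user"], sid, ev["action"] + " after session reuse"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The client comparison is a heuristic: a user who changes networks mid-session will also produce the medium alert, which is why the follow-on inbox rule or MFA change is what raises it to high.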
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.
Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.