‘Adversary in the middle attacks’ are becoming hackers’ go-to method to bypass MFA

Microsoft has announced it has taken legal action to disrupt over 240 fraudulent websites owned by an Egypt-based cyber crime group, noting the tactics deployed in the DIY phishing operation reflect a broader shift in the industry.

The firm published a blog revealing its Digital Crimes Units (DCU) had disrupted the pages associated with Abanoub Nady, known online as MRxC0DER, who developed and sold DIY phishing kits fraudulently using the ONNX brand.

“Numerous cyber criminal and online threat actors purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts,” Microsoft said.

Microsoft claimed the fraudulent ONNX operation reflected the “advancing sophistication of online threats”, using adversary in the middle (AiTM) techniques to bypass security layers like multifactor

AiTM attacks are a variant of the man in the middle (MiTM) attacks, where cyber criminals intercept communications between two parties to steal data.

In an AiTM attack, the threat actors can also actively interfere with these communications, such as modifying the messages rather than simply relaying them.

The blog said AiTM attacks have become the “go-to” method used by malicious actors to bypass multifactor authentication (MFA) protection layers.

In the company’s annual Digital Defense report, Microsoft said it observed a 146% rise in AiTM attacks alone this year.

Microsoft also noted that the Financial Industry Regulatory Authority (FINRA) recently published an alert warning of a spike of AiTM attacks against members fueled by the fraudulent ONNX operation.

Fake ONNX project one of the most popular PhaaS providers in first half of 2024

The tech giant found the fraudulent ONNX operation was among the top five phishing as a service (PhaaS) providers by email volume in the first half of 2024.

Nady promoted his DIY phishing kits through Telegram, offering a variety of subscription tiers ranging from $150 and $550 per month, with kits developed to target popular companies including Google, Microsoft, and Dropbox.

“Much like how e-commerce businesses sell products, Abanoub Nady and his associates marketed and sold their illicit offerings through branded storefronts, including the fraudulent ‘ONNX Store’,” the blog noted.

The original ONNX name and logo used by the Nady is owned by the Linux Foundation and represents the Open Neural Network Exchange, an open standard format and open source runtime for representing machine learning models.

“At the Linux Foundation, we advocate collaboration as a powerful tool for tackling complex challenges. Today, we celebrate our recent collaboration with Microsoft to defend millions of individuals and organizations from a global phishing-as-a-service criminal operation.”

“We encourage organizations who find themselves in a position to fight one element of a cybercrime problem to identify ways to collaborate and build a stronger collective response."

Microsoft noted that “no disruption is complete in one action”, adding that combatting operations like Nady’s ONNX requires determination and ongoing vigilance to keep disrupting new malicious infrastructure.

The blog warned that cyber criminals will continue to evolve their methods, warning it is crucial for organizations and individuals to stay informed and vigilant for the latest techniques leveraged by adversaries.