Page 103 - Cyber Defense eMagazine March 2024

Adversary in the Middle: Transparent Proxy Phishing

One of the worst tactics in the adversary playbook is session token theft via transparent proxy phishing.
This attack is insidious. Our partners often ask, “Now that I’ve implemented multi-factor authentication on
my account, I should be safe, right?” Transparent proxy phishing is the reason why experts can’t answer
“yes” when they ask that question.

The premise for this attack is simple: multi-factor authentication (MFA) would stop an attack in progress
given that the adversary doesn’t possess the additional authentication factor at the time of the attack. But
most modern websites, including the Microsoft 365 login portal, grant a session token to the user after
the user logs in with their password and provides their additional factor for authentication. Once that
session token is in the user’s browser, it becomes a de facto proof of identity for that user. So, why not
steal that session token instead?

The adversary tricks the victim into visiting their attacker-controlled domain. When the victim visits this
domain, usually after receiving a phishing email with a link that directs them there, they see the Microsoft
365 login portal. The victim figures there’s some weird error going on and they need to log back into
Microsoft 365. Unfortunately, they’re entering their credentials into a transparent proxy, which brokers
the victim’s session with the actual Microsoft 365 page.

The victim enters their password, which is captured by the evil server in the middle. The evil server relays
the password to the real Microsoft 365 login site, which passes the first authentication stage. Microsoft
365 then requests the additional factor, which is relayed back to the victim through the evil server. When
the victim completes the additional factor, the session passes authentication and the resulting session
token is delivered to the victim’s browser…by traveling through the evil server! The adversary effectively
captures the session token while it’s on its way back to the user and can inject it into their own browser
to log into the victim’s account. Dastardly!
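The flow above has a detection angle: the token is issued to the victim's browser fingerprint (source address and user agent) and then presented from the adversary's browser, so the same session shows up under two fingerprints shortly after MFA completes. The following is an added example, not code from the article or from Microsoft; the event field names (session_id, src_ip, user_agent, kind) are hypothetical, and the sign-in events are constructed for illustration.

```python
"""Flag session tokens presented from a client that differs from the one
that completed MFA.

Added example, not code from the article or from Microsoft. The field names
(session_id, src_ip, user_agent, kind) are hypothetical, and the events are
constructed. A token relayed through an adversary-in-the-middle proxy is
issued to one client fingerprint and then replayed from another, so one
session used by two fingerprints soon after issuance deserves an alert.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str         # "mfa_success" (token issued) or "request" (token presented)
    user: str
    session_id: str   # opaque id of the session token; never log the token itself
    src_ip: str
    user_agent: str


def _t(hhmm: str) -> datetime:
    """Build a timestamp on a fixed constructed date."""
    return datetime.strptime(f"2024-03-01 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample log. Alice completes MFA from her office PC; minutes later
# her session is used from another address with another browser. Bob's session
# moves to a new address but keeps the same browser (a network change), and one
# event references a session this log never saw issued.
SAMPLE_EVENTS: List[Event] = [
    Event(_t("09:00"), "mfa_success", "alice", "sess-A", "203.0.113.10", "Edge/122 Windows"),
    Event(_t("09:05"), "request",     "alice", "sess-A", "203.0.113.10", "Edge/122 Windows"),
    Event(_t("09:12"), "request",     "alice", "sess-A", "198.51.100.77", "Chrome/122 Linux"),
    Event(_t("09:20"), "request",     "alice", "sess-A", "198.51.100.77", "Chrome/122 Linux"),
    Event(_t("09:00"), "mfa_success", "bob",   "sess-B", "192.0.2.5",    "Safari/17 macOS"),
    Event(_t("09:30"), "request",     "bob",   "sess-B", "192.0.2.5",    "Safari/17 macOS"),
    Event(_t("10:00"), "request",     "bob",   "sess-B", "192.0.2.9",    "Safari/17 macOS"),
    Event(_t("10:05"), "request",     "carol", "sess-C", "192.0.2.40",   "Firefox/123 Windows"),
]

Alert = Tuple[str, str, str, str, str]  # (user, session_id, issuing_ip, other_ip, severity)


def find_token_replays(events: List[Event],
                       window: timedelta = timedelta(hours=12)) -> List[Alert]:
    """Return one alert per session whose token is presented, within `window`
    of MFA completion, by a fingerprint different from the one that did MFA.

    Severity is "high" when both IP and user agent differ and "medium" when
    only one differs (an IP change alone is common on mobile networks).
    """
    issued: Dict[str, Event] = {}
    alerts: List[Alert] = []
    already_alerted = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            issued[ev.session_id] = ev
            continue
        origin = issued.get(ev.session_id)
        if origin is None or ev.session_id in already_alerted:
            continue   # no issuance record in this log, or already reported
        if ev.ts - origin.ts > window:
            continue   # outside the replay window of interest
        ip_differs = ev.src_ip != origin.src_ip
        ua_differs = ev.user_agent != origin.user_agent
        if not (ip_differs or ua_differs):
            continue   # same fingerprint that completed MFA: normal use
        severity = "high" if ip_differs and ua_differs else "medium"
        alerts.append((ev.user, ev.session_id, origin.src_ip, ev.src_ip, severity))
        already_alerted.add(ev.session_id)
    return alerts


if __name__ == "__main__":
    for alert in find_token_replays(SAMPLE_EVENTS):
        print(alert)
```

On the constructed log this yields a high-severity alert for Alice (new address and new browser twelve minutes after MFA) and a medium one for Bob (address change only). In production the equivalent signal comes from the identity provider's sign-in and activity logs, and the medium tier is where tuning against legitimate roaming happens.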

Much like the classic vampire of legend, these attacks can’t hurt individuals or businesses unless they’re
invited in. Social engineering is still the primary method for delivering the links that result in a user landing
on one of these transparent proxy login pages. The URL of the site in question is still the most trusted
source to determine if the website is legitimate or not. For example, a user who wants to log into Microsoft
365 should expect to land on “login.onmicrosoft[.]com” and not “some.evilsite[.]com”.
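Checking "the URL" is only meaningful if it is the hostname that gets compared, exactly, against the expected sign-in host; lookalikes rely on the expected name appearing somewhere else in the link. The following is an added example, not code from the article or from Microsoft, written for a link-checking or mail-filtering tool; it uses the host the article names as its allowlist entry (adjust it to the sign-in host your tenant actually uses), and the test links are constructed.

```python
"""Decide whether a link really points at the expected login host.

Added example, not code from the article or from Microsoft. The allowlist
entry is the host the article names; replace it with your own tenant's
sign-in host. Sample links are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

EXPECTED_LOGIN_HOSTS = {"login.onmicrosoft.com"}


def check_login_url(url: str,
                    allowed_hosts: Iterable[str] = EXPECTED_LOGIN_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason). Only an exact, https, name-based match passes."""
    allowed = {h.lower().rstrip(".") for h in allowed_hosts}
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    # "https://login.onmicrosoft.com@some.evilsite.com/" puts the trusted name
    # in the userinfo part; the browser connects to what follows the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"

    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if not host:
        return False, "no host in link"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a name"
    except ValueError:
        pass
    # Internationalised labels can render as homoglyphs of the real name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label (possible homoglyph)"

    if host in allowed:
        return True, "host matches expected login host exactly"
    # The expected name appearing as a subdomain prefix or in the path is the
    # classic lookalike: "login.onmicrosoft.com.some.evilsite.com".
    for good in allowed:
        if good in host or good in parts.path.lower():
            return False, f"looks like {good} but the host is {host}"
    return False, f"unexpected host {host}"


def audit_links(urls: Iterable[str]) -> List[Tuple[str, bool, str]]:
    """Run the check over a batch of links, e.g. all links found in one email."""
    return [(u, *check_login_url(u)) for u in urls]


# Constructed links: one legitimate, the rest are common disguises.
SAMPLE_LINKS = [
    "https://login.onmicrosoft.com/common/oauth2",
    "https://LOGIN.onmicrosoft.com./common",
    "https://login.onmicrosoft.com.some.evilsite.com/",
    "https://login.onmicrosoft.com@some.evilsite.com/",
    "https://some.evilsite.com/login.onmicrosoft.com/",
    "http://login.onmicrosoft.com/",
    "https://203.0.113.45/login",
]

if __name__ == "__main__":
    for url, ok, reason in audit_links(SAMPLE_LINKS):
        print(("OK  " if ok else "BAD "), url, "->", reason)
```

Only the first two sample links pass: the trailing dot and upper-case host are just normalisation. The rest each show one way the trusted name can appear in a link that still lands on an attacker-controlled host, which is exactly what a transparent proxy needs.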


When it comes to this attack, end users should keep a healthy amount of suspicion about the links
people ask them to click. Verify with the person who supposedly sent you the link. Did they actually
send it? Is there urgency about the situation? Have they tried to build rapport with you to coerce you into
clicking? This attack can compromise even the hard targets who protect their accounts with MFA, so it’s
worth the scrutiny and time needed to verify.



Credential Attacks: Password Sprays, Credential Stuffing, Brute Forcing

For individuals out there who don’t use MFA, the threat equation is much simpler. For any accounts
that don’t have an additional factor, an adversary would either have to guess or acquire the victim’s
password to log in as that identity. These credential attacks come in three flavors: password spraying,




            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.