"Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users"

A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users. According to Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu, this campaign specifically targeted chief executives and other senior members of different organizations that use Google Workspace. The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and bypass multi-factor authentication (MFA). The low-volume Gmail AiTM phishing campaign also includes the use of compromised emails from chief executives to conduct additional social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take victims to the final landing page. Attack chains involve sending password expiry emails to potential targets that contain an embedded malicious link claiming to extend access. The link takes the recipient to Google Ads and Snapchat redirect pages that load the phishing page URL. Aside from open redirect abuse, a second variant of the attacks uses infected sites to host a Base64-encoded version of the next-stage redirector in the URL. This intermediate redirector is a piece of JavaScript code that directs users to a Gmail phishing page. The redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was updated to take the user to a Gmail AiTM phishing page, connecting the two campaigns to the same threat actor, according to Zscaler. This article continues to discuss the AiTM phishing campaign targeting Google Workspace users.
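A defender-side triage of the two link patterns described above (a redirect page carrying the destination URL, and a Base64-encoded next stage embedded in the link), as an added example that is not code from Zscaler or the article. The function names, the `dest` parameter and all `example.*` hosts are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SEPARATORS = re.compile(r"[/?&#=]")
B64_BODY = re.compile(r"[A-Za-z0-9+/_-]{16,}")
NEXT_STAGE = re.compile(r"https?://|<script|location\s*[.=]", re.I)


def _decode_b64(piece):
    """Decode standard or URL-safe Base64 text; return None if it is not Base64."""
    body = piece.rstrip("=")
    if not B64_BODY.fullmatch(body):
        return None
    body = body.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_url(url):
    """Return (finding, detail) tuples for one link extracted from an email."""
    findings = []
    parts = urlsplit(url)
    outer_host = (parts.hostname or "").lower()
    # Pattern 1: a query value that is an absolute URL on a different host,
    # i.e. the link bounces through a redirect endpoint. Exact-host comparison
    # is a simplification; production code would compare registrable domains.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        inner = urlsplit(unquote(value))
        inner_host = (inner.hostname or "").lower()
        if inner.scheme in ("http", "https") and inner_host not in ("", outer_host):
            findings.append(("redirect_param", f"{name} -> {inner_host}"))
    # Pattern 2: a path, query or fragment piece that Base64-decodes to a URL
    # or script, i.e. the next stage is carried inside the link itself.
    for piece in SEPARATORS.split(url):
        text = _decode_b64(unquote(piece))
        if text and NEXT_STAGE.search(text):
            findings.append(("base64_next_stage", text[:60]))
    return findings


# Constructed sample links (example.* hosts only), not indicators from the campaign.
SAMPLE_REDIRECT = "https://ads.example.com/click?id=123&dest=https%3A%2F%2Flogin.example.net%2Fmail"
SAMPLE_B64 = "https://blog.example.com/wp/#" + base64.urlsafe_b64encode(
    b"https://mail.example.org/landing").decode()
SAMPLE_BENIGN = "https://www.example.com/docs/setup?page=2"
```

A finding here is a reason to hold the message for review, not a verdict: legitimate links also pass through redirect endpoints, so the output is best combined with sender and lure signals such as the password-expiry theme.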

THN reports "Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users"

Submitted by Anonymous on