AitM Phishing Attacks Target US Organizations with Conduct Reports
- [01] Immediate impact: US organizations face high risk of session hijacking via sophisticated phishing emails disguised as internal conduct reports.
- [02] Affected systems: Microsoft 365 environments and users relying on traditional multi-factor authentication are the primary targets of this AitM campaign.
- [03] Remediation: Organizations should implement phishing-resistant MFA such as FIDO2 security keys or certificate-based authentication to block AitM proxying.
Microsoft has issued a warning regarding a sophisticated phishing campaign that leverages Adversary-in-the-Middle (AitM) techniques to target organizations across the United States. According to SecurityWeek, the attackers use deceptive emails claiming to contain an employee conduct report to lure victims into interacting with malicious infrastructure. This adversary-in-the-middle phishing campaign targeting US businesses is specifically designed to circumvent multi-factor authentication (MFA) by proxying the authentication process in real time, so the second factor is completed against the genuine service while the attacker sits in the middle.
Analysis of the AitM Attack Chain
The campaign begins with a highly targeted email that utilizes social engineering to create a sense of urgency or professional necessity. By referencing a “conduct report,” the attackers increase the likelihood that a recipient will click the embedded link to investigate the alleged document. This initial TTP is standard, yet effective, as it exploits corporate compliance workflows.
Once a user clicks the link, they are directed to a phishing site that acts as a transparent reverse proxy between the victim and the legitimate Microsoft 365 login page. Unlike traditional phishing, which merely steals credentials, AitM attacks let the threat actor intercept the entire authentication flow: the proxy relays every request and response, so the victim sees the genuine login experience while the attacker sees everything that passes through it. When the user enters their credentials and completes the MFA challenge, whether via SMS, voice, an authenticator code, or a push notification, the legitimate service issues a session cookie, and the attacker's proxy keeps a copy of it.
That cookie is then replayed from the attacker's own infrastructure to gain unauthorized access to the account. Because the session is already authenticated, subsequent requests require neither the original password nor the MFA device. An established session is also a strong foothold for lateral movement within the compromised environment: it can often be used to reach sensitive internal resources and to send further phishing from the compromised mailbox, which is how these campaigns spread inside an organization.
How to Detect AitM Phishing Attacks and Prevent Session Theft
Detecting AitM activity requires a focus on session-level anomalies rather than on whether the credentials and MFA were valid, because in an AitM attack they were. A SOC should prioritize identifying mismatches between the IP address and client of the interactive sign-in and those of later activity in the same session. Because the attacker proxies the connection, the sign-in itself is recorded from the attacker's infrastructure (frequently a VPS or a hijacked legitimate site) rather than from the user's known location or device, and the stolen cookie is often replayed from yet another address.
Security teams should also configure their SIEM to alert on unusual User-Agent strings and impossible-travel signatures within already-authenticated sessions, not only at sign-in. Mapping the chain to the MITRE ATT&CK framework helps expose telemetry gaps: the lure is Spearphishing Link (T1566.002), the proxy is Adversary-in-the-Middle (T1557), the cookie capture is Steal Web Session Cookie (T1539), and the replay is Use Alternate Authentication Material: Web Session Cookie (T1550.004). Each step should have at least one log source that can evidence it.
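The three session-level checks above as working code, added here as an illustration rather than taken from Microsoft's warning or the SecurityWeek report. It runs over a handful of constructed sign-in and activity records (the IPs come from documentation ranges; the users, timestamps and locations are invented). Field names loosely follow Entra ID sign-in log properties (ipAddress, userAgent, location, sessionId); the 900 km/h speed ceiling is an assumed threshold, and a session_id that links the interactive sign-in to later use of its cookie is assumed to be present in the telemetry.

```python
"""Session-level AitM detection over constructed Microsoft 365 sign-in/activity records.

Added example with constructed data, not real tenant logs.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: movement faster than a commercial flight between two consecutive
# events in one session is treated as impossible travel. Tune per environment.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Event:
    user: str
    session_id: str   # ties the interactive sign-in to later use of its cookie/token
    kind: str         # "signin" (interactive, MFA completed) or "activity" (token use)
    timestamp: str    # ISO-8601 in UTC
    ip: str
    user_agent: str
    lat: float        # geolocation the log attached to the source IP
    lon: float

    @property
    def when(self) -> datetime:
        return datetime.fromisoformat(self.timestamp.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    session_id: str
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS-84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def analyze(events: list[Event]) -> list[Alert]:
    """Flag sessions whose later activity does not match the sign-in that created them.

    The first event seen for a session_id is the baseline (the interactive sign-in,
    which in an AitM attack is recorded from the proxy's IP). Every later event in
    the same session is compared against that baseline and the previous event.
    """
    alerts: list[Alert] = []
    sessions: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.when):
        state = sessions.get(ev.session_id)
        if state is None:
            sessions[ev.session_id] = {"anchor": ev, "ips": {ev.ip},
                                       "agents": {ev.user_agent}, "last": ev}
            continue
        anchor, last = state["anchor"], state["last"]

        # 1. Cookie replayed from an address other than the one that authenticated.
        if ev.ip not in state["ips"]:
            state["ips"].add(ev.ip)
            alerts.append(Alert("session_ip_mismatch", ev.user, ev.session_id,
                                f"signed in from {anchor.ip}, token used from {ev.ip}"))

        # 2. Client presenting the cookie is not the browser that completed MFA.
        if ev.user_agent not in state["agents"]:
            state["agents"].add(ev.user_agent)
            alerts.append(Alert("user_agent_change", ev.user, ev.session_id,
                                f"{anchor.user_agent!r} -> {ev.user_agent!r}"))

        # 3. Consecutive events from places no one could travel between in the time elapsed.
        hours = (ev.when - last.when).total_seconds() / 3600.0
        distance = haversine_km(last.lat, last.lon, ev.lat, ev.lon)
        if distance > 0 and (hours == 0 or distance / hours > MAX_PLAUSIBLE_SPEED_KMH):
            alerts.append(Alert("impossible_travel", ev.user, ev.session_id,
                                f"{distance:.0f} km in {hours * 60:.0f} min"))
        state["last"] = ev
    return alerts


# Constructed sample: alice's MFA sign-in is recorded from a proxy VPS geolocated to
# New York (203.0.113.10, TEST-NET-3); minutes later her cookie is replayed from another
# address geolocated to Amsterdam, then by a scripted client. bob is a clean baseline.
SAMPLE_EVENTS = [
    Event("alice@example.com", "S1", "signin",   "2024-05-01T09:00:00Z", "203.0.113.10",
          "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", 40.71, -74.01),
    Event("alice@example.com", "S1", "activity", "2024-05-01T09:05:00Z", "198.51.100.7",
          "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", 52.37, 4.90),
    Event("alice@example.com", "S1", "activity", "2024-05-01T09:10:00Z", "198.51.100.7",
          "python-requests/2.31.0", 52.37, 4.90),
    Event("bob@example.com",   "S2", "signin",   "2024-05-01T09:00:00Z", "192.0.2.5",
          "Mozilla/5.0 (Macintosh) Safari/605.1", 41.88, -87.63),
    Event("bob@example.com",   "S2", "activity", "2024-05-01T09:30:00Z", "192.0.2.5",
          "Mozilla/5.0 (Macintosh) Safari/605.1", 41.88, -87.63),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert.kind}] {alert.user} session={alert.session_id}: {alert.detail}")
```

On the sample data this raises three alerts, all for alice's session S1: the IP mismatch and the impossible travel fire on the first replay from the second address, and the User-Agent change fires when a scripted client starts using the same cookie. The baseline is the first record per session, which in an AitM attack is the proxy's own sign-in, so a sign-in from a VPS is not itself flagged here; pairing this with an IP-reputation or hosting-ASN lookup on the sign-in record covers that half. In a tenant the same logic would normally be a KQL query over the sign-in and unified audit logs rather than a Python script.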
Microsoft 365 Session Hijacking Mitigation Strategies
Standard MFA (SMS, voice, push, or one-time codes) does not stop AitM proxying, because the second factor is genuinely completed against the real service; it is simply completed through the attacker. To build resilience, organizations should move toward a Zero Trust architecture and adopt phishing-resistant authentication methods.
- Phishing-Resistant MFA: FIDO2 security keys, Windows Hello for Business and certificate-based authentication bind the authentication to the origin the browser is actually talking to. A WebAuthn assertion produced for the phishing domain is not valid for the legitimate Microsoft domain, so the proxy has nothing usable to relay.
- Conditional Access Policies: Require a compliant, managed device for access to sensitive applications. Device compliance is proven during sign-in with a device identity the proxy cannot forward, so the authentication fails at the attacker's proxy instead of succeeding and issuing a cookie. Where available, Conditional Access token protection binds the issued session to the device that signed in, so a copied token is rejected from anywhere else.
- Session Lifetime Management: Shorten the sign-in frequency, disable persistent browser sessions, and require re-authentication for high-risk actions to limit how long a stolen cookie stays useful. When token theft is suspected, revoke the user's sessions and refresh tokens so the captured cookie stops working immediately.
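An example Conditional Access policy that combines the three controls above, added here as an illustration and not something the article or Microsoft's warning publishes. The body follows the shape of the Microsoft Graph conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies). The excluded group ID is a placeholder for an emergency-access (break-glass) group, the authentication strength ID is Microsoft's built-in Phishing-resistant MFA strength and should be confirmed against the tenant's own authentication strength policies before use, and the policy is deliberately created in report-only mode so its effect on real sign-ins can be reviewed before enforcement.

```json
{
  "displayName": "AitM hardening: phishing-resistant MFA + compliant device + short sessions",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["00000000-0000-0000-0000-000000000000"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["compliantDevice"],
    "authenticationStrength": {
      "id": "00000000-0000-0000-0000-000000000004"
    }
  },
  "sessionControls": {
    "signInFrequency": {
      "isEnabled": true,
      "type": "hours",
      "value": 1,
      "frequencyInterval": "timeBased",
      "authenticationType": "primaryAndSecondaryAuthentication"
    },
    "persistentBrowser": {
      "isEnabled": true,
      "mode": "never"
    }
  }
}
```

The AND operator is what makes the grant controls additive: a sign-in must both come from a compliant device and satisfy the phishing-resistant authentication strength, so a proxied session that could somehow clear one check still fails the other. Switch "state" to "enabled" only after the report-only sign-in logs show that the break-glass group is excluded and that legitimate users are not locked out.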
By focusing on these technical controls, organizations can significantly reduce the risk posed by this sophisticated campaign and ensure that compromised credentials do not lead to full-scale account takeovers.