Company News
28 Mar, 2022
We have moved!
Redloft Technology are excited to announce that our head office has moved to a new location to support our ever growing highly-skilled team.
Cyber Security - AiTM Phishing and Business Email Compromise
Author
Tim Mansell
My email was compromised and the attackers sent malicious links to all my customer and suppliers - sound familiar? Hopefully not.
Multi-Stage AiTM Phishing & BEC Attacks Targeting Enterprise Email
Source: The Hacker News
TLDR (too long; didn't read): Step 1: You receive an email from a well-known contact, Step 2: the email includes a link to a PDF/Word document, Step 3: the document asks you to authenticate with your company email, Step 4: your credentials are stolen, Step 5: your account is compromised, Step 6: the attacker sends over 3000 emails to all of your contacts, customers, and suppliers with a phishing link. Your company data/network/security is compromised. Go to Step 1.
We’re highlighting the importance of Cyber Security and User Awareness for one of the most (currently) common threats. This is not a new threat, we've seen this setup for a long time, we're raising awareness as the threat campaign is particularly active right now and you, your employees, colleagues, customers and suppliers all need to make an effort to stop and think.
When it comes to IT, running a business requires multiple lines of defense; documented policies and procedures, cloud and device-based security software, and user awareness training, even so the attackers are working full time using advanced techniques and multi-stage campaigns to find a way into your business.
Microsoft has recently raised the alarm on a sophisticated multi-stage phishing campaign leveraging Adversary-in-the-Middle (AiTM) techniques combined with Business Email Compromise (BEC). They mention the Energy Sector being targeted, but at Redloft we see and stop this type of sophisticated attack regularly for customers just like you.
This isn’t your typical phishing scam, it’s a multi-phase, highly stealthy threat that abuses trusted services to evade detection and maintain long-term access.
What is an AiTM attack?
An Adversary-in-the-Middle (AiTM) attack sits directly between a user and a legitimate login flow. Unlike standard phishing which simply tricks a user into entering credentials. AiTM actively captures credentials, multifactor authentication (MFA) responses, and session cookies in real time. These stolen tokens often let the attacker bypass MFA and impersonate the user without ever triggering alerts in traditional systems. (Microsoft)
This type of attack has been escalating in recent years, targeting Microsoft 365, Okta, Google Workspace, and other identity platforms. (The Hacker News)
How do they get in?
1. Initial Compromise via Trusted Sender
Threat actors begin by sending phishing emails from a legitimate but compromised account, often mimicking SharePoint or file-sharing communications. These messages are far more likely to bypass email filters because they originate from trusted infrastructure. (The Hacker News)
2. Phishing Link Hits Fake Login Page
Recipients who click the link are redirected to a convincing credential prompt. Behind the scenes, the AiTM infrastructure captures not just the password, but also MFA tokens and session cookies. (Microsoft)
3. Inbox Rule Creation
Once inside, attackers create malicious inbox rules that delete incoming mail or mark it as read, effectively hiding their activity and disabling notifications that might alert the victim or security teams. (The Hacker News)
4. Mass Strategic BEC
With access locked in, the attackers send a large volume of further phishing emails, often targeting internal contacts and external partners, continuing the cycle of compromise. (Microsoft)
This blend of AiTM and BEC isn’t just sophisticated, it’s remarkably resilient. Simply resetting a password often is not enough because session cookies and MFA manipulations still grant ongoing access. (The Hacker News)
Flow of attack (Courtesy of Microsoft):
Why does this matter to you?
Trying not the mention the most recent high-profile attack on a UK car manufacturer, but this can affect everyone in the supply-chain, employees, employers, customers, suppliers - people lose jobs, their businesses and ultimately it can impact all of us. We are all responsible.
This is a real threat, automated, and weaponising customer trust in major cloud services. Attackers are increasingly depending on living-off-trusted-sites (LOTS) tactics, using legitimate cloud platforms like SharePoint, OneDrive, AWS, and Google Drive to host phishing content that slips past detection filters. (The Hacker News)
Goal of their campaign:
Bypass MFA protections.
Stealthily hijack accounts.
Expand compromise laterally across organisations.
How to defend against these attacks?
To protect your business and its identity infrastructure, consider the following best practices:
Harden Identity Security
Phishing-resistant MFA - Prefer protocols like FIDO2 or certificate-based authentication, compliant and managed devices with Microsoft 365. (Microsoft)
Conditional Access Policies - Enforce access controls based on user risk, location, or device status. (Microsoft)
Monitor Anomalies
Inspect mailbox rules - Alerts for new or suspicious rules can reveal hidden compromise. (Microsoft)
Correlate login behaviours - Watch for impossible travel, unfamiliar IP addresses, and session token reuse.
Leverage Advanced Detection
Platforms like Microsoft Defender XDR can automatically detect and disrupt AiTM attack flows, including disabling compromised accounts and revoking stolen session cookies, actions that go beyond simple password resets. (TECHCOMMUNITY.MICROSOFT.COM)
What should you do next?
Organisations must evolve their defensive strategy beyond classic email filtering and password policies. With threat actors increasingly blurring the line between legitimate services and malicious intent, protecting identities and access pathways has become the front line of cybersecurity.
At Redloft Technology, we help businesses assess identity risk, implement strong MFA and conditional access controls, and align security operations to detect and respond to advanced threats like AiTM phishing and BEC.
Contact us today to discuss Managed IT plans, Cyber Essentials, Penetration Testing or to simply ask for advice.
Tags
Related Posts
All posts
Business and Industry
15 Mar, 2023
What does the Spring Budget 2023 mean for UK business
Businesses can benefit from grants to purchase new IT equipment, as well as tax credits for research and development.
Software
23 Mar, 2023
Microsoft Office 2013 End of Support
Support for Microsoft Office 2013 will cease on 11th April 2023.
Software
8 Mar, 2024
3CX have launched V20
Two years in the making, 3CX Version 20 Final is heralded as the future of business telephony.
Security
30 Mar, 2024
World Backup Day - 31st March
World Backup Day, observed annually on 31st March, serves as a reminder of the critical importance of data backup in our digital age
Business and Industry
25 Oct, 2024
AI in Business: Unleashing the Power of Copilot and ChatGPT
Artificial Intelligence (AI) has become a transformative force in the business world, offering tools that enhance efficiency, decision-making, and productivity. Among the growing suite of AI-driven technologies, Copilot and ChatGPT stand out as game-changers. These tools, designed to streamline workflows and augment human capabilities, have sparked both excitement and debate. Here’s a balanced look at the potential of these AI tools, the data privacy concerns they raise, and the considerations businesses need to keep in mind.
Business and Industry
6 Nov, 2024
Managed IT Support in Coleshill
Empowering Small Businesses with Redloft Technology
Cloud Services
9 Dec, 2024
Understanding Microsoft 365 – Part 4: Microsoft Planner
In our previous posts, we explored Microsoft 365’s cloud storage, Microsoft Teams, and how they streamline collaboration. Now, in Part 4, we’ll dive into Microsoft Planner, a flexible and easy-to-use project management tool that integrates directly with Microsoft 365. Planner is ideal for tracking tasks, managing projects, and keeping teams aligned, making it a valuable addition to any modern workplace.
Security
5 Aug, 2025
Why Managed IT is essential for your business
The Growing Threat of Cyber Attacks in the UK - Why Managed IT Services are now Essential
Security
30 Sep, 2025
UK’s Cyber Storm: Is Your Business Next?
Why Do Businesses Keep Getting Hacked and Why Managed IT is Essential
Business and Industry
A week ago
Choosing the right Cyber Essentials certification partner
It's us, obviously...
Cloud Services
21 May, 2021
Cloud based telephone systems
Cloud technology impacts us daily, from file storage to streaming box sets. We consume cloud without a second thought. It has transformed business operations in many aspects of business.
Cloud Services
18 Nov, 2024
Understanding Microsoft 365 – Part 1: What is Microsoft 365?
Microsoft 365 is packed with powerful tools for modern businesses, but it’s often underutilized or misunderstood—a challenge we encounter frequently when working with new clients. In this series, we’ll demystify Microsoft 365, clear up misconceptions, and share tips to help you maximise your subscription. Let’s start by exploring what Microsoft 365 is, where it came from, and what it includes today.
Cloud Services
2 Dec, 2024
Understanding Microsoft 365 – Part 3: Microsoft Teams
In Parts 1 and 2 of this series, we covered the origins of Microsoft 365 and explored its cloud storage solutions, OneDrive and SharePoint. In Part 3, we’ll look at Microsoft Teams, the collaboration hub that brings communication, file sharing, and productivity tools together in one place. Since its launch, Teams has transformed how businesses communicate, making it a powerful asset for remote and in-office work alike.
Cloud Services
16 Jul, 2021
Microsoft Windows 365 launched
Microsoft has launched a new cloud service, we look into what this service looks like, what it can do, and why you might use it.
Business and Industry
17 Mar, 2023
Microsoft announce Microsoft 365 Copilot
Microsoft announced it’s next-generation AI tool - Microsoft 365 Copilot.
Cloud Services
25 Nov, 2024
Understanding Microsoft 365 – Part 2: Cloud Storage
In Part 1 of this series, we explored the evolution and scope of Microsoft 365. Today, we’re diving into one of the most crucial components for modern businesses: cloud storage. Microsoft 365 offers two powerful storage solutions—OneDrive and SharePoint—designed to make file storage, sharing, and collaboration seamless. In this post, we’ll cover what each tool offers, their key differences, and practical advice on using them to enhance productivity and data security.
Cloud Services
16 Dec, 2024
Understanding Microsoft 365 – Part 5: Security and Policy
Throughout this series, we’ve explored Microsoft 365’s productivity tools, from cloud storage and collaboration with Teams to task management with Planner. Now, in our final post, we’ll examine the robust security and device management tools in Microsoft 365. In a world where cyber threats are constantly evolving, securing data and managing devices are critical to maintaining a safe, efficient workplace. Microsoft 365 provides a range of security and device management solutions designed to protect businesses from data breaches, cyber-attacks, and other security risks.
Security
13 Nov, 2024
Shadow IT: Is Your Data Going Rogue?
With countless apps and tools at our fingertips, it’s easy for data to end up in unexpected places. Shadow IT—unapproved tools and software used by employees—can make it harder than ever to keep track of your business information. So, do you really know where all your data is right now? If you’re not sure, it might be time to shine a light on Shadow IT.
Security
9 Sep, 2021
Are passwords still secure?
With multi factor authentication upping the anti of application security, in isolation passwords are now seen as a somewhat basic security feature. However they are still an important aspect of your data protection. After all, what’s the benefit of two-factor authentication if one level is overly simple to override.
Cloud Services
28 Feb, 2023
Understanding the benefits of private cloud
We discuss the trend of moving to and the benefits of private cloud.