The open source AiTM phishing kit developed by DEV-1101 has become increasingly popular among cybercriminals due to its ability to launch large-scale attacks and circumvent multi-factor authentication. Microsoft Threat Intelligence is closely monitoring the activities of the threat actor behind the kit and has linked them to several phishing campaigns that have targeted millions of users.
One of the most prominent patrons of DEV-1101’s kit is a group known as DEV-0928, which has been linked to a phishing campaign comprising over one million emails since September 2022. The attack begins with document-themed emails that contain a link to a PDF document. When clicked, the recipient is directed to a fake login page that mimics Microsoft’s sign-in portal. The victim is then prompted to complete a CAPTCHA step before entering their login credentials.
According to Microsoft, the inclusion of CAPTCHA in the phishing sequence is intended to make it more difficult for automated systems to reach the final phishing page. A human target, however, simply solves the CAPTCHA and proceeds to the next page. The AiTM phishing kit also includes features that allow cybercriminals to set up landing pages that mimic Microsoft Office and Outlook, manage campaigns from mobile devices, and evade detection with CAPTCHA checks.
The emergence of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier to entry for cybercrime. The service-based economy that fuels such offerings can also result in double theft, wherein the stolen credentials are sent both to the phishing-as-a-service provider and to its customers.
To protect against such attacks, it is crucial that organizations adopt phishing-resistant authentication methods, such as FIDO2 security keys, and block suspicious login attempts. Additionally, organizations should provide regular security awareness training to employees to ensure they can identify and report suspicious activity.
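As an added illustration of why the FIDO2 recommendation above holds against an AiTM proxy (example code written for this page, not from Microsoft or the kit's authors; the relying party login.example.com, the look-alike domain and the challenge bytes are constructed placeholders, and the cryptographic signature check is omitted), this Python sketch performs the relying-party checks on the origin and RP ID that the browser binds into a WebAuthn assertion:

```python
import base64
import hashlib
import json

# Constructed relying-party values for this example (not from the page).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(origin: str, challenge: bytes) -> dict:
    """Simulate what the browser hands back from navigator.credentials.get().
    The browser, not the page, writes the true origin into clientDataJSON and
    hashes the RP ID it actually used into authenticatorData; a proxy serving
    the page from another domain cannot make the browser claim the real one."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    rp_id = origin.split("://", 1)[1]
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(auth_data)}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn spec that defeat an AiTM relay.
    The signature over authenticatorData || SHA-256(clientDataJSON) is not
    verified here; in a real deployment it is what makes these fields trustworthy."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or stale)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    challenge = b"constructed-challenge-bytes"
    print(verify_assertion(make_assertion(EXPECTED_ORIGIN, challenge), challenge))
    # The same user signing in through a proxied look-alike domain (constructed name):
    print(verify_assertion(make_assertion("https://login.example-com.net", challenge), challenge))
```

The second call fails on the origin check before any password or one-time code is even involved, which is the property a relayed password plus OTP does not have.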