Adversary-in-the-Middle: The Rise of AiTM Phishing Kits and the Threat Posed by DEV-1101

Tags: DEV-1101, Phishing, AiTM
AiTM phishing kits, such as those developed by DEV-1101, are increasingly replacing less advanced forms of phishing. These kits can bypass MFA using reverse-proxy functionality and are available for purchase by cybercriminals, lowering the barrier of entry for cybercrime. DEV-1101 offers an open-source kit that automates phishing activity and provides support services to attackers. Since its release in May 2022, the kit has been continually enhanced with features such as managing campaigns from mobile devices and CAPTCHA evasion, making it attractive to actors with varying motivations and targets in any industry or sector.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations
As MFA enablement and adoption grow, AiTM phishing is expected to grow with it in the coming years, since attackers are turning to techniques that sidestep MFA. Protecting against AiTM phishing is therefore important.

Protection is possible through several configurations:

  • Enable conditional access policies: Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant-device or trusted-IP-address requirements.
  • Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that automatically identify and block malicious websites, including those used in this phishing campaign.
  • Continuously monitor for suspicious or anomalous activities:
      • Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, use of anonymizer services).
      • Hunt for unusual mailbox activities, such as the creation of Inbox rules with suspicious purposes or unusual volumes of mail item access events from untrusted IP addresses or devices.
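The three hunting bullets above describe what to look for but not how the logic fits together. The following is an added example, not code from the original page or from any vendor product, showing one way to express those hunts over sign-in and mailbox-audit events. All events, user names, IP addresses, ASNs, the anonymizer ASN list, the trusted-IP list and the field names are constructed for illustration; real telemetry schemas will differ. The session check goes slightly beyond the text: it looks for a single session that is reused from a different network and browser shortly after the original authentication, which is how a replayed AiTM session cookie typically presents in sign-in logs.

```python
"""Hunting heuristics for AiTM follow-on activity (added example, constructed data)."""
from collections import Counter, defaultdict

# Constructed sign-in events. With AiTM, the victim authenticates once through the
# proxy and the stolen session cookie is then replayed from attacker infrastructure,
# so one session id appears with a second IP/ASN/user agent shortly afterwards.
SIGNINS = [
    {"user": "alice@example.com", "session": "s-1", "ip": "203.0.113.10",
     "asn": "AS64500", "country": "NL", "ua": "Windows Chrome/110", "ts": 100},
    {"user": "alice@example.com", "session": "s-1", "ip": "198.51.100.7",
     "asn": "AS64501", "country": "US", "ua": "Linux Firefox/109", "ts": 160},
    {"user": "bob@example.com", "session": "s-2", "ip": "203.0.113.22",
     "asn": "AS64500", "country": "NL", "ua": "Windows Edge/110", "ts": 120},
    {"user": "bob@example.com", "session": "s-2", "ip": "203.0.113.22",
     "asn": "AS64500", "country": "NL", "ua": "Windows Edge/110", "ts": 900},
    {"user": "carol@example.com", "session": "s-3", "ip": "192.0.2.77",
     "asn": "AS64502", "country": "DE", "ua": "macOS Safari/16", "ts": 130},
]

# Constructed: ASNs the organization classifies as anonymizer / hosting infrastructure.
ANONYMIZER_ASNS = {"AS64501", "AS64502"}

# Constructed unified-audit-style mailbox events (inbox rule creation and mail access).
MAILBOX_EVENTS = [
    {"user": "alice@example.com", "op": "New-InboxRule", "ip": "198.51.100.7",
     "rule": {"Name": ".", "SubjectContainsWords": ["invoice", "password"],
              "DeleteMessage": True, "MarkAsRead": True}},
    {"user": "bob@example.com", "op": "New-InboxRule", "ip": "203.0.113.22",
     "rule": {"Name": "Newsletters", "From": ["news@example.com"],
              "MoveToFolder": "Newsletters"}},
] + [{"user": "alice@example.com", "op": "MailItemsAccessed", "ip": "198.51.100.7"}] * 60 \
  + [{"user": "bob@example.com", "op": "MailItemsAccessed", "ip": "203.0.113.22"}] * 5

TRUSTED_IPS = {"203.0.113.10", "203.0.113.22"}   # constructed corporate egress addresses
SUSPICIOUS_WORDS = {"invoice", "password", "mfa", "payment", "verification"}
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Archive", "Conversation History"}


def find_session_replays(signins, window=3600):
    """Flag a session whose later use differs in IP/ASN/country/UA from its first
    sign-in within `window` seconds. A browser rarely changes network and UA at
    once mid-session; a replayed AiTM cookie does exactly that."""
    by_session = defaultdict(list)
    for e in signins:
        by_session[e["session"]].append(e)
    findings = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        first = events[0]
        for later in events[1:]:
            changed = [f for f in ("ip", "asn", "country", "ua") if later[f] != first[f]]
            if changed and later["ts"] - first["ts"] <= window:
                findings.append({"user": first["user"], "session": sid, "changed": changed,
                                 "from_ip": first["ip"], "to_ip": later["ip"]})
    return findings


def find_anonymizer_signins(signins, anonymizer_asns=ANONYMIZER_ASNS):
    """Sign-ins originating from ASNs on the anonymizer/hosting list (hunting leads)."""
    return [e for e in signins if e["asn"] in anonymizer_asns]


def rule_is_suspicious(rule):
    """Inbox rules that hide mail (delete, mark read, move to an obscure folder) and
    either key on finance/credential words or carry a cryptic name."""
    hides = (rule.get("DeleteMessage") or rule.get("MarkAsRead")
             or rule.get("MoveToFolder") in HIDING_FOLDERS)
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    cryptic_name = len(rule.get("Name", "")) <= 2
    return bool(hides and (words & SUSPICIOUS_WORDS or cryptic_name))


def find_suspicious_inbox_rules(events):
    return [e for e in events if e["op"] == "New-InboxRule" and rule_is_suspicious(e["rule"])]


def find_mail_access_bursts(events, trusted_ips=TRUSTED_IPS, threshold=50):
    """Users whose mail items were accessed `threshold` or more times from one untrusted IP."""
    counts = Counter((e["user"], e["ip"]) for e in events
                     if e["op"] == "MailItemsAccessed" and e["ip"] not in trusted_ips)
    return [{"user": u, "ip": ip, "count": n} for (u, ip), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for name, hits in (("session replays", find_session_replays(SIGNINS)),
                       ("anonymizer sign-ins", find_anonymizer_signins(SIGNINS)),
                       ("suspicious inbox rules", find_suspicious_inbox_rules(MAILBOX_EVENTS)),
                       ("mail access bursts", find_mail_access_bursts(MAILBOX_EVENTS))):
        print(f"{name}: {len(hits)}")
        for h in hits:
            print("  ", h)
```

On the constructed data the session check surfaces only alice's session (IP, ASN, country and user agent all change within a minute of the first sign-in), the anonymizer check returns two leads that still need analyst review, one inbox rule is flagged for deleting and hiding messages about invoices and passwords under a one-character name, and alice's mailbox shows a burst of access from the same untrusted address. The thresholds and word lists are starting points to tune against an organization's own baseline.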

Reports & References (1)

Observed Countries (250)

AD (130)
AE (545)
AF (8)
AG (407)
AI (637)
AL (887)
AM (799)
AO (111)
AQ (160)
AR (167)
AS (307)
AT (852)
AU (729)
AW (394)
AX (265)
AZ (415)
BA (209)
BB (432)
BD (721)
BE (859)
BF (91)
BG (820)
BH (828)
BI (599)
BJ (206)
BL (384)
BM (416)
BN (557)
BO (948)
BQ (469)
BR (278)
BS (357)
BT (344)
BV (253)
BW (386)
BY (148)
BZ (855)
CA (33)
CC (55)
CD (929)
CF (352)
CG (761)
CH (70)
CI (449)
CK (312)
CL (857)
CM (446)
CN (516)
CO (190)
CR (848)
CU (913)
CV (611)
CW (246)
CX (825)
CY (974)
CZ (920)
DE (950)
DJ (932)
DK (888)
DM (681)
DO (941)
DZ (941)
EC (253)
EE (292)
EG (463)
EH (823)
ER (750)
ES (859)
ET (178)
FI (130)
FJ (405)
FK (801)
FM (274)
FO (826)
FR (395)
GA (123)
GB (54)
GD (607)
GE (452)
GF (207)
GG (48)
GH (394)
GI (115)
GL (957)
GM (531)
GN (327)
GP (987)
GQ (287)
GR (552)
GS (837)
GT (669)
GU (200)
GW (658)
GY (836)
HK (65)
HM (798)
HN (229)
HR (637)
HT (688)
HU (25)
ID (360)
IE (597)
IL (847)
IM (90)
IN (944)
IO (244)
IQ (512)
IR (27)
IS (32)
IT (159)
JE (979)
JM (67)
JO (489)
JP (874)
KE (979)
KG (703)
KH (707)
KI (940)
KM (348)
KN (206)
KP (931)
KR (561)
KW (540)
KY (581)
KZ (298)
LA (790)
LB (687)
LC (869)
LI (345)
LK (124)
LR (881)
LS (415)
LT (147)
LU (662)
LV (729)
LY (715)
MA (593)
MC (46)
MD (366)
ME (232)
MF (527)
MG (483)
MH (476)
MK (391)
ML (539)
MM (543)
MN (356)
MO (743)
MP (153)
MQ (386)
MR (647)
MS (165)
MT (635)
MU (135)
MV (609)
MW (566)
MX (46)
MY (611)
MZ (749)
NA (242)
NC (508)
NE (964)
NF (798)
NG (641)
NI (130)
NL (998)
NO (299)
NP (456)
NR (84)
NU (673)
NZ (725)
OM (318)
PA (613)
PE (462)
PF (302)
PG (314)
PH (162)
PK (304)
PL (95)
PM (993)
PN (687)
PR (856)
PS (208)
PT (542)
PW (227)
PY (464)
QA (29)
RE (114)
RO (49)
RS (596)
RU (44)
RW (412)
SA (800)
SB (292)
SC (341)
SD (864)
SE (843)
SG (60)
SH (836)
SI (343)
SJ (810)
SK (708)
SL (139)
SM (778)
SN (136)
SO (18)
SR (561)
SS (620)
ST (748)
SV (383)
SX (699)
SY (560)
SZ (30)
TC (386)
TD (282)
TF (966)
TG (200)
TH (904)
TJ (778)
TK (757)
TL (710)
TM (45)
TN (490)
TO (772)
TR (403)
TT (572)
TV (714)
TW (42)
TZ (685)
UA (36)
UG (952)
UM (291)
US (86)
UY (642)
UZ (474)
VA (286)
VC (723)
VE (164)
VG (327)
VI (24)
VN (330)
VU (508)
WF (285)
WS (423)
XK (467)
YE (64)
YT (91)
ZA (755)
ZM (217)
ZW (717)