Zscaler Researchers Warn of AITM Attack on Google G-suite Users

An adversary-in-the-middle (AiTM) attack occurs when an adversary inserts itself into the communication between two components (typically a client and a server) in order to alter or obtain the data exchanged in those transactions.

According to Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu, whose findings were published in a report this month, “This campaign specifically targeted chief executives and other senior members of various organizations that use Google Workspace.”

The low-volume Gmail phishing campaign also involves social engineering using CEOs’ compromised emails. Additionally, the attacks make use of a number of compromised domains as intermediate URL redirectors to direct victims to the final landing page.

According to the report, the AiTM phishing attacks started in mid-July 2022 and used a strategy similar to that of an earlier social engineering campaign that stole users’ Microsoft login credentials and even bypassed multi-factor authentication.


Attack chains begin with password-expiry emails sent to potential targets, carrying embedded malicious links that purport to “extend your access.” Clicking these links sends the recipient through Google Ads and Snapchat redirect pages, which in turn load the URL of the phishing page.

A second variation of the attacks, in addition to abusing open redirects, makes use of compromised websites that host a Base64-encoded version of the next-stage redirector, with the victim’s email address carried in the URL. JavaScript code on this intermediate redirector sends users on to a Gmail phishing page.
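As an added defensive illustration (not code from Zscaler’s report), the following Python triages proxy-log URLs for the redirect-chain features described above: a full URL nested in a query parameter (an open-redirect hop), a Base64-encoded next-stage URL, and a victim email address carried in the link. All hosts, log lines and the encoded stage are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"https?://", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")

# Constructed sample data: hypothetical hosts and log lines, not the campaign's real indicators.
NEXT_STAGE = "https://login.example.test/?email=ceo@example.test"
B64_STAGE = base64.urlsafe_b64encode(NEXT_STAGE.encode()).decode()
SAMPLE_LOGS = [
    "2022-07-20T10:01:02Z u1 GET https://ads.example.test/aclk?sa=L&adurl=https%3A%2F%2Fredir.example.test%2Fnext",
    f"2022-07-20T10:01:03Z u1 GET https://redir.example.test/r/{B64_STAGE}",
    "2022-07-20T10:05:00Z u2 GET https://docs.example.test/help?id=42",
]

def try_b64(token):
    # Decode as urlsafe or standard Base64, tolerating stripped padding; None if not UTF-8 text.
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None

def triage(url):
    # Sorted list of redirect-chain indicators found in one URL.
    findings = set()
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]
    if any(URL_RE.match(v) for v in values):
        findings.add("nested_url_in_query")   # open-redirect style hop
    if EMAIL_RE.search(unquote(url)):
        findings.add("email_in_url")          # victim address carried in the link
    for tok in parsed.path.split("/") + list(params) + values:
        if len(tok) >= 16 and B64_RE.fullmatch(tok):
            decoded = try_b64(tok)
            if decoded and URL_RE.search(decoded):
                findings.add("b64_encoded_url")   # encoded next-stage redirector
                if EMAIL_RE.search(decoded):
                    findings.add("email_in_url")
    return sorted(findings)

def scan_logs(lines):
    # Flagged URLs (last whitespace-separated field of each log line) mapped to their findings.
    results = ((ln.split()[-1], triage(ln.split()[-1])) for ln in lines)
    return {u: f for u, f in results if f}
```

Run it over real proxy or mail-gateway URL logs to surface candidate chains for analyst review; the Base64 and nested-URL checks are heuristics and will need tuning against legitimate tracking links.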

In one instance that Zscaler highlighted, the redirector page used in a Microsoft AiTM phishing attack on July 11, 2022 was later updated to send users to a Gmail AiTM phishing page, linking the two campaigns to the same threat actor.

The researchers discovered instances in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure, an overlap that ties the two campaigns together.

The findings show that multi-factor authentication on its own is insufficient to defend against sophisticated phishing attacks. Users should therefore carefully review URLs before entering their credentials and refrain from opening attachments or clicking links in emails sent from unreliable or unknown sources.
