
Ongoing AiTM Phishing Campaign Targeting European Companies: A Threat Report by NTT Security


SamurAI Security Analysts are closely monitoring an active “Adversary-in-the-Middle” (AiTM) phishing campaign targeting businesses in Germany, Switzerland, Italy, and Norway. Our analysts first detected and escalated this activity in a customer environment in mid-February 2025. So far we have observed attacks against victims in the mining, manufacturing and research sectors.

Campaign Overview:

The attack chain follows these steps:

  1. A phishing email contains a link to a survey on customervoice[.]microsoft[.]com.
  2. The survey directs users to an “external document” hosted on the attacker’s infrastructure.
  3. The user encounters a fake Cloudflare captcha, which they attempt to verify.
  4. This triggers the AiTM login page, which captures the user’s credentials and session tokens.

Key Targets:

Global NTT telemetry indicates that Norway, Germany and Switzerland are being targeted, with victims operating in the following industries:

  • Mining
  • Research
  • Transport
  • Manufacturing

Switzerland saw a noticeable spike in victims during February 2025.

Defending Against AiTM Attacks

To defend against AiTM phishing, we recommend a two-pronged approach:

  1. Generic detection: Monitor for anomalous logins and for behaviour that indicates interaction with a phishing page. The Sigma rule “Phishing Proxy” is one example of a generic approach that detects multiple AiTM frameworks. Custom detection rules, such as our Tycoon 2FA Microsoft Phishing-as-a-Service rule, complement it.
  2. Advanced fingerprinting: Use a service that automatically fingerprints and tracks malicious IOCs. Our Samurai MDR service natively correlates the latest research by our experts, together with IOCs gathered automatically by our collection framework, against our clients’ telemetry to detect threats.

Sigma rule on our GitHub: https://github.com/SamuraiMDR/sigma-rules/blob/main/rules/proxy/microsoft_phish_tycoon_2fa.yml
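The two prongs above, run over a handful of constructed web-proxy log lines, as an added example: this is illustrative code written for this page, not the Samurai MDR service’s code or the linked Sigma rule. The JSON log format and its field names, the captcha and login path markers used as heuristics, the host docs-review.example and the 198.51.100.x / 203.0.113.x addresses are all assumptions; the IOC domains and IPs are the ones listed in the IOC section of this report. The generic prong follows the chain described in the Campaign Overview per user: a visit to customervoice.microsoft.com, then a captcha-style page on a non-Microsoft host, then a credential POST to that same host.

```python
"""AiTM phishing detection over web-proxy logs (added example, not NTT's code)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Iterable
from urllib.parse import urlparse

# Indicators taken from the IOC section of this report.
IOC_DOMAINS = {"documentinvoice-viewer.top", "mydocinvoice-viewer.top"}
IOC_IPS = {"154.216.16.201", "89.117.1.17"}

# The lure host named in the attack chain, and suffixes of legitimate Microsoft
# hosts: a credential POST to any host outside these is the generic AiTM signal.
LURE_HOST = "customervoice.microsoft.com"
MS_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".live.com")

# Assumed heuristics (not from the report): path fragments typical of a captcha
# gate and of a credential submission on the proxied login page.
CAPTCHA_MARKERS = ("captcha", "challenge", "verify", "turnstile")
LOGIN_MARKERS = ("login", "oauth2", "signin", "auth", "password")


@dataclass
class Alert:
    user: str
    host: str
    reason: str  # "ioc_match" (fingerprinting prong) or "aitm_chain" (generic prong)


@dataclass
class _UserState:
    saw_lure: bool = False
    captcha_hosts: set[str] = field(default_factory=set)


def is_microsoft_host(host: str) -> bool:
    return host.endswith(MS_SUFFIXES)


def matches_ioc(host: str, dst_ip: str) -> bool:
    """Prong 2: exact match against the report's domain and IP indicators."""
    return host in IOC_DOMAINS or dst_ip in IOC_IPS


def detect(lines: Iterable[str]) -> list[Alert]:
    """Run both prongs over proxy log lines (one JSON object per line, in time order)."""
    alerts: list[Alert] = []
    seen: set[tuple[str, str, str]] = set()
    states: dict[str, _UserState] = {}

    def emit(user: str, host: str, reason: str) -> None:
        key = (user, host, reason)
        if key not in seen:  # one alert per user/host/reason
            seen.add(key)
            alerts.append(Alert(user, host, reason))

    for raw in lines:
        rec = json.loads(raw)
        user, method = rec["user"], rec["method"].upper()
        url = urlparse(rec["url"])
        host = (url.hostname or "").lower()
        path = (url.path + "?" + url.query).lower()
        st = states.setdefault(user, _UserState())

        if matches_ioc(host, rec.get("dst_ip", "")):
            emit(user, host, "ioc_match")

        # Prong 1: track the described chain per user.
        if host == LURE_HOST:
            st.saw_lure = True
        elif is_microsoft_host(host):
            continue  # real Microsoft endpoints never count as the proxy host
        elif st.saw_lure and method == "GET" and any(m in path for m in CAPTCHA_MARKERS):
            st.captcha_hosts.add(host)  # step 3: fake captcha on attacker host
        elif method == "POST" and host in st.captcha_hosts and any(m in path for m in LOGIN_MARKERS):
            emit(user, host, "aitm_chain")  # step 4: credentials posted to that host
    return alerts


# Constructed sample log (assumed schema): alice hits the report's infrastructure,
# bob signs in normally, carol hits unlisted infrastructure following the same chain.
SAMPLE_LOG = [
    '{"ts":"2025-02-17T09:01:02Z","user":"alice","method":"GET","url":"https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=abc","dst_ip":"198.51.100.1"}',
    '{"ts":"2025-02-17T09:01:40Z","user":"alice","method":"GET","url":"https://documentinvoice-viewer.top/document/","dst_ip":"154.216.16.201"}',
    '{"ts":"2025-02-17T09:01:45Z","user":"alice","method":"GET","url":"https://documentinvoice-viewer.top/cdn-cgi/challenge-platform/h/b","dst_ip":"154.216.16.201"}',
    '{"ts":"2025-02-17T09:02:10Z","user":"alice","method":"POST","url":"https://documentinvoice-viewer.top/common/oauth2/authorize","dst_ip":"154.216.16.201"}',
    '{"ts":"2025-02-17T09:03:00Z","user":"bob","method":"GET","url":"https://login.microsoftonline.com/common/oauth2/authorize?client_id=x","dst_ip":"198.51.100.2"}',
    '{"ts":"2025-02-17T09:03:05Z","user":"bob","method":"POST","url":"https://login.microsoftonline.com/common/login","dst_ip":"198.51.100.2"}',
    '{"ts":"2025-02-17T10:15:00Z","user":"carol","method":"GET","url":"https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=def","dst_ip":"198.51.100.1"}',
    '{"ts":"2025-02-17T10:15:30Z","user":"carol","method":"GET","url":"https://docs-review.example/verify/human","dst_ip":"203.0.113.9"}',
    '{"ts":"2025-02-17T10:16:02Z","user":"carol","method":"POST","url":"https://docs-review.example/signin","dst_ip":"203.0.113.9"}',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.reason:10} user={a.user} host={a.host}")
```

Run it directly to print the alerts. The generic prong fires on docs-review.example even though that host appears on no indicator list, which is the point of pairing a behavioural rule with IOC fingerprinting. The markers are deliberately coarse and would need tuning against real traffic, for instance for legitimate Cloudflare challenges on sites that users reach from a Microsoft survey.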

Indicators of Compromise (IOCs):

• documentinvoice-viewer[.]top
• mydocinvoice-viewer[.]top
• 154.216.16[.]201
• 89.117.1[.]17

Stay protected with NTT Security. We have more than 25 years’ experience helping businesses, organizations, and government agencies worldwide protect themselves against sophisticated cyber threats.

References: https://www.joesandbox.com/analysis/1603233/0/html