Microsoft shares information on threat actor supporting high-volume AiTM phishing campaigns


Devdiscourse News Desk | California | Updated: 14-03-2023 14:24 IST | Created: 14-03-2023 14:24 IST

The Microsoft Threat Intelligence team has identified a threat actor group responsible for the development, support, and advertising of several AiTM phishing kits.

In a blog post, Microsoft shared information about the threat actor group, the tool they offer, and details on related AiTM phishing campaigns.

According to Microsoft security researchers, DEV-1101 is an actor that offers an open-source kit that automates the setting up and launching of phishing activity and provides support services to attackers. The group began offering their AiTM phishing kit in 2022 through a Telegram channel and an advertisement on exploit[.]in, a popular cybercrime forum, and since then has made several enhancements to their kit.

In June 2022, DEV-1101 announced that the AiTM kit would be open source with a $100 monthly licensing fee, and in September 2022, they added the ability to manage servers running their kit via a Telegram bot rather than requiring the use of cPanel.

Due to the swift expansion of their user base between July and December 2022, the threat actor group was able to raise their prices several times. As of this writing, they offer their tool for $300, with VIP licenses at $1,000.

As observed by Microsoft, millions of phishing emails per day were sent using the tool provided by DEV-1101. DEV-0928, an actor tracked by Microsoft since September 2022, is one of the group's more prominent patrons and was observed launching a phishing campaign involving over one million emails.

"The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime," Microsoft said.

To mitigate AiTM phishing attacks, Microsoft has shared best practices, which include MFA implementation, investment in advanced anti-phishing solutions, and continuous monitoring of suspicious or anomalous activities. More details can be found here.
