---
title: "Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants | DuoCircle"
description: "email security · Microsoft Discovers Banking Cyberattacks On Financial Giants For obvious reasons."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/data-privacy/microsoft-uncovers-banking-aitm-phishing-and-bec-attacks-targeting-financial-giants/"
---

Quick Answer

Microsoft tracked Storm-1167, an adversary-in-the-middle and BEC campaign that originated from a compromised vendor and spread across multiple banks and financial institutions. The novel pattern: instead of the standard reverse-proxy AitM that exfiltrates credentials and TOTPs in real time, Storm-1167 uses an indirect proxy. Victims hit a cloud-hosted spoofed Microsoft sign-in page that pulls resources from an attacker-controlled server, which then initiates an authentication session against the real provider using the harvested credentials and session cookies. The replay attack adds a new SMS-based 2FA method on the compromised account so attackers retain access without re-prompting the user. Once inside the inbox, the attacker reads sensitive emails, sends BEC payment instructions, and launches a 16,000-message phishing wave to internal and external contacts. Tactics: residential-IP proxying for geo-localization, opening and deleting incoming replies to hide the activity, and chained AitM against the recipients. Defenses: phishing-resistant MFA (FIDO2), Conditional Access enforcing managed devices, alerts on new MFA registration, and review of mailbox forwarding rules.


![AitM Phishing](https://media.mailhop.org/duocircle/images/2023/06/email-smtp-service-7577.jpg) 

_For obvious reasons, banking and financial institutions have always been easy targets for [malicious actors](/data-privacy/malicious-actors-use-azure-serial-console-to-gain-unauthorized-access-to-microsoft-vms/). Microsoft has recently uncovered banking AitM phishing and BEC attacks that expose the underbelly of the cyber threat landscape affecting the **financial industry**._

Threat actors are after money, and where better to get it than from banks and financial institutions? Banks have **always been vulnerable** to [phishing attacks](/content/phishing-prevention/phishing-attacks) and other forms of cyber threats, with the primary objective of the adversaries being to steal critical information and financial assets.

Microsoft recently revealed a [massive cyber threat operation](https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/) involving multi-stage adversary-in-the-middle ([AitM](https://www.hypr.com/security-encyclopedia/adversary-in-the-middle#:~:text=An%20adversary%2Din%2Dthe%2D,going%20to%20or%20through%20the)) phishing and [BEC](https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20%28BEC%29%20is,stealing%20money%20or%20critical%20information.) (business email compromise) attacks.

[![cyber threat](https://media.mailhop.org/duocircle/images/2023/06/email-smtp-service-7578.jpg)](https://media.mailhop.org/duocircle/images/2023/06/email-smtp-service-7578.jpg)

## Discovery of the New AitM Attack

In a recent report, Microsoft revealed that the AitM cyberattack **originated from** a compromised service vendor and ballooned into a series of AitM attacks and subsequent BEC attempts spanning **multiple banks** and financial organizations.

Microsoft has tracked the attack and named it **Storm-1167** while exposing the cyber attacker group’s use of an indirect proxy to launch it successfully and affect banks and [financial institutions](https://www.prnewswire.com/news-releases/financial-institutions-are-suffering-from-increasingly-sophisticated-cyber-attacks-which-require-a-defensive-paradigm-shift-according-to-the-cyber-bank-heists-report-released-by-contrast-security-301739864.html).

The **sophistication** of the AitM attacks is evident from the innovative use of the indirect proxy that enables the malicious actors to maneuver the **phishing pages** to their intended targets and organize session cookie theft.

## Modus Operandi of the AitM Cyberattack

This attack uses a novel modus operandi different from the standard AitM campaigns, where the **decoy pages** act as a reverse proxy to exfiltrate personal credentials and **time-based OTPs** that victims enter to access their accounts.

However, Microsoft observed similarities with regular banking phishing attacks where the victims were presented with website pages mimicking the **login page** of the targeted application hosted on a [cloud service](https://cybernews.com/news/amazon-cloud-services-back-up-after-big-outage-hits-thousands-of-users/).

The purported sign-in page, however, loaded resources from an attacker-controlled server, and that server initiated an **authentication session** with the target application’s authentication provider using the victim’s credentials.

The attack starts with the usual [phishing email](/content/phishing-prevention/phishing-email) containing a **malicious link** that redirects the victim to a spoofed Microsoft sign-in page, which steals the credentials and **TOTPs** that users enter to access their accounts.

It further sets up a replay attack where the stolen credentials and [session cookies](https://securiti.ai/blog/session-cookies/) are used to impersonate the user and infiltrate their email inbox. Subsequently, it abuses access to open sensitive emails and orchestrates BEC attacks. The attack becomes more sophisticated by adding a new **SMS-based 2FA** method to the target account, allowing it to sign in using the stolen credentials without attracting any suspicion.

[![phishing email](https://media.mailhop.org/duocircle/images/2023/06/sendgrid-alternative-7579.jpg)](https://media.mailhop.org/duocircle/images/2023/06/sendgrid-alternative-7579.jpg)

## The Scope of the AitM Attack

Microsoft observed that the malicious actor initiated a mass [spam campaign](https://securityintelligence.com/news/spam-campaigns-using-iqy-files-infect-japanese-users-with-bebloh-and-ursnif-malware/) in this incident to send over 16,000 emails to the compromised target’s contacts within and outside the organization.

The sophisticated attack makes its **intent of financial fraud** clear and shows the complexity of banking AitM phishing attacks and **BEC threats** that can abuse the trusted relationships that vendors, suppliers, and partner organizations share.

## Tactics Employed by the AitM Attack

Microsoft warned a month ago of a surge in BEC attacks. It exposed malicious actors’ evolving tactics, including using platforms like [BulletProftLink](https://bulletproftlink.io/) to create massive nefarious **email campaigns**. 

This attack differed from others because the adversary took care to **minimize detection** and establish persistence by opening and responding to incoming emails and deleting them from the inbox afterward.

Subsequently, a second AitM attack was initiated to target the recipients of the phishing emails to harvest their credentials and launch more [phishing campaigns](https://www.helpnetsecurity.com/2023/06/01/advanced-detection-evasion-techniques/) using the email inbox of one such compromised user account.

_Another unique tactic includes using **residential IP addresses** to make these malicious attacks appear locally generated._
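The post-compromise sequence described in the sections above (a replayed sign-in from an unfamiliar address, a newly added SMS-based 2FA method, the mass mailing, and deleted messages) can be correlated from audit events. The following Python is an added example, not code from Microsoft or DuoCircle; the event schema, field names, thresholds, and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real
# product's log format). Addresses come from documentation ranges.
A, B, C = "alice@bank.example", "bob@bank.example", "carol@bank.example"
EVENTS = [
    {"ts": "2023-06-01T08:00:00", "user": A, "type": "signin", "ip": "198.51.100.10"},
    {"ts": "2023-06-01T09:00:00", "user": A, "type": "signin", "ip": "203.0.113.77"},
    {"ts": "2023-06-01T09:04:00", "user": A, "type": "mfa_method_added",
     "ip": "203.0.113.77", "method": "sms"},
    {"ts": "2023-06-01T09:30:00", "user": A, "type": "mail_deleted", "ip": "203.0.113.77"},
    # Bob registers a FIDO2 key from his usual address: benign.
    {"ts": "2023-06-01T09:00:00", "user": B, "type": "signin", "ip": "198.51.100.20"},
    {"ts": "2023-06-01T09:05:00", "user": B, "type": "mfa_method_added",
     "ip": "198.51.100.20", "method": "fido2"},
    # Carol: unfamiliar address plus SMS registration, no mail activity yet.
    {"ts": "2023-06-01T10:00:00", "user": C, "type": "signin", "ip": "192.0.2.5"},
    {"ts": "2023-06-01T10:10:00", "user": C, "type": "mfa_method_added",
     "ip": "192.0.2.5", "method": "sms"},
] + [  # 120 outbound messages from Alice's mailbox between 09:10 and 09:12
    {"ts": f"2023-06-01T09:{10 + i // 60:02d}:{i % 60:02d}", "user": A,
     "type": "mail_sent", "ip": "203.0.113.77"} for i in range(120)
]
# Addresses each user normally signs in from. A residential proxy can look
# local, so the baseline is per-user addresses rather than country.
BASELINE = {A: {"198.51.100.10"}, B: {"198.51.100.20"}, C: {"198.51.100.30"}}
WINDOW = timedelta(hours=1)  # assumed correlation window
BURST = 50                   # assumed outbound-mail threshold inside the window


def detect(events, baseline_ips, window=WINDOW, burst=BURST):
    """Return {user: [signals]} for accounts that add SMS MFA after a new-IP sign-in."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        known = set(baseline_ips.get(user, ()))
        for signin in evs:
            if signin["type"] != "signin" or signin["ip"] in known:
                continue
            # Everything the unfamiliar address did within the window after sign-in.
            follow = [e for e in evs if e["ip"] == signin["ip"]
                      and timedelta(0) <= e["ts"] - signin["ts"] <= window]
            if not any(e["type"] == "mfa_method_added" and e.get("method") == "sms"
                       for e in follow):
                continue
            signals = ["sms_mfa_added_after_new_ip_signin"]
            if sum(e["type"] == "mail_sent" for e in follow) >= burst:
                signals.append("mail_burst")
            if any(e["type"] == "mail_deleted" for e in follow):
                signals.append("mail_deleted")
            findings[user] = signals
            break
    return findings


if __name__ == "__main__":
    for user, signals in detect(EVENTS, BASELINE).items():
        print(user, signals)
```

The MFA registration is the earliest signal in the chain, so an account is reported on that alone; the mail burst and deletions raise confidence once they appear.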

## Final Words

Due to their **innovative tactics**, the new AitM/BEC attacks are more pernicious than one thinks. The attackers use residential IP addresses so that their malicious activity appears to be locally generated.

Besides compromising usernames and passwords, malicious actors **hide their movements** and circumvent challenging flags and exposed [gateways](/spam-filtering/a-guide-on-email-gateway-what-it-is-and-the-importance-of-a-secure-email-gateway/) to launch more attacks. Hence, financial organizations must be more vigilant in protecting their valuable information assets using the right strategies and [cybersecurity](/) safeguards.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


