Don’t bite: How to avoid new phishing techniques 

James Zhou
| 4/11/2023

Understanding new phishing techniques can help organizations stay one step ahead of threat actors.  

One of the most common ways threat actors attack is by phishing. Phishing is a social engineering technique that uses email, phone calls, text messages, or social media posts to trick people into giving away or allowing access to their sensitive information. Countermeasures and user awareness training have become more prevalent, but prevention is never 100% effective. Moreover, the number of phishing attacks has increased greatly in recent years. Phishing attack techniques are also constantly improving, and the usual countermeasures such as checking URLs or implementing multifactor authentication (MFA) are no longer as effective, and in some cases the check itself is turned against the user's trust. Understanding these new types of phishing attacks is critical to preventing their success.


BitB phishing technique 

A browser-in-the-browser (BitB) attack is a phishing technique that generates a fake pop-up browser window within a user's browser to spoof a legitimate domain. This attack takes advantage of the single sign-on (SSO) authentication model, which is a common authentication method that lets users log into different websites without additional accounts and passwords. The principle of SSO is simple: A user connects to the service provider's website or application, which in turn opens a pop-up window that requests the user's SSO credentials. The service provider sends a token containing the login information to the identity provider for validation. A BitB attack imitates this pop-up window in order to capture the user's SSO login credentials.

Simply put, a BitB attack is just a webpage rendered in the user’s existing browser window. The HTML <iframe> tag specifies an inline frame, which is used to embed another document within the current HTML document, such as displaying external objects, including other webpages, within a webpage. In the BitB attack, the <iframe> tag is used to point to the fake pop-up window webpage hosted on the malicious server.  

Figure: Example of BitB attack (Source: Crowe screenshot, March 2023)

Since the pop-up window is a custom HTML webpage, it can show any URL using JavaScript, including a legitimate one such as google.com or microsoft.com. Threat actors employ different methods to achieve this goal. For example, this simple HTML for a link shows the correct and genuine URL: <a href="https://accounts.microsoft.com" onclick="return launchWindow();">Microsoft</a>.

The attacker has the onclick handler return false. Because the href attribute is left untouched, the browser still shows the genuine destination when the user hovers over the link, but when the link is clicked the false return value cancels the navigation, and the user is shown the malicious pop-up window instead of the legitimate SSO authentication window. In this case, the habit of validating a website's authenticity by checking its URL actually helps the threat actors gain the user's trust.

Fortunately for the user, it is relatively easy to verify whether the authentication pop-up window is fake by trying to drag the pop-up window outside of the webpage area of the browser. If the pop-up window is fake, the pop-up window will stop at the edge since it is not a genuine separate window.  
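The two indicators described above can be turned into something an analyst can run over captured phishing-page HTML. The following Node.js scan is an added example (not code from the article or from any BitB kit): it flags links whose href points at a genuine identity-provider host but which also carry an onclick handler, and iframes loaded from an origin other than the page's own. The identity-provider host list and the sample HTML are constructed for the example.

```javascript
// Added example: static triage scan for the BitB indicators discussed in the article.
// Regexes are deliberately simple and only cover the patterns described; a production
// scanner would parse the DOM instead of matching tags with regular expressions.

// Identity-provider hosts whose login URL a BitB page is likely to imitate (assumption: tune per environment).
const IDP_HOSTS = new Set([
  'accounts.microsoft.com',
  'login.microsoftonline.com',
  'accounts.google.com',
]);

// Hostname of a URL, or null if the string is not an absolute URL.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Scan one HTML document that was served from `pageOrigin`; returns a list of findings.
function scanForBitB(html, pageOrigin) {
  const findings = [];
  const pageHost = hostOf(pageOrigin);

  // Indicator 1: a link whose href points at a real IdP (so hovering shows the genuine URL)
  // but which also carries an onclick handler that can cancel navigation and open a fake window.
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = m[1];
    const href = /\bhref\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const onclick = /\bonclick\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (href && onclick && IDP_HOSTS.has(hostOf(href[1]))) {
      findings.push({ kind: 'spoofed-link', href: href[1], onclick: onclick[1] });
    }
  }

  // Indicator 2: an iframe whose source lives on a different origin than the embedding page;
  // this is how the fake pop-up page is pulled in from the attacker's server.
  for (const m of html.matchAll(/<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const srcHost = hostOf(m[1]);
    if (srcHost && srcHost !== pageHost) {
      findings.push({ kind: 'cross-origin-iframe', src: m[1] });
    }
  }
  return findings;
}

// Constructed sample: a page that imitates an SSO login and uses both tricks.
const SAMPLE_HTML = `
<html><body>
<a href="https://accounts.microsoft.com" onclick="return launchWindow();">Microsoft</a>
<div id="popup" style="display:none">
  <iframe src="https://login-cdn.example.net/fake-login.html"></iframe>
</div>
<a href="https://example.com/help">Help</a>
</body></html>`;

console.log(scanForBitB(SAMPLE_HTML, 'https://example.com'));
```

Run with `node scan.js`; the sample yields one spoofed-link finding and one cross-origin-iframe finding, while a plain link to the identity provider without an onclick handler produces nothing.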

Evilginx phishing technique 

The Evilginx phishing technique relies on the concept of reverse proxying in a man-in-the-middle (MitM) attack framework to relay traffic back and forth between phished users and the genuine website. The current version of Evilginx is a stand-alone application that implements its own HTTP and DNS servers. Evilginx uses multiple phishlet templates, which mimic familiar sites such as Amazon, LinkedIn, Microsoft 365™, Facebook, Twitter, and others. Phishlets are the configuration files that proxy a legitimate website into a phishing website. Once the chosen phishlet is enabled, it will automatically request a free secure sockets layer (SSL) certificate for the new domain and wait for the victim to click on the phishing link.

MFA is a security measure that protects users from phishing because threat actors cannot retrieve the additional factor from the users. However, MFA only makes it harder for threat actors to gain access via phishing; it cannot prevent that access outright. Because Evilginx works as a web reverse proxy server, it can intercept and analyze the network traffic between the user and the real web server and capture session cookies to bypass MFA protection.

When a user logs into a web resource, the web browser stores session cookies or tokens. The server uses these cookies or tokens to validate the user's identity on requests made after login, but they do not contain any login credentials. Since unique session cookies or tokens are also generated when using MFA, malicious attackers can capture and inject them into new web sessions, tricking the server into believing the attacker is the authenticated user without the need for authentication. Additionally, many legitimate web-based applications have long-lived or never-expiring cookies or tokens (unless the user logs out of the account), so threat actors face no time limit on using them for lateral movement.

The good news is that while phishing techniques have become more sophisticated, authentication models and standards have also improved over time. WebAuthn is a modern authentication standard that helps mitigate MitM attacks. It uses hardware-backed public key authentication: the authenticator generates a unique key pair for each relying party, bound to that party's domain name. If a user is tricked into visiting a phishing website, the authentication request arrives through the fake website, whose domain name does not match the one the key pair is bound to, so the authenticator device will not authenticate. Additionally, Microsoft 365 customers with a sufficient license level can use Microsoft Azure™ Conditional Access to protect against these types of MitM attacks. Since the Evilginx server needs to terminate the SSL session with the user and initiate a new SSL session against the authentication server to avoid SSL errors, the SSL handshake that the authentication server sees originates from the attacker's machine rather than from the user's. Azure Conditional Access can perform additional checks on the user's IP address, domain join membership, or certificate (via a cloud access security broker) to block Evilginx attacks.

Application consent phishing technique 

An application consent attack is a phishing technique that focuses on obtaining authorization rather than authentication from the user. Application consent is the process by which users grant an application authorization to access protected resources on their behalf via the OAuth open-standard authorization protocol, which provides secure access delegation so that users can grant websites and applications access to their information on other websites and applications without giving out any credentials. Users might believe this function is safe and let down their guard when they are not asked for credentials. However, authorization is just as important as authentication.

In an attack against Microsoft 365-hosted data, threat actors will first create an Azure-registered application that looks like a legitimate application from a trustworthy publisher. Then they will send an email to trick the end user into granting consent to the malicious application. Once the user grants the access by clicking the "accept" button, the attackers' application will receive an access token from Azure Active Directory™. The attackers can then use the token to perform a series of actions on behalf of the victim, such as reading files, sending mail, or even writing to files, depending on the access granted.

The most effective way to protect against an application consent attack is to disable the ability for users to grant rights to a third-party application. If users must have the ability to grant rights to third-party applications, a Microsoft PowerShell™ script can be implemented to search the audit logs for "Consent to application" events. Microsoft offers the Search-UnifiedAuditLog cmdlet to help perform this operation. Additionally, using Get-AzureADPSPermissions.ps1 to look for any suspicious changes in permissions can help establish a regular inventory of applications and related permissions in the Microsoft 365 environment. Alternatively, if users have a sufficient license level, then relevant OAuth policies can be created using Microsoft Cloud App Security, which will scan for and detect any misleading app name, publisher name, or malicious consent.
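As an added example (not the article's or Microsoft's code), the following Node.js function triages consent events after they have been exported from the audit log, for instance the AuditData JSON returned by Search-UnifiedAuditLog. The record layout, property names, and sample records are modelled on the Azure AD audit schema but are assumptions here; the high-risk scope list is a starting point to tune to policy.

```javascript
// Added example: flag "Consent to application" audit events that delegate high-risk scopes.

// Delegated scopes that warrant review when granted to a third-party app (assumption: tune to policy).
// offline_access is included because it yields a refresh token, i.e. persistent access.
const HIGH_RISK_SCOPES = new Set([
  'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
  'Files.Read.All', 'Files.ReadWrite', 'Files.ReadWrite.All',
  'offline_access',
]);

// Pull the space-separated scope list out of the ConsentAction.Permissions property text,
// which (assumption, modelled on the audit schema) reads like "[] => [[Id: ..., Scope: a b c, ...]]".
function extractScopes(permissionsText) {
  const m = /Scope:\s*([^,\]]+)/.exec(permissionsText || '');
  return m ? m[1].trim().split(/\s+/) : [];
}

// Walk parsed audit records and return one finding per consent that includes a high-risk scope.
function triageConsentEvents(records) {
  const findings = [];
  for (const rec of records) {
    if (rec.Operation !== 'Consent to application.') continue;
    const props = rec.ModifiedProperties || [];
    const byName = (n) => props.find((p) => p.Name === n);
    const scopes = extractScopes((byName('ConsentAction.Permissions') || {}).NewValue);
    const risky = scopes.filter((s) => HIGH_RISK_SCOPES.has(s));
    if (risky.length === 0) continue;
    findings.push({
      time: rec.CreationTime,
      user: rec.UserId,
      app: rec.ObjectId,
      riskyScopes: risky,
      // User consent (not admin consent) to a mail-reading app is the classic consent-phishing shape.
      adminConsent: (byName('ConsentContext.IsAdminConsent') || {}).NewValue === 'True',
    });
  }
  return findings;
}

// Constructed sample records: a benign sign-in app, an unrelated operation, and a suspicious grant.
const SAMPLE_RECORDS = [
  {
    CreationTime: '2023-03-01T09:12:44', Operation: 'Consent to application.',
    UserId: 'alice@corp.example', ObjectId: 'Expense Viewer',
    ModifiedProperties: [
      { Name: 'ConsentContext.IsAdminConsent', NewValue: 'False' },
      { Name: 'ConsentAction.Permissions',
        NewValue: '[] => [[Id: 1, ClientId: app-1, ResourceId: graph, ConsentType: Principal, Scope: openid User.Read, CreatedDateTime: 2023-03-01]]' },
    ],
  },
  { CreationTime: '2023-03-01T10:02:10', Operation: 'Add user.', UserId: 'admin@corp.example', ObjectId: 'bob@corp.example' },
  {
    CreationTime: '2023-03-02T16:40:03', Operation: 'Consent to application.',
    UserId: 'bob@corp.example', ObjectId: 'Mail Backup Helper',
    ModifiedProperties: [
      { Name: 'ConsentContext.IsAdminConsent', NewValue: 'False' },
      { Name: 'ConsentAction.Permissions',
        NewValue: '[] => [[Id: 2, ClientId: app-2, ResourceId: graph, ConsentType: Principal, Scope: Mail.Read Files.ReadWrite offline_access, CreatedDateTime: 2023-03-02]]' },
    ],
  },
];

console.log(JSON.stringify(triageConsentEvents(SAMPLE_RECORDS), null, 2));
```

A finding is not proof of compromise; it is the queue an administrator reviews against the application inventory the article recommends keeping, and revokes where the app or publisher is not recognized.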

Phishing techniques and AI 

As technology evolves, threat actors are also using artificial intelligence (AI) and machine learning techniques to conduct phishing and other cyberattacks. Phishing as a service (PhaaS) and ransomware as a service (RaaS) already exist in the wild, and they provide paid toolsets for threat actors that lower the technical skill requirements to perform malicious activities. The emergence of AI might further eliminate such technical skill requirements and greatly reduce the cost of performing criminal acts.

One fairly new way phishing techniques are leaning into AI is with Chat Generative Pretrained Transformer (ChatGPT), an AI chatbot system that OpenAI released in November 2022 to show and test what a very large, powerful AI system can accomplish. It has since become an increasingly popular topic across all industries. Despite ChatGPT’s limitations, it has demonstrated the potential threat AI could pose. In a sense, ChatGPT is a genie released from a jar, but a double-edged sword depending on who’s using it. 

For example, ChatGPT has the power to generate text in any style and can be used to write emails that are almost indistinguishable from those written by humans. It is constantly learning and evolving, so by correctly feeding in a target set of business emails as training data, attackers can train an AI chatbot to write customized, persuasive emails that easily mimic a talking style and business format. Not only can it generate desired text, but it can also generate malicious code and scripts in any format that can be attached to an email and then compromise the victim’s system or retrieve credentials once downloaded or opened.  

Figure: Example 1 of ChatGPT code-generation ability (Source: Crowe screenshot, March 2023¹)

Figure: Example 2 of ChatGPT code-generation ability (Source: Crowe screenshot, March 2023²)

Staying ahead of threat actors  

Becoming aware of and understanding new phishing techniques such as BitB, Evilginx, application consent, and AI-based attacks – as well as their countermeasures – is crucial for users and organizations to stay ahead of threat actors. By taking proactive steps to build security awareness and improve their cyber resilience, users and organizations can anticipate, mitigate, and withstand the risks that accompany interacting with websites, sending and receiving email, and exploring social media.  


1 The author generated this text in part with GPT-3, OpenAI's large-scale language-generation model. Upon generating draft language, the author reviewed, edited, and revised the language to their own liking and takes ultimate responsibility for the content of this publication.

2 Ibid.

Microsoft, Active Directory, Azure, Microsoft 365, and PowerShell are trademarks of the Microsoft group of companies.