
The SonicWall Capture Labs threat research team has identified an active Adversary-in-the-Middle (AiTM) phishing campaign that leverages PDF documents as the initial delivery vector. This is a technique that bypasses multi-factor authentication entirely by stealing authenticated session cookies, not just credentials.
A conventional phishing attack is essentially a deception technique: typically an attacker builds a fake website that looks identical to a legitimate one, then crafts an email designed to create a sense of urgency and sends it to victims while making it appear to come from a trusted source. The victim, believing it is real, clicks the link, lands on the fake page, and enters their credentials there. Those credentials are instantly captured, and the attacker logs in to the real account, where they can steal sensitive data, commit financial fraud, or misuse the account in other ways. However, with the widespread adoption of Multi-Factor Authentication (MFA), obtaining a password alone is often insufficient for attackers to gain unauthorized access.
An Adversary-in-the-Middle (AiTM) attack is an advanced phishing technique that goes beyond stealing passwords: it steals authenticated session cookies, allowing attackers to bypass Multi-Factor Authentication (MFA) entirely. In AiTM, the attacker deploys a proxy server between the victim and the genuine website (in this campaign, the Microsoft login page), allowing the attacker to intercept and steal both the target's password and the session cookie that proves their ongoing, authenticated session with the legitimate website.
Once the session cookie is exfiltrated, it can be loaded into any browser, and the session resumes without requiring any further authentication. Figure 1 below shows the complete infection chain of an Adversary-in-the-Middle attack.

Adversary-in-the-Middle (AiTM) attacks overcome the limitation of conventional phishing techniques by functioning as a real-time transparent proxy between the victim and the legitimate authentication service. Instead of simply collecting credentials, the AiTM server intercepts and relays all communication between the user and the legitimate website during the login session, effectively bypassing MFA.
A PDF document that looks legitimate is delivered to the victim's system via email. To prompt immediate action from the user, the document carries action buttons with text such as "View Legal Documents on amcal multi-housing" or "View Document". Figure 2 shows some of the PDF files used in the ongoing campaign.
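As an added triage example (not code from the SonicWall write-up), the following Python script pulls the link targets out of an uncompressed PDF lure so an analyst can see where a "View Document" button leads without opening the file; the sample PDF and its URL are constructed, and the feature checks in `triage()` are an assumed starting list, not a vendor rule set.

```python
import re

# Constructed sample: a minimal, uncompressed PDF whose "View Document" button is a
# link annotation pointing at a placeholder URL (not an indicator from the campaign).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 140]
   /A << /S /URI /URI (https://docs-review.example.invalid/view/document) >> >> endobj
5 0 obj << /Length 45 >> stream
BT /F1 18 Tf 110 110 Td (View Document) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The /URI key followed by a literal string: (...) with \( \) \\ escapes allowed inside.
URI_STRING = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_link_targets(pdf_bytes: bytes) -> list[str]:
    """Return every URI found in literal-string /URI actions, in document order."""
    targets = []
    for raw in URI_STRING.findall(pdf_bytes):
        text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        targets.append(text.decode("latin-1"))
    return targets

def defang(url: str) -> str:
    """Render a URL safe to paste into a report: http -> hxxp, dots in the host bracketed."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path

def triage(pdf_bytes: bytes) -> dict:
    """Summarise features worth a second look in a PDF lure (assumed checks, not a vendor rule set)."""
    return {
        "links": [defang(u) for u in extract_link_targets(pdf_bytes)],
        "has_open_action": b"/OpenAction" in pdf_bytes,
        "has_javascript": re.search(rb"/JavaScript\b|/JS\b", pdf_bytes) is not None,
        # Link annotations inside compressed object streams are invisible to this scan;
        # flag them so the analyst decompresses first (e.g. qpdf --qdf) before trusting "no links".
        "has_object_streams": b"/ObjStm" in pdf_bytes,
    }
```

Run `triage(open("lure.pdf", "rb").read())` on a sample; a non-empty `links` list plus `has_object_streams` set to True means the visible links are only part of the picture.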

Once the user clicks the button, expecting to see the document, a malicious URL opens. Before any content is rendered, the victim encounters a CAPTCHA challenge, either a slider or a checkbox variant. This serves a dual purpose: it appears legitimate, and it prevents automated analysis tools from reaching the phishing payload. Figure 3 below shows the CAPTCHA validation page using a slider:

In another scenario, the human check is done via a checkbox, as shown in the figure below:

Below is the network capture showing the redirection to the malicious page:

The rendered webpage employs anti-analysis techniques, including debugger traps that halt execution upon inspection, preventing visibility into the page's underlying behavior.

The malicious page presents the victim with a randomly generated code alongside a "Copy Code" button, mimicking a legitimate verification flow, which is similar to what users encounter in real authentication portals. The victim is prompted to copy the code under the pretence that it is required to access or verify the document. This single interaction of copying the code is sufficient to trigger the automatic redirect to the genuine Microsoft login page, meaning the attack progresses with minimal user friction. The code itself serves no functional verification purpose; it is purely a social engineering mechanism designed to make the redirect feel like a natural next step rather than a suspicious event.
In the first scenario, the page poses as a "Review Document" request sent by Docusign, as shown below:

In the second scenario, a Non-Disclosure Agreement is presented with a 3-step completion process, one step of which is the random code verification, as shown in the image below:
In yet another scenario, a blurred check document is shown in the background; to view the check, the victim needs to complete the verification, as shown in the figure below:

The page makes a cross-origin request to ipinfo.io via a Cloudflare-hosted intermediary. Since ipinfo[.]io permits browser-based access, the CORS policy is satisfied, and the request succeeds. This mechanism simultaneously performs geolocation, traffic filtering, and legitimacy scoring to evade sandboxed analysis environments.

The attacker operates a reverse proxy that transparently forwards all victim traffic to the real Microsoft endpoint. The victim authenticates normally by submitting credentials, receiving the MFA challenge, and approving the push or entering the OTP, while every packet traverses the attacker's infrastructure.
Although this phase of the attack exhibited multiple characteristics associated with device code phishing, only the AiTM component of the attack chain could be conclusively verified. The real site then issues an authenticated session cookie, and the proxy intercepts it. The attacker loads that cookie into their own browser. From the server's perspective, the session is valid, MFA-verified, and active; no credentials or additional factors are required.
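As an added detection-side example (not from the SonicWall write-up), the following Python check runs over constructed identity-provider sign-in events and flags a session identifier that is presented from a different ASN and browser than the one it was issued to shortly after the MFA-verified login; the events, session id and ASN values are made up, and ASN enrichment of the client IP is assumed to happen upstream.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "issued" when the IdP sets the session cookie, "request" when it is presented
    session: str   # opaque session identifier from the IdP log, never the cookie value itself
    user: str
    ip: str
    asn: str       # ASN of the client IP; assumed to be enriched before events reach this check
    ua: str        # User-Agent string as seen by the IdP

# Constructed sample. At issuance the IdP sees the proxy's address and the relayed browser
# string, since every packet traverses the attacker's infrastructure; minutes later the same
# cookie is presented from another network and a different browser.
EVENTS = [
    Event(datetime(2025, 5, 6, 9, 0, 0), "issued", "sess-7f3a", "alice@example.invalid",
          "203.0.113.10", "AS64500", "Chrome/124 Windows"),
    Event(datetime(2025, 5, 6, 9, 0, 30), "request", "sess-7f3a", "alice@example.invalid",
          "203.0.113.10", "AS64500", "Chrome/124 Windows"),
    Event(datetime(2025, 5, 6, 9, 4, 12), "request", "sess-7f3a", "alice@example.invalid",
          "198.51.100.77", "AS64501", "Firefox/125 Linux"),
]

def find_session_replay(events, window_minutes=60):
    """Alert when a session cookie is presented from a different ASN or browser than the one it
    was issued to, within window_minutes of issuance. Early on, the legitimate user is still on
    the device that completed MFA, so the window keeps the rule from firing on later travel."""
    issued = {}  # session id -> issuing event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "issued":
            issued[ev.session] = ev
            continue
        origin = issued.get(ev.session)
        if origin is None or ev.ts - origin.ts > timedelta(minutes=window_minutes):
            continue
        reasons = []
        if ev.asn != origin.asn:
            reasons.append(f"asn changed {origin.asn} -> {ev.asn}")
        if ev.ua != origin.ua:
            reasons.append("user-agent changed")
        if reasons:
            alerts.append({"user": ev.user, "session": ev.session, "ip": ev.ip,
                           "ts": ev.ts.isoformat(), "reasons": reasons})
    return alerts
```

An alert from this rule is a prompt to revoke the session and re-challenge the user, which is the response that actually invalidates a replayed cookie.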
SonicWall customers are protected against this threat.

An Article By
Bindiya Panwar
Threat Researcher