Ongoing AiTM Phishing Campaign Targeting European Companies: A Threat Report by NTT Security

  • danielmiddlemass0
  • Jul 15, 2025
  • 2 min read

Updated: Oct 23, 2025

SamurAI SOC analyst

SamurAI Security Analysts are closely monitoring an active “Adversary-in-the-Middle” (AiTM) phishing campaign targeting businesses in Germany, Switzerland, Italy, and Norway. Our experts initially detected and escalated this campaign activity in a customer environment in the middle of February 2025. So far we have observed attacks against victims in the mining, manufacturing and research sectors.


Campaign Overview:

The attack chain follows these steps:


1. A phishing email contains a link to a survey on customervoice[.]microsoft[.]com.

[Screenshot: phishing email referencing a contract signed by MGR Rechtsanwälte, with “ShareFile attachments” and a “VIEW SHARED DOCUMENT” button.]

2. The survey directs users to an “external document” hosted on the attacker’s infrastructure.

[Screenshot: survey page titled “New PDF document received”, addressed to employees and dated Thursday, 5 January 2023, presented as a document risk query survey.]

3. The user encounters a fake Cloudflare captcha, which they attempt to verify.

[Screenshot: fake Cloudflare “Verify you are human” check, with a Cloudflare logo and website security check wording.]

4. This triggers the AiTM login page, which captures the user’s credentials and session tokens.

[Screenshot: spoofed Microsoft sign-in page asking for an email, phone, or Skype name, with a blue Next button.]

Key Targets:

Global NTT telemetry indicates that Norway, Germany and Switzerland are being targeted, with victims operating within the following industries:

  • Mining

  • Research

  • Transport

  • Manufacturing


Switzerland saw a noticeable spike in victims during February 2025.


Defending Against AiTM Attacks


To defend against AiTM phishing, we recommend a two-pronged approach:


Generic Detection: Monitor for anomalous logins and suspicious behavior indicating phishing interactions. The Sigma rule “Phishing Proxy” is one example of a generic approach that detects multiple AiTM frameworks. Additionally, custom detection rules, such as the “Tycoon 2FA Microsoft Phishing-as-a-Service” rule, strengthen defensive coverage.


Advanced Fingerprinting: Use a service that automatically fingerprints and tracks malicious IoCs. Our Samurai MDR service natively correlates the latest research by our experts, together with IoCs automatically collected by our collection framework, against our clients’ telemetry to detect threats.
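The following is an added example, not code from NTT Security or the Samurai MDR service, showing the two prongs above in practice: the report’s own defanged IoCs are refanged and correlated against proxy telemetry, and sign-in events are checked for the token-replay pattern typical of AiTM phishing (a session authenticated from the victim’s address that is then used from a different address shortly afterwards). The log formats, user names and non-IoC addresses are constructed for illustration; the replay heuristic is a generic detection approach and not a rule the report publishes.

```python
"""Added example (not NTT/SamurAI code): IoC correlation plus an AiTM
session-replay heuristic over constructed log lines."""
from datetime import datetime, timedelta

# IoCs exactly as published in the report (defanged with [.]).
RAW_IOCS = [
    "documentinvoice-viewer[.]top",
    "mydocinvoice-viewer[.]top",
    "154.216.16[.]201",
    "89.117.1[.]17",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = {refang(i) for i in RAW_IOCS}

# Constructed proxy log (not real telemetry): timestamp, user, dest host, dest IP.
# The first line is the benign Microsoft survey host from step 1; the hits are
# the attacker-hosted "external document" from step 2.
PROXY_LOG = """\
2025-02-17T09:12:01Z alice customervoice.microsoft.com 13.107.6.171
2025-02-17T09:12:43Z alice documentinvoice-viewer.top 154.216.16.201
2025-02-17T09:13:02Z bob docs.example.com 203.0.113.10
2025-02-17T09:14:10Z carol mydocinvoice-viewer.top 89.117.1.17
"""


def match_iocs(log_text: str) -> list[dict]:
    """Return proxy records whose destination host or IP is a known IoC
    (subdomains of an indicator domain count as well)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the correlation
        ts, user, host, ip = parts
        matched = [x for x in (host, ip) if x in IOCS]
        matched += [d for d in IOCS if host.endswith("." + d) and d not in matched]
        if matched:
            hits.append({"ts": ts, "user": user, "host": host, "ip": ip, "ioc": matched})
    return hits


# Constructed sign-in events: timestamp, user, session id, source IP.
# alice's session reappears from one of the report's IoC addresses within a
# minute of her sign-in; bob's session is reused from the same address.
SIGNIN_LOG = """\
2025-02-17T09:15:30Z alice sess-a1 198.51.100.23
2025-02-17T09:16:05Z alice sess-a1 89.117.1.17
2025-02-17T09:20:00Z bob sess-b7 198.51.100.40
2025-02-17T10:05:00Z bob sess-b7 198.51.100.40
"""


def detect_session_replay(log_text: str, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Flag a session used from a different source IP within `window` of its
    first appearance: credentials and tokens captured by an AiTM proxy show up
    as the victim's session being used from the proxy's address."""
    first_seen: dict[str, tuple[datetime, str]] = {}
    alerts = []
    for line in log_text.splitlines():
        ts_s, user, sess, ip = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        if sess not in first_seen:
            first_seen[sess] = (ts, ip)
            continue
        t0, ip0 = first_seen[sess]
        if ip != ip0 and ts - t0 <= window:
            alerts.append({
                "user": user, "session": sess, "first_ip": ip0, "new_ip": ip,
                "ioc_hit": ip in IOCS, "seconds": (ts - t0).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for hit in match_iocs(PROXY_LOG):
        print("IoC hit:", hit)
    for alert in detect_session_replay(SIGNIN_LOG):
        print("Possible AiTM token replay:", alert)
```

In a production pipeline the IoC set would be refreshed from the collection framework rather than hard-coded, and the replay check would be enriched with ASN or geolocation so that a corporate user roaming between two addresses of the same network does not trip it.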



Indicators of Compromise (IOCs):

  • documentinvoice-viewer[.]top

  • mydocinvoice-viewer[.]top

  • 154.216.16[.]201

  • 89.117.1[.]17


Stay protected with NTT Security. We have more than 25 years’ experience helping businesses, organizations, and government agencies worldwide protect themselves against sophisticated cyber threats.