AiTM phishing attacks now target healthcare cloud platforms, bypassing MFA by intercepting session cookies. Hospital IT teams must adopt phishing-resistant MFA, monitor for anomalous sessions, and secure medical device cloud integrations to prevent HIPAA breaches and operational disruption.
A new adversary-in-the-middle (AiTM) phishing campaign is bypassing multi-factor authentication (MFA) by intercepting session cookies for enterprise cloud services commonly used in healthcare, including SharePoint, HubSpot, and Google Workspace. This is a direct threat to patient data, electronic health records (EHR), and medical device management systems.
How the Attack Works
Attackers deploy AiTM phishing pages that act as a reverse proxy between the target and the legitimate service, so they intercept both the credentials and the resulting session cookie. When a healthcare employee enters their real password and MFA code (a one-time password sent by SMS or generated by an authenticator app) on the lookalike page, the proxy relays them to the real service in real time. The service accepts the login, issues a session cookie, and that cookie passes back through the proxy, where the attacker captures it. Because the cookie is the service's own proof that MFA already succeeded, replaying it from attacker infrastructure grants access to the account without re-authentication until the session expires or is revoked. No specific CVEs are associated with this attack pattern: it abuses the normal authentication flow rather than a software vulnerability. Vulnerabilities in particular MFA implementations are tracked at cve.org, but none is needed here.
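To make the difference between a relayable factor and an origin-bound one concrete, here is an added example (not from the article or from any vendor's code) that models both flows. The OTP path shows the server receiving exactly the code the proxy forwarded, with no way to tell which page collected it. The WebAuthn path models the relying-party checks a FIDO2 login performs: the browser, not the page, writes the page's origin into clientDataJSON and the RP ID hash into authenticatorData, and the RP rejects anything signed for a different origin. The origins, RP IDs and credential key are constructed assumptions, and an HMAC stands in for the authenticator's real ECDSA signature so the block runs offline; the origin and rpIdHash checks are the ones the WebAuthn spec actually requires.

```python
"""Relayed OTP vs. origin-bound WebAuthn assertion through an AiTM proxy.

Added example, not code from the article. Uses an HMAC as a stand-in for the
authenticator's signature so it runs with the standard library only.
"""
import hashlib
import hmac
import json

LEGIT_ORIGIN = "https://login.hospital.example"          # assumed real RP origin
LEGIT_RP_ID = "hospital.example"
PHISH_ORIGIN = "https://login.hospita1-portal.example"   # assumed AiTM lookalike
PHISH_RP_ID = "hospita1-portal.example"


# --- OTP path: the proxy simply forwards what the user typed -----------------
def aitm_relay_otp(typed_code):
    """The proxy logs the code for itself and forwards it unchanged."""
    return typed_code


def otp_login(server_expected_code, received_code):
    """The server only sees a six-digit string; it cannot tell where it was typed."""
    return hmac.compare_digest(server_expected_code, received_code)


# --- WebAuthn path: the browser binds the assertion to the page's origin -----
def browser_sign(credential_key, challenge, page_origin, page_rp_id):
    """Models navigator.credentials.get(): origin and rpIdHash are filled in by
    the browser from the page that called it, not by the page's JavaScript.
    (A real browser would also refuse to use a credential registered to
    hospital.example from a page on hospita1-portal.example at all.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount
    authenticator_data = hashlib.sha256(page_rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": authenticator_data,
        "signature": hmac.new(credential_key, signed, hashlib.sha256).digest(),  # stand-in for ECDSA
    }


def rp_verify(credential_key, expected_challenge, assertion):
    """Relying-party checks in the order the spec lists them; returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Run both flows and report what the legitimate service decides."""
    key = b"constructed-credential-key"          # constructed; a real RP stores a public key
    otp_code = "482913"                           # constructed OTP value
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"          # constructed challenge from the real RP
    results = {}
    # The proxy relays the OTP verbatim and the server accepts it.
    results["otp_via_proxy"] = otp_login(otp_code, aitm_relay_otp(otp_code))
    # Direct login on the real origin: assertion verifies.
    results["webauthn_direct"] = rp_verify(key, challenge, browser_sign(key, challenge, LEGIT_ORIGIN, LEGIT_RP_ID))
    # Same challenge relayed through the lookalike: browser signs for the phishing
    # origin, so the RP rejects it even though the challenge is correct.
    results["webauthn_via_proxy"] = rp_verify(key, challenge, browser_sign(key, challenge, PHISH_ORIGIN, PHISH_RP_ID))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the block is the asymmetry: the OTP server has no signal about where the code was entered, while the WebAuthn relying party is handed the origin by the browser and can refuse it. That is what "phishing-resistant" means in practice, and why a proxy that can relay a password and a one-time code cannot relay a hardware-key login.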
Impact and Scope in Healthcare
This campaign specifically targets cloud platforms used for clinical collaboration, patient scheduling, and data storage. With a valid session cookie, attackers can read patient emails, medical documents, and lab results, and reach third-party vendor portals used for medical device support. For hospitals that depend on these platforms for daily operations, an AiTM compromise can lead to HIPAA violations, ransomware deployment, or disruption of critical care workflows. The risk is higher for healthcare CISOs because many legacy medical devices and EHR systems are tied to these platforms through single sign-on (SSO) or OAuth integrations, so one hijacked session can become a foothold into systems the victim never logged into directly.
Mitigation Recommendations for Healthcare Organizations
Hospital IT teams should enforce phishing-resistant MFA, such as FIDO2/WebAuthn hardware security keys or certificate-based authentication, starting with accounts that can reach protected health information (PHI); these methods bind the login to the legitimate site's origin, so a proxy on a lookalike domain cannot relay them the way it relays a password and a one-time code. Security teams should monitor for sign-ins from unusual locations or new devices, for a session token being used from a different IP address, network or user agent than the one it was issued to, and for sessions that live longer than policy allows. Medical device security teams should ensure that any cloud-hosted management interface (for example, for infusion pumps or imaging systems) sits behind conditional access policies and enforces session timeouts. User awareness training should teach staff to recognise fake login pages, using scenarios built around hospital portals and vendor login pages. Healthcare CISOs should also review third-party access controls, shorten session cookie and token lifetimes for cloud applications, and make sure suspected sessions can be revoked promptly, since a stolen cookie stays valid until it expires or is revoked.
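The session-monitoring recommendation above is easiest to reason about with logs in front of you. The following added example (not from the article, and not any vendor's detection rule) runs two checks over a few constructed sign-in and activity records: a session token that is used from a different IP address, country or user agent than the context it was issued in, and a session that has been alive longer than an assumed maximum age. The JSON field names, the eight-hour limit and the log lines themselves are constructed assumptions; adapt the field mapping to whatever your identity provider or cloud platform actually exports.

```python
"""Flag session cookies used outside the context they were issued in.

Added example, not from the article. Log schema, sample records and the
MAX_SESSION_AGE policy are constructed assumptions.
"""
import json
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)   # assumed policy for cloud app sessions

# Constructed sample log: two users, one of whom has had a cookie replayed.
SAMPLE_LOG = """\
{"ts":"2024-05-06T08:02:11Z","event":"signin","user":"rn.alvarez","session_id":"s-1001","ip":"198.51.100.23","country":"US","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","mfa":"totp"}
{"ts":"2024-05-06T08:05:40Z","event":"activity","user":"rn.alvarez","session_id":"s-1001","ip":"198.51.100.23","country":"US","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124","app":"SharePoint"}
{"ts":"2024-05-06T08:09:02Z","event":"activity","user":"rn.alvarez","session_id":"s-1001","ip":"203.0.113.77","country":"NL","ua":"Mozilla/5.0 (X11; Linux x86_64) Chrome/123","app":"SharePoint"}
{"ts":"2024-05-06T09:15:00Z","event":"signin","user":"dr.okafor","session_id":"s-1002","ip":"198.51.100.41","country":"US","ua":"Mozilla/5.0 (Macintosh) Safari/17","mfa":"fido2"}
{"ts":"2024-05-06T09:40:13Z","event":"activity","user":"dr.okafor","session_id":"s-1002","ip":"198.51.100.41","country":"US","ua":"Mozilla/5.0 (Macintosh) Safari/17","app":"Google Workspace"}
{"ts":"2024-05-06T17:50:13Z","event":"activity","user":"dr.okafor","session_id":"s-1002","ip":"198.51.100.41","country":"US","ua":"Mozilla/5.0 (Macintosh) Safari/17","app":"Google Workspace"}
"""


def parse_log(text):
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(log_text):
    """Return a list of alert dicts, in event order."""
    issued = {}    # session_id -> context captured at the interactive sign-in
    alerts = []
    for ev in sorted(parse_log(log_text), key=lambda e: e["ts"]):
        sid, t = ev["session_id"], _ts(ev["ts"])
        if ev["event"] == "signin":
            issued[sid] = {"ip": ev["ip"], "country": ev["country"], "ua": ev["ua"], "ts": t}
            continue
        ctx = issued.get(sid)
        if ctx is None:
            # Activity on a session we never saw issued: either log gaps or a
            # cookie minted somewhere we do not observe. Worth a look either way.
            alerts.append({"rule": "session_without_signin", "user": ev["user"], "session_id": sid, "ts": ev["ts"]})
            continue
        changed = [f for f in ("ip", "country", "ua") if ev[f] != ctx[f]]
        if changed:
            # An IP change alone is common (mobile networks, VPN egress); the same
            # cookie switching country or browser minutes after sign-in is not.
            severity = "high" if ("country" in changed or "ua" in changed) else "low"
            alerts.append({
                "rule": "session_context_change", "severity": severity, "user": ev["user"],
                "session_id": sid, "ts": ev["ts"], "changed": changed,
                "minutes_since_signin": int((t - ctx["ts"]).total_seconds() // 60),
            })
        if t - ctx["ts"] > MAX_SESSION_AGE:
            # Long-lived cookies widen the window in which a stolen one is useful.
            alerts.append({"rule": "session_exceeds_max_age", "severity": "medium", "user": ev["user"],
                           "session_id": sid, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample data the first session is flagged as high severity because the cookie issued to a Windows browser in the US is used from a Linux browser in the Netherlands six minutes later, which is exactly the footprint of a cookie replayed from attacker infrastructure after an AiTM capture. The second session is flagged only for outliving the assumed eight-hour limit, which is the kind of finding that justifies the "shorten session lifetimes" recommendation rather than an incident on its own.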
Source: Adapted from Cyber Security News