2025-12-13, Track 3
Phishing-as-a-Service combined with Adversary in the Middle (AiTM) grew by 146% in a year and now drives reported multi-billion losses and tens of thousands of business email compromises. Subscription kits for Microsoft 365 cost as little as £300 a month, allowing adversaries to steal full sessions, not just passwords, and so bypass MFA with ease. This talk shows how the kits work, how fast operators stand them up, and what the infrastructure looks like, including holes that allow early detection. Using two recent case studies, FlowerStorm (Storm-1167) and RaccoonO365, we triangulate leaked artefacts, takedown data, and open infrastructure signals against the current AiTM threat landscape to estimate global impact. Our analysis points to millions of stolen sessions a year, suggesting the impact is far greater than reported. We finish with a clear detection map of the AiTM chain and the telemetry required to analyse and detect at each stage.
Part 1: Introduction
Baseline of Microsoft and FBI IC3 reporting, define AiTM and PhaaS, introduce data sources (leaked kits, takedown artefacts, open infrastructure signals, anonymised telemetry).
Part 2: AiTM Mechanics
Reverse-proxy vs synchronous relay with real infrastructure examples, why each step looks legitimate, side-by-side requests vs page updates.
Part 3: PhaaS Ecosystem
How kits are bought and stood up, screenshots of bots and community pages, buyer-to-portal flow from leaked code, Storm-1167 model.
Part 4: Impact Pathways
What happens after success: business email compromise, financial fraud, lateral movement, dwell time, and quiet data theft signals.
Part 5: Case Studies
FlowerStorm and RaccoonO365, use actor share and observed compromised user counts to infer global volume.
Part 6: Detection Gaps and Strategies
Map the kill chain from resource development to initial sign-in, detail detections and gaps with licence and effort expectations, note how PhaaS is evolving.
Attendees will leave with
A clearer understanding of AiTM and PhaaS, a simple method to estimate global impact from leaks and takedowns, a telemetry-to-sign-in detection map with concrete log points, redacted artefacts they can recognise, and case-study insights to compare against their own tenant.
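The abstract's central point is that an AiTM kit steals the whole session, so the stolen token is later used from infrastructure other than the one that obtained it. The following is an added illustration, not material from the talk or from Sophos, of the kind of "concrete log point" check the detection map refers to: it walks a constructed set of sign-in and audit events (the field names, users, IPs and ASN labels are all invented) and flags any session whose token is used from a second network shortly after it was issued.

```python
"""Flag sessions used from more than one network shortly after issue.

Added illustration: the telemetry below is constructed and the field names
(user, session, ip, asn, event) are an assumed minimal schema, not a real
Microsoft 365 log format. The check assumes the earliest event seen for a
session id is the sign-in that issued that session.
"""
from datetime import datetime, timedelta

# Constructed sample events: alice's session S1 is issued from the corporate
# network and then reused from a hosting ASN within minutes (the AiTM pattern);
# bob's session S2 is only ever used from one network.
EVENTS = [
    {"ts": "2025-12-13T09:00:00", "user": "alice@example.test", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS-CORP", "event": "signin"},
    {"ts": "2025-12-13T09:00:30", "user": "alice@example.test", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS-CORP", "event": "mail.read"},
    {"ts": "2025-12-13T09:04:00", "user": "alice@example.test", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS-HOSTING", "event": "mail.read"},
    {"ts": "2025-12-13T09:05:00", "user": "alice@example.test", "session": "S1",
     "ip": "198.51.100.7", "asn": "AS-HOSTING", "event": "inboxrule.create"},
    {"ts": "2025-12-13T10:00:00", "user": "bob@example.test", "session": "S2",
     "ip": "203.0.113.11", "asn": "AS-CORP", "event": "signin"},
    {"ts": "2025-12-13T10:10:00", "user": "bob@example.test", "session": "S2",
     "ip": "203.0.113.11", "asn": "AS-CORP", "event": "mail.read"},
]


def _ts(ev):
    """Parse the ISO-8601 timestamp of one event."""
    return datetime.fromisoformat(ev["ts"])


def find_multi_network_sessions(events, window=timedelta(hours=1)):
    """Return one finding per session whose token is used from a different ASN
    than the one it was issued to, within `window` of the issuing sign-in."""
    by_session = {}
    for ev in sorted(events, key=_ts):
        by_session.setdefault(ev["session"], []).append(ev)

    findings = []
    for session, evs in by_session.items():
        issued = evs[0]  # assumption: first event for the id is the sign-in
        foreign = [
            e for e in evs[1:]
            if e["asn"] != issued["asn"] and _ts(e) - _ts(issued) <= window
        ]
        if foreign:
            findings.append({
                "user": issued["user"],
                "session": session,
                "issued_from": (issued["ip"], issued["asn"]),
                "also_used_from": sorted({(e["ip"], e["asn"]) for e in foreign}),
                "actions": [e["event"] for e in foreign],
            })
    return findings


if __name__ == "__main__":
    for finding in find_multi_network_sessions(EVENTS):
        print(finding)
```

The check deliberately compares ASN rather than raw IP so that ordinary address churn inside one provider does not fire; the post-compromise action list (here an inbox-rule creation) is what turns a network anomaly into something an analyst will prioritise.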
Joshua Rawles is a Senior Threat Analyst at Sophos MDR focused on Microsoft 365 and cloud threats. He combines DFIR expertise with attacker-infrastructure tracking to hunt adversaries and understand how they operate. His current focus is on SaaS, investigating how attackers abuse identities and cloud services and using that insight to strengthen defenses. Previously, Joshua worked in incident response with the Royal Australian Navy. Outside work he boulders, writes heavy metal, and gets out into nature.
