jeffreyappel.nl
139.162.239.114
Public Scan
URL: https://jeffreyappel.nl/protect-against-aitm-mfa-phishing-attacks-using-microsoft-technology/
Submission: On May 22 via manual from CH — Scanned from NL
Text Content

BLOG POST

PROTECT AGAINST AITM/ MFA PHISHING ATTACKS USING MICROSOFT TECHNOLOGY
Jeffrey, August 8, 2022, 9 min read

In the last couple of weeks, many researchers have warned of a new large-scale phishing campaign that uses adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication. According to Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu, the campaign is designed to reach end users in enterprises, focusing on Microsoft services. Last month the Microsoft Threat Intelligence Center (MSTIC) shared more information about this new and upcoming phishing method.

Recommended read:
* Microsoft: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
* Zscaler Research: Large-Scale AiTM Attack targeting enterprise users of Microsoft email services

Blog information: Blog is written based on my own opinion.
Blog published: August 8, 2022
Blog latest updated: February 4, 2023

WHAT IS AITM PHISHING?

Adversary-in-the-middle (AiTM) phishing is not new; it has been available for some years. Phishing is still the most common type of attack. MFA provides an added security layer against credential theft. Unfortunately, attackers are also finding new ways to bypass that additional security layer (MFA, 2FA).

> Based on our threat data, the AiTM phishing campaign attempted to target more
> than 10,000 organizations since September 2021.
>
> @Microsoft MSTIC

Traditional credential phishing sites collect the user's credentials and never complete the authentication process. When MFA is enabled for the user, it prevents the attacker from logging into the account with the stolen credentials. Adversary-in-the-middle (AiTM) phishing attacks are used for bypassing multi-factor authentication: AiTM attacks complete the authentication process and capture the resulting token. Currently, there are three main open-source AiTM phishing kits that are widely known:

* Evilginx2
* Muraena
* Modlishka

AiTM works as a proxy between the victim and the target site. Every modern web service establishes a session with the user after successful authentication so that re-authentication is not needed for every new page. The session is carried by the session cookie issued by the authentication service. The web server running the AiTM phishing kit proxies the HTTP traffic, so the phishing website is identical to the original website. The URL is the only visible difference between the phishing site and the actual Microsoft sign-in site.

The below image explains the AiTM phishing process (credits: Microsoft)

--------------------------------------------------------------------------------

EVILGINX2

NOTE: Configuration of Evilginx2 is not part of this blog post. Multiple online resources describe the installation/ configuration of Evilginx2. The official project site gives more information and details.

Evilginx2 is one of the most popular AiTM phishing kits. Evilginx2 does not serve its own HTML look-alike pages like in traditional phishing attacks. Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials and session cookies. Part of Evilginx2 is a pre-created HTTP and DNS server, which makes it extremely easy to configure – the SSL certificate comes from Let's Encrypt and is generated automatically.

DEMO CONFIGURATION

For the Evilginx2 demo, the environment is configured based on the following information:

* IP: 20.25.240.232
* Domain: logincyberdemo.com
* Server location: North Central US
* Server OS: Linux Debian 11

Evilginx2 is configured with a blacklist to avoid automatic crawling and blocking. The Office 365 phishlet redirects to the official portal.office.com URL. To avoid being blacklisted, the phishing site can only be visited using the authentication key. The command lures get-url <id> can be used to view the complete URL path; the command lures shows all enabled phishlets and their IDs. After configuration the phishlet is active on the domain + path: https://login.logincyberdemo.com/acBAlkzp

Sign-in page

The sign-in page captures the default login.microsoftonline.com styling. When signing in with customer credentials the customer tenant branding is applied – which makes awareness training around custom branding useless.

Default Microsoft:
Tenant branded sign-in:

CAPTURE SESSION TOKENS

Capturing MFA-protected sessions is quite easy. After entering the phishing URL, the user is presented with the Office 365 sign-in screen. When the username is entered, the company branding is collected directly from Azure AD. After the user provides the password and MFA, the session token and credentials are captured. The command sessions <id> shows the additional information and the token.

--------------------------------------------------------------------------------

IMPORT STOLEN TOKEN

Token replay is possible using browsers or applications. For example, the browser plugin Cookie Editor can be used to import the session token.

--------------------------------------------------------------------------------

PROTECT AGAINST AITM PHISHING

With the growing enablement/adoption of MFA it is expected that AiTM phishing will grow in the upcoming years (attackers using new techniques). Protecting against AiTM phishing is important. Protection is possible based on various configurations:

* Phish-resistant MFA solutions (FIDO/ Certificate based authentication)
* Protect against attacks using Conditional Access
* Monitoring/ protecting using Microsoft 365 Defender/ Azure AD Identity Protection
* Built-in alerting rules

Let's start with an overview of phish-resistant solutions, protected 2FA/MFA methods, protection as part of Conditional Access, and Microsoft security products/ features. Which feature/setting protects against AiTM?

PHISH-RESISTANT MFA SOLUTIONS (FIDO/ CERTIFICATE BASED AUTHENTICATION)

Microsoft offers a large set of options for use as a primary authentication method; currently, the following methods are available:

* FIDO2 security keys
* Windows Hello for Business
* Certificate-based authentication
* Passwordless phone sign-in
* Phone number and SMS
* Username and password

Conditional Access can be used to protect the accounts more in-depth. Without additional Conditional Access protection the following methods are protected/ not protected against AiTM:

* FIDO2 security keys – protected against AiTM
* Windows Hello for Business – protected against AiTM
* Certificate-based authentication – protected against AiTM
* Passwordless phone sign-in – not protected against AiTM
* Phone number and SMS – not protected against AiTM
* Username and password – not protected against AiTM

Only FIDO2, Windows Hello for Business, and certificate-based authentication are protected against AiTM phishing. Username and password can be enriched with additional Conditional Access protection.

PROTECTED 2FA/MFA METHODS

When checking the different 2FA/MFA methods on top of the non-passwordless primary methods, none of the following is protected against AiTM attacks:

* SMS – not protected against AiTM
* Phone call – not protected against AiTM
* Microsoft Authenticator app – not protected against AiTM
* Microsoft Authenticator app + number matching – not protected against AiTM
* Microsoft Authenticator app + additional context – not protected against AiTM
* Microsoft Authenticator app + number matching + additional context – not protected against AiTM

PROTECTED CONDITIONAL ACCESS AND ADDITIONAL CONTROLS

The answer is simple: there is no protection with only 2FA or MFA; only when enriched with additional Conditional Access is there protection. The following Conditional Access controls give protection against AiTM:

* Require device to be marked as compliant
* Require device to be marked as Hybrid Azure AD joined device
* Conditional Access Session Controls (limit time window)
* Conditional Access Trusted Locations
* Continuous Access Evaluation (CAE) (only revokes access in real time when changes in user conditions

ADDITIONAL PROTECTION

Azure AD and the additional protecting services that are part of Microsoft Security give no direct protection against AiTM, since Evilginx2 supports custom tenant branding:

* Custom tenant branding – not protected against AiTM
* Azure AD Identity Protection – only alerting
* Microsoft Defender for Endpoint
* Microsoft Defender for Cloud Apps – only alerting
* Microsoft Defender for Office 365 – only removing emails including phishing links

REVOKE SESSION AND MFA REGISTRATION

All active sessions of a user can be revoked via portal.azure.com. When the session is revoked, the attacker can no longer use the already stolen phished cookie. It is always important to check for newly added authentication methods and to change the password directly. Revoking sessions removes the current authentication; it is NOT prevention after an attempt. Always perform more steps during the analysis.

What if the attacker registered other MFA methods? The attacker can easily go to aka.ms/mysecurityinfo and register a FIDO2 security key as a new method. The next time, the attacker can use the FIDO2 security key, which counts as a strong method. Always check whether new authentication factors were registered for the specific user.

--------------------------------------------------------------------------------

PASSWORDLESS PHONE SIGN-IN

Passwordless phone sign-in sounds safe, right? Evilginx2 supports capturing tokens from users configured for passwordless sign-in. Passwordless phone sign-in is not protected against AiTM. Evilginx does not capture the password – the token is captured and can be used easily.

Result in Evilginx: password empty – token visible.

--------------------------------------------------------------------------------

PREVENTION USING CONDITIONAL ACCESS

As already explained above, Conditional Access blocks the AiTM phishing attempt (the plain text password is still captured). The following Conditional Access policies are important and are successful in blocking/ preventing AiTM. These access controls rely on additional telemetry, which is not available during the proxied sign-in.

Access Controls
* Require device to be marked as compliant
* Require device to be marked as Hybrid Azure AD joined device

Condition
* Conditional Access Trusted Locations

Result using Conditional Access – Compliant device or Azure AD joined device

The video shows the behavior when using Conditional Access with compliant device or Azure AD joined. The password is still captured (only no additional session/MFA tokens are captured). Tip: don't limit Conditional Access to specific apps.

Result using Conditional Access – IP location filter

The video shows the behavior when using the Conditional Access IP block: access is blocked except from trusted IP locations. The password is still captured (only no additional session/MFA tokens are captured). Tip: don't limit Conditional Access to specific apps.

--------------------------------------------------------------------------------

PROTECTED USING (PIM) PRIVILEGED IDENTITY MANAGEMENT?

Common question: Privileged Identity Management (PIM) is enabled with additional MFA configured for each admin role; is this behavior protected by MFA? The answer is NO. After using the stolen token the MFA claim is already included, which gives no extra MFA verification for Global Admin roles or other privileged roles. The video below shows the following:

1. Import session cookie using Cookie Editor
2. Sign in using the cookie
3. Activate PIM role (additional MFA required)

--------------------------------------------------------------------------------

MICROSOFT DEFENDER ALERTS AND DETECTION?

Part of Microsoft 365 Defender is additional protection against AiTM phishing. Defender uses cross-signal capabilities for detecting stolen session cookies. The alert with the name "Stolen session cookie was used" is generated in the following situation: a cookie is stolen from the Microsoft Edge browser and the attacker attempts to replay the stolen session cookie to access Exchange Online.

The following alerts are important in detecting AiTM phishing:

* Microsoft 365 Defender
  * Stolen session cookie was used
* Defender for Cloud Apps
  * Suspicious inbox manipulation rule
  * Impossible travel activity
  * Activity from infrequent country
* Azure AD Identity Protection
  * Anomalous Token
  * Unfamiliar sign-in properties
  * Unfamiliar sign-in properties for session cookies
  * Anonymous IP address
* Defender for Office 365
  * Email messages containing malicious file removed after delivery
  * Email messages from a campaign removed after delivery
  * Creation of forwarding/redirect rule
* Defender for Endpoint
  * Potential phishing website

After 4/5 days the domain used for testing is visible in the "Potential phishing website" alert.

--------------------------------------------------------------------------------

Credits to Microsoft; the Advanced Hunting queries below can be used for detecting stolen session cookies. More information can be found here.
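The queries in this section are Microsoft's; as an added example that is not part of the blog, the Python below re-implements their logic over constructed sign-in events so the detection can be exercised offline. The column names and the OfficeHome application id come from the queries; the other application ids, the sample accounts, timestamps and countries are constructed, and the ago(1d)/ago(7d) window is assumed to have been applied already.

```python
"""Re-implementation of the two Advanced Hunting queries on this page (added example,
not code from the blog or from Microsoft): earliest successful interactive OfficeHome
browser sign-in per SessionId, then later browser sign-ins that reuse that SessionId
against another application from a different country."""
from collections import defaultdict
from datetime import datetime

OFFICEHOME_APP_ID = "4765445b-32c6-49b0-83e6-1d93765276ca"  # OfficeHome, from the queries


def _event(ts, app_id, app, account, name, country, session,
           logon="interactiveUser", client="Browser", error=0):
    """One constructed sign-in event using the AADSignInEventsBeta column names."""
    return {"Timestamp": ts, "ErrorCode": error, "ApplicationId": app_id,
            "Application": app, "ClientAppUsed": client, "LogonType": logon,
            "AccountObjectId": account, "AccountDisplayName": name,
            "Country": country, "SessionId": session}


# Constructed sample telemetry (not real data; non-OfficeHome app ids are placeholders).
# Alice signs in to OfficeHome from NL and seven minutes later her SessionId is used
# against Exchange Online from US: the pattern of a replayed session cookie.
# Bob's session stays in NL; his earlier failed sign-in from BE must be ignored.
SAMPLE_EVENTS = [
    _event("2022-08-08T09:00:00", OFFICEHOME_APP_ID, "OfficeHome", "u1", "alice", "NL", "s-111"),
    _event("2022-08-08T09:07:00", "exo-app-id", "Exchange Online", "u1", "alice", "US", "s-111",
           logon="nonInteractiveUser"),
    _event("2022-08-08T09:55:00", OFFICEHOME_APP_ID, "OfficeHome", "u2", "bob", "BE", "s-222",
           error=50126),  # invalid credentials, so ErrorCode != 0
    _event("2022-08-08T10:00:00", OFFICEHOME_APP_ID, "OfficeHome", "u2", "bob", "NL", "s-222"),
    _event("2022-08-08T10:03:00", "spo-app-id", "SharePoint Online", "u2", "bob", "NL", "s-222",
           logon="nonInteractiveUser"),
]


def _ts(event):
    return datetime.fromisoformat(event["Timestamp"])


def officehome_sessions(events):
    """The OfficeHomeSessionIds let-statement: arg_min(Timestamp, Country) by SessionId
    over successful, interactive, browser-based OfficeHome sign-ins."""
    first = {}
    for e in events:
        if e["ErrorCode"] != 0 or e["ApplicationId"] != OFFICEHOME_APP_ID:
            continue
        if e["ClientAppUsed"] != "Browser" or "interactiveUser" not in e["LogonType"]:
            continue
        sid = e["SessionId"]
        if sid not in first or _ts(e) < first[sid][0]:
            first[sid] = (_ts(e), e["Country"])
    return first


def session_reused_from_other_country(events):
    """First query: browser sign-ins to any other application that reuse an OfficeHome
    SessionId later in time and from a different country than the original sign-in."""
    first = officehome_sessions(events)
    hits = []
    for e in events:
        if e["ApplicationId"] == OFFICEHOME_APP_ID or e["ClientAppUsed"] != "Browser":
            continue
        match = first.get(e["SessionId"])
        if match and _ts(e) > match[0] and e["Country"] != match[1]:
            hits.append({"AccountDisplayName": e["AccountDisplayName"],
                         "SessionId": e["SessionId"], "Application": e["Application"],
                         "Country": match[1], "OtherCountry": e["Country"]})
    return hits


def countries_per_account(events):
    """Second query: make_set(Country) per account over interactive browser OfficeHome
    sign-ins (no ErrorCode filter, exactly like the original), for triaging hits."""
    countries = defaultdict(set)
    for e in events:
        if e["ApplicationId"] != OFFICEHOME_APP_ID or e["ClientAppUsed"] != "Browser":
            continue
        if "interactiveUser" not in e["LogonType"]:
            continue
        countries[(e["AccountObjectId"], e["AccountDisplayName"])].add(e["Country"])
    return {key: sorted(value) for key, value in countries.items()}
```

Bob's failed BE sign-in shows why the first query filters on ErrorCode == 0: without it, his NL SharePoint activity would be flagged against a BE "origin" that never authenticated.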
// Query 1: OfficeHome sessions that are later used against another application from a different country
let OfficeHomeSessionIds = AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ErrorCode == 0
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application
| where ClientAppUsed == "Browser"
| where LogonType has "interactiveUser"
| summarize arg_min(Timestamp, Country) by SessionId;
AADSignInEventsBeta
| where Timestamp > ago(1d)
| where ApplicationId != "4765445b-32c6-49b0-83e6-1d93765276ca"
| where ClientAppUsed == "Browser"
| project OtherTimestamp = Timestamp, Application, ApplicationId, AccountObjectId, AccountDisplayName, OtherCountry = Country, SessionId
| join OfficeHomeSessionIds on SessionId
| where OtherTimestamp > Timestamp and OtherCountry != Country

// Query 2: countries from which each account signed in to OfficeHome interactively in the last 7 days
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application
| where ClientAppUsed == "Browser"
| where LogonType has "interactiveUser"
| summarize Countries = make_set(Country) by AccountObjectId, AccountDisplayName

--------------------------------------------------------------------------------

COMMUNITY RESOURCES

Elli Shlomo did some excellent work in explaining the complete Pass the Cookie flow and cookie usage flow.
Pass The Cookie That Crumbles The Cloud (eshlomo.us)

Fabian Bader did some excellent work in explaining multiple methods which can bypass MFA authentication.
Why using a FIDO2 security key is important – Cloudbrothers

Jan Bakker explains the set-up/ configuration of Evilginx.
How to set up Evilginx to phish Office 365 credentials – Janbakker.tech

OTHER RESOURCES

Microsoft: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
Zscaler Research: Large-Scale AiTM Attack targeting enterprise users of Microsoft email services

Tags: #Azure AD Identity Protection