The beginning of January we released a new way to detect AiTM attacks on your Microsoft 365 environment. In just one month, we are protecting over 100 tenants with this new approach.
We were able to protect so many tenants in a short time due to our existing customers of the Attic app. Also, our previous blog resulted in many sign-ups to didsomeoneclone.me. This blog describes the lessons learned until now.
More phishing attempts then expected
Our system detects more AiTM phishing sites then I expected. In one month, we detected 162 phishing attempts on the 100+ tenants. This includes some users testing our system. But most of them are legit (AiTM) phishing attacks. As expected, larger organizations / tenants receive the most detections. Sometimes, this are a few detections a day per tenant.
False positives
We expected a low number of false positives when launching the new technique. Because nobody should include / iframe their Microsoft login page somewhere else. But you never know.
In the month up and running, we detected a total of six false positives. The false positives are other Microsoft domains that loaded our pixel on some way, triggering our system. Luckily, we already implemented a whitelisting feature in our didsomeoneclone.me backend, so excluding the false positives in our system was just a few clicks. This prevents all users from receiving alerts fromt those domains.
Some examples of false positive domains:
- login.microsoft.com
- tasks.office.com
- autologon.microsoftazuread-sso.com
Microsoft Sandboxes
This was an interesting finding: we received a high number of detections that were triggered by IP-addresses that are owned by Microsoft. We spotted a pattern like this:
In other words: the phishing site was visited by a Victim originating from a Microsoft IP-address. Also, this was specific to some tenants. Not all tenants seem to have this issue. What happens here?
After some analyses, we do think that Microsoft Sandboxes are visiting our links, whenever they appear in user mailboxes. The sandboxes, are visiting the phishing website. This triggers our detection: win! Not everyone is receiving those detection, because not all tenants have the functionality due to missing licenses.
We don’t want to send notifications to our customer when Microsoft Sandboxes trigger our detection. Because it’s not a real victim falling into a phishing attack. We added a feature to the didsomeoneclone.me backend, that allows us to exclude those IP-addresses from the notifications.
It’s important to us that customer only receive alerts when it matters.
Browser-in-the-Browser
We ran a test running a new BITB phishing approach. With a Browser-in-the-Browser phishing attack, a Microsoft login page is embedded within another page, imitating a complete browser window. The following GIF shows the concept really well:
We tried this attack against a Microsoft tenant protected with our technique. A cool fact is that our trick & system also detects these kind of phishing attacks. Another win 😊
This screenshots shows our pixel being loaded:
Our first non-public phishing framework
A few days ago we detected our first AiTM framework that is not a default Evilginx install, or any other public framework. We love to research such framework to look how they are implemented.
The framework seems to be related to a specific hacking group. It’s using purely PHP to create a proxy between the victim and Microsoft. The proxy implementation seems to be obtained from this webshell. They also integrated an anti-robot solution to prevent being detected by bots.
Interesting fact: this phishing site is now online for 5 days. Not detected by Microsoft Safelinks. So the anti-robot technique, seems to be effective. Because, default Evilginx instances are taken down very quickly, as they are known.
Developing a fingerprinting tool
As mentioned, we love to investigate trends like AiTM. This new system gives us interesting insights, but also a lot of information. Therefor, Rik, started developing a fingerprinting tool. This allows us to fingerprint every AiTM site that appears online. It attempts to fingerprint the site using a database of indicators. The database with indicators and “clubs” is growing every day. This allows us to track the individual actors. This is an example of the results:
Conclusion
To be continued…. we will continue our research.