Microsoft AITM honeytoken: Warning the victims

In January we launched new functionality for Attic to detect AiTM attacks targeting the Microsoft 365 tenant of customers. Using the platform of and custom CSS in the Microsoft login page. Since then, our approach has been implemented by other companies, such as EYE, CIPP and even de honey-heroes at Thinkst. This is amazing, because like this, our approach has more reach and we have a bigger impact.

EYE and CIPP also added a great improvement on our initial implementation. They modified the CSS to warn users whenever they visit a (AITM) phishing website. This is a great method, as we do not only detect a phishing attempt but we can also try to prevent the phishing attack to be successful by warning the victim. We decided to implement this technique (optionally) in our own products as well, because preventing is even better then only detecting.

How does it work?

Our earlier released detection relies on adding CSS code into the Microsoft tenant. The CSS touches our backend. The backend analyzes the incoming request. If the request originates from a phishing website, a notification is sent.

CSS offers more features then just touching our backend. It also allows us to modify the Microsoft login page. The idea is to set a background-image to the Microsoft sign in box, hosted on our backend. The backend returns a image that warns the user if the request originates from a malicious website. Otherwise, the response is empty, displaying no image at all. We can use the following updated CSS:

background: white url('') center no-repeat;


After enabling the feature, a victim will get the following behavior while logging into a phishing website:


Its great that our approach has been adopted by others and that new idea’s are added on top of it. Do you want to add this protection to your Microsoft tenant? Take a look at Attic (currently for Dutch users) or DSCM Premium.