tl;dr
Phishing attacks are more complex nowadays and often leverage Adversary-in-the-Middle (AitM) techniques to “bypass” a victim’s MFA. In this blog post we show you how Canarytokens can be used to notify the responsible personnel when one of your users loads the Microsoft login page through an adversary-controlled phishing site.
AitM Phishing Attacks
Phishing attacks have posed a constant threat to users for many years now, and as security measures have improved, for example through the adoption of modern Multi-Factor Authentication (MFA) methods, attackers have improved their attacks as well. AitM attacks, where the attacker intercepts and manipulates the victim’s communication with the target service, have become an everyday reality. These kinds of attacks also allow the attacker to capture MFA tokens and use them to log in to the victim’s account.
In the Microsoft 365 environment, where users log in to their Entra ID tenant through Microsoft’s login service on the http://microsoft.com domain, attackers trick victims into visiting a site they control, which then proxies the login traffic to the legitimate Microsoft login page. In this way, they can capture the cookies and tokens granted to the victim and authenticate to the target service in the victim’s name.
In a normal login, the referring host that loads the Microsoft login page (the HTTP Referer seen by any resource the page fetches) is a http://microsoft.com domain. This is not the case in AitM attacks, where the referrer is the attacker’s proxy host, and this is where Canarytokens come into play.
Canarytokens
Canarytokens are small, customizable digital traps designed to detect unauthorized access or activity in a system or service. They can be generated in different shapes – files, URLs, API keys, or other resources – and alert you when someone interacts with them by quietly sending a notification (like an email or webhook) to the configured target. This helps security teams identify breaches or insider threats early on.
This service is provided by Thinkst Canary, and the tokens can be generated for free on the following website: https://canarytokens.org/nest/
Using Canarytokens in the Microsoft Login
Now, to get notified if someone tries to phish one of your users’ M365 accounts via AitM phishing, go to the Canarytokens website, choose ”Azure Entra ID login”, fill in the recipient email for the notification emails (e.g. your SOC’s mailbox) and a reminder message that tells you which target this token is meant for (for example the name or ID of the tenant in which you will deploy this ”trap”):

After you have created the canarytoken, you will be offered the option to deploy the resulting CSS to the Entra ID portal. In this example we choose the ”Manual Flow” and click on Download CSS:

The downloaded CSS file will contain something like the following example (ignore the surrounding <pre> tag):

Now log in to your Entra ID portal with an account that has the permissions required to change the Company Branding settings (e.g. ”Organizational Branding Administrator”), go to Manage > Company branding and click on ”Edit”. Switch to the Layout page and, under Custom CSS, choose the CSS file you downloaded from the Canarytokens website. Save the settings and you are ready to go!
It is also possible to add a custom webhook for an event-driven approach, which, for example, lets you send alerts directly into your SIEM. Thinkst Canary’s website provides step-by-step documentation for implementing webhook notifications for Microsoft Sentinel: https://help.canary.tools/hc/en-gb/articles/4523140483101-How-do-I-configure-Webhook-notifications-for-Microsoft-Sentinel
Once a user logs in to your tenant and this login was served via an attacker-controlled website (so that the referrer is not a microsoft.com domain), a notification is triggered to your provided email address or webhook:

In the details of the canarytoken’s hit, you can see the referrer that was logged when this request was sent:

This is the domain under which the attacker is hosting its phishing page.
Note: If you have legitimate domains hosting the Entra ID login, you have to whitelist those domains, otherwise every login through them will raise an alert: https://help.canary.tools/hc/en-gb/articles/20387365960349-How-do-I-ignore-domains-on-my-Azure-Entra-ID-Login-Canarytokens
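To make the referrer check and the whitelist note above concrete, here is an added example (our own illustration, not Thinkst Canary’s code) of the decision logic a token back end applies to a hit: the custom CSS makes the user’s browser fetch a token URL, the Referer on that fetch names the site that served the login page, and the hit is only worth an alert when that host is neither a Microsoft login host nor one of your own whitelisted domains. The Microsoft host list, the `contoso.example` ignore-list entry and the sample hits are all constructed for this example.

```python
"""Referrer-based classification of Azure Entra ID login Canarytoken hits.

Added illustration, not Thinkst Canary's implementation: it models the
mechanism the post describes so the decision logic can be read and tested
offline. Host lists and sample hits are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hosts that legitimately serve the Entra ID login page (constructed
# allowlist for this example; the real token service maintains its own).
MICROSOFT_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
})


@dataclass
class Hit:
    referrer: str
    source_ip: str
    verdict: str   # "expected", "ignored", "suspicious" or "no-referrer"
    reason: str


def referrer_host(referrer: Optional[str]) -> Optional[str]:
    """Return the lowercase hostname from a Referer header value, or None."""
    if not referrer:
        return None
    host = urlsplit(referrer.strip()).hostname
    return host.lower() if host else None


def host_matches(host: str, allowed: Iterable[str]) -> bool:
    """True when host equals an allowed host or is a subdomain of one.

    A plain suffix match is deliberately avoided: a look-alike such as
    login.microsoftonline.com.<other-domain> must not count as Microsoft.
    """
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_hit(referrer: Optional[str], source_ip: str,
                 ignored_domains: Iterable[str] = ()) -> Hit:
    """Decide whether one token hit looks like a normal login or an AitM proxy."""
    host = referrer_host(referrer)
    if host is None:
        return Hit(referrer or "", source_ip, "no-referrer",
                   "no Referer header; origin of the login page is unknown")
    if host_matches(host, MICROSOFT_LOGIN_HOSTS):
        return Hit(referrer, source_ip, "expected",
                   f"{host} is a Microsoft login host")
    if host_matches(host, ignored_domains):
        return Hit(referrer, source_ip, "ignored",
                   f"{host} is on the tenant's ignore list")
    return Hit(referrer, source_ip, "suspicious",
               f"login page was served by non-Microsoft host {host}")


def alerts_for(hits: Iterable[dict],
               ignored_domains: Iterable[str] = ()) -> List[Hit]:
    """Classify raw hits and return only those that should reach the SOC."""
    ignored = tuple(d.lower() for d in ignored_domains)
    classified = (classify_hit(r.get("referrer"), r["ip"], ignored) for r in hits)
    return [h for h in classified if h.verdict in ("suspicious", "no-referrer")]


# Constructed sample hits in the shape a token service might record them.
SAMPLE_HITS = [
    {"referrer": "https://login.microsoftonline.com/", "ip": "203.0.113.10"},
    {"referrer": "https://sso.contoso.example/", "ip": "203.0.113.11"},
    {"referrer": "https://login-m365-secure.example/common/oauth2", "ip": "198.51.100.7"},
    {"referrer": None, "ip": "198.51.100.8"},
]

if __name__ == "__main__":
    # sso.contoso.example stands in for a legitimate tenant-owned login host.
    for hit in alerts_for(SAMPLE_HITS, ignored_domains=["sso.contoso.example"]):
        print(f"[{hit.verdict}] {hit.source_ip} {hit.referrer!r}: {hit.reason}")
```

Two design points carry over to any real deployment of this kind of token: under the browsers’ default referrer policy a cross-origin fetch sends only the origin (scheme and host), so the host is the only part of the Referer you can rely on; and a hit with no Referer at all cannot be attributed to Microsoft, so it is reported separately rather than silently dropped.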
Bypassing Canarytokens
Please note that, as in other areas of cybersecurity, this is a cat-and-mouse game: the detection method is not 100% reliable and documented techniques exist to bypass AitM detection. However, because it is easy to implement, we recommend deploying it as an additional layer of defense.