Forum Discussion

techjunk
Brass Contributor
Feb 07, 2024
Solved

AITM Attack - Canary URL

Hello.

I am trying to work through the configuration in this article:
https://ironpeak.be/blog/azure-detecting-aitm-attacks/

I created the following logic app:

The generated URL has been added to a CSS file and uploaded as outlined in that article, and the branding changes are active.

When someone logs in to something like the Azure portal the logic app is triggered, but the condition is always "false".

If I look at the output the "Referer" is exactly as it should be for the condition to be true:

Any help where I am going wrong would be greatly appreciated.

  • JanAnders45
    JanAnders45
    Copper Contributor

    techjunk Had a bit of a struggle with the same. Referer is not found in the body, but in the header. Remove everything in the request body JSON, then check the header instead; for example:

    @triggerOutputs()?['headers']['Referer']

    While I have you here: as far as I can see you will only get the Referer, so how will you use that further? It does not seem to be possible to get the requesting IP or user. Will you join SigninLogs on UserAgent?
    • techjunk
      Brass Contributor

      JanAnders45 Thank you for the suggestion. That did the trick.

      As for your question, we haven't got that far yet, but your suggestion makes sense.

      • Fbacchin
        Copper Contributor
        Hi there,

        How is this logic app working for you guys?

        What were the challenges of testing and implementing this?
        Too many false positives? Any true positives?
        Have you managed to successfully detect attacks using this method?
        What about correlating the alerts with users' sign-in sessions/attempts?

        Wondering if anyone else has tried this approach?

        The idea of using a custom CSS template in Microsoft Entra ID Company Branding to trigger a logic app when a user visits a Microsoft login page via an AitM site/proxy (referred) seems quite clever to me, and it is probably the only effective method currently available to detect such attacks while they happen and before it is too late.

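To make the corrected condition concrete, here is an added Python example (not code from this thread or from the ironpeak article) that mirrors the Logic App check JanAnders45 describes, reading Referer from the trigger headers rather than the body, and carries the correlation fields Fbacchin asks about. The legitimate-host list, the X-Forwarded-For and User-Agent header names, and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts that legitimately render the Entra ID sign-in page (assumed list). A canary fetch
# whose Referer names any other host came via a page in front of the real login page.
LEGITIMATE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

def evaluate_canary_hit(trigger_outputs: dict) -> dict:
    """Classify one canary request from the HTTP trigger's outputs.
    Referer is read from ['headers'], as in JanAnders45's expression
    @triggerOutputs()?['headers']['Referer']; the request body never carries it.
    A missing Referer gets its own verdict instead of being treated as benign.
    """
    headers = {k.lower(): v for k, v in trigger_outputs.get("headers", {}).items()}
    referer = headers.get("referer")
    host = (urlsplit(referer).hostname or "").lower() if referer else None
    if host is None:
        verdict = "no_referer"
    elif host in LEGITIMATE_LOGIN_HOSTS:
        verdict = "benign"
    else:
        verdict = "suspected_aitm"
    return {
        "verdict": verdict,
        "referer_host": host,
        # Correlation fields (assumed header names): the canary is fetched by the user's
        # own browser, so User-Agent can be joined against SigninLogs on a short time
        # window, and X-Forwarded-For, when the front end sets it, carries the client address.
        "user_agent": headers.get("user-agent"),
        "client_ip": headers.get("x-forwarded-for", "").split(",")[0].strip() or None,
    }

# Constructed sample trigger outputs in the shape a Logic App HTTP trigger exposes.
SAMPLE_HITS = [
    {"headers": {"Referer": "https://login.microsoftonline.com/common/oauth2/authorize",
                 "User-Agent": "Mozilla/5.0 (constructed)"}},
    {"headers": {"Referer": "https://login.proxy.example/common/oauth2/authorize",
                 "User-Agent": "Mozilla/5.0 (constructed)",
                 "X-Forwarded-For": "203.0.113.10, 10.0.0.1"}},
    {"headers": {"User-Agent": "Mozilla/5.0 (constructed)"}},
]

if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(evaluate_canary_hit(hit))
```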