techjunk
Feb 07, 2024Brass Contributor
AITM Attack - Canary URL
Hello. I am trying to work through the configuration in this article; https://ironpeak.be/blog/azure-detecting-aitm-attacks/ I created the following logic app; The generated URL has b...
JanAnders45
Feb 09, 2024Copper Contributor
techjunk Had a bit of a struggle with the same. Referer is not found in the body, but in the header. Remove everything in the request body JSON, then check the header stuff, for example:
@triggerOutputs()?['headers']['Referer']
While I have you here: as far as I can see you will only get the Referer, how will you use that further? It does not seem to be possible to get the requesting IP or User. Will you join SigninLogs on UserAgent?
techjunk
Feb 09, 2024Brass Contributor
JanAnders45 Thank you for the suggestion. That did the trick.
As for your question, we haven't got that far yet, but your suggestion makes sense.
Fbacchin
May 06, 2024Copper Contributor
Hi there,
How is this logic app working for you guys ?
What were the challenges of testing and implementing this ?
Too many False positives ? Any True-positive?
Have you managed to successfully detect attacks using this method?
What about correlating the alerts with users signing session/attempt?
Wondering if anyone else tried this approach?
The idea of using a custom CSS template in Microsoft Entra ID Company Branding, to trigger logic when a user visits a Microsoft login page via an AitM site/proxy (referred), seems quite clever to me, and it is probably the only effective method currently available to detect such attacks while they happen and before it is too late.
techjunk
May 08, 2024Brass Contributor
We currently have this logic app in place, and it has provided a number of positive alerts. There is no direct correlation with the LA alone, but other simultaneous activity (risky sign-ins, etc.) has provided enough triangulation.
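As an added example (not the Logic App from this thread or from the ironpeak article), the same decision written out in Python: read Referer from the trigger headers rather than the body, flag a canary hit whose Referer host is not an expected Microsoft login host, and join a flagged hit to SigninLogs rows on UserAgent within a time window, as JanAnders45 suggests. The expected-host list, the sample hit and the sign-in rows are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts from which the Company Branding CSS (and so the canary URL) is
# legitimately loaded. Assumed list; adjust for your tenant.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}


def classify_canary_hit(headers):
    """Mirror the Logic App step: Referer lives in the trigger headers, not the
    body. A Referer host that is not a Microsoft login host means the login
    page (and its CSS) was served through some other origin, e.g. a reverse proxy."""
    norm = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    referer = norm.get("referer")
    if not referer:
        # Some clients strip Referer; report it as unknown rather than as an alert
        return {"referer_host": None, "suspicious": False, "reason": "no Referer header"}
    host = (urlparse(referer).hostname or "").lower()
    if host in EXPECTED_LOGIN_HOSTS:
        return {"referer_host": host, "suspicious": False, "reason": "expected login host"}
    return {"referer_host": host, "suspicious": True, "reason": "canary loaded via unexpected host"}


def correlate_with_signins(hit, signins, window_minutes=10):
    """The hit itself carries no user or source IP, so triangulate: return the
    sign-in rows with the same UserAgent within +/- window_minutes of the hit."""
    window = timedelta(minutes=window_minutes)
    return [
        row for row in signins
        if row["UserAgent"] == hit["user_agent"]
        and abs(row["TimeGenerated"] - hit["time"]) <= window
    ]


# Constructed sample data: one canary hit and three sign-in rows
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0"
SAMPLE_HIT = {
    "headers": {"Referer": "https://proxy-placeholder.example/common/oauth2/authorize"},
    "user_agent": UA,
    "time": datetime(2024, 5, 8, 9, 30, 0),
}
SAMPLE_SIGNINS = [
    {"TimeGenerated": datetime(2024, 5, 8, 9, 31, 0), "UserAgent": UA, "UserPrincipalName": "user1@example"},
    {"TimeGenerated": datetime(2024, 5, 8, 9, 32, 0), "UserAgent": "OtherAgent/2.0", "UserPrincipalName": "user2@example"},
    {"TimeGenerated": datetime(2024, 5, 8, 11, 0, 0), "UserAgent": UA, "UserPrincipalName": "user3@example"},
]


def run_sample():
    """Classify the sample hit and, if suspicious, return the correlated sign-ins."""
    verdict = classify_canary_hit(SAMPLE_HIT["headers"])
    return verdict, (correlate_with_signins(SAMPLE_HIT, SAMPLE_SIGNINS) if verdict["suspicious"] else [])
```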