Connection to adversary-in-the-middle (AiTM) phishing site -

Copper Contributor

Hello all,

I have a strange Defender alert.


User is opening SharePoint/OneDrive on a terminal server (RDP connection) with Mozilla Firefox and the event below appears.

Mozilla Firefox is stock and other users do not create this kind of alert.

There is no visible Add-on installed, which could cause this issue.


I cannot find any information about


Connection to adversary-in-the-middle (AiTM) phishing site

firefox.exe (PID: 31868)

firefox.exe (PID: 7788)




3 Replies

Hello @ENVRobin,


domain is definitely malicious and has been reported as phishing. You may find plenty of artifacts associated here:

You may want to check the Delivery method, I can see that Firefox has been spawned from Outlook. Could someone have opened a phishing email? It's a common practice to host suspicious files in sharepoint and then point the suspect to a malicious page luring for credentials.


If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

@cyb3rmik3 the situation is really strange because it looks like the server is really empty and the user is not working as much with this server. So there is Outlook installed and Firefox to do sometimes a little research, but this user has its workstation/laptop to do its business.


The mail which has created an alert was SharePoint Online via direct sharing from another colleague inhouse. So technically it was Microsoft, who sent out the mail and nobody was between.


We are using Office 365 without hybrid setting, and we are also cloud only with Exchange Online and no weird third party anti spam provider and so on. So everything looks like best practise except using Office 365 on Windows Server ;)


I have now forced the user to use MS Edge and currently there is no new alert. Also opening Firefox several time with opening the shared OneDrive file has not created an alert each click. It was every 10th time I tried.


I have then cleared out Firefox cookies and cache, checked website push notifcations settings and so on, because I think there was maybe something loading in background by opening.


Hopefully this connection will never happen again :)