General
Attic protects Microsoft 365 against Adversary-in-the-Middle (AiTM) attacks in two ways, using the platform of didsomeoneclone.me.
Rationale
AiTM is a technique used by attackers primarily to bypass multi-factor authentication (MFA). The victim is lured into visiting a malicious URL, where a real-time clone of the legitimate Microsoft login page is displayed. The clone acts as a conduit for information between Microsoft and the victim, and vice versa, allowing the attacker to copy the entered data along the way. After successful authentication, the attacker can copy the logged-in session and thus take over the identity of the employee in question.
Multiple Checks
This functionality is installed using 2 separate checks:
- CHK-1102 - Checks if clone detection is enabled. An Attic alarm for this Check will trigger if this detection has not yet been installed. Installation of clone detection will lead to an alarm to the Attic administrator(s) via CHK-1158 if an employee visits a clone of the Microsoft login page.
- CHK-1103 - Checks if clone mitigation is enabled. An Attic alarm for this Check will trigger if mitigation has not yet been installed. Installation of clone mitigation will show the visitor of a clone a visible warning with the urgent advice not to enter a password.
CHK-1103 - Clone Mitigation is a premium feature: only users of Attic for Microsoft 365 Premium can use it.
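As an added illustration (not Attic's or didsomeoneclone.me's code, whose mechanism this page does not describe), the decision behind clone detection and clone mitigation can be expressed as an exact-match check on the origin that rendered the sign-in page. The host allowlist, the function names and the sample URLs are assumptions made for this example.

```javascript
// Added illustration, not Attic's or didsomeoneclone.me's implementation.
// ASSUMPTION: sample allowlist of genuine Microsoft sign-in hosts (not exhaustive).
const LEGIT_LOGIN_HOSTS = new Set([
  "login.microsoftonline.com",
  "login.microsoft.com",
  "login.live.com",
]);

// Hypothetical helper. Precondition: pageUrl is the address of a page that
// rendered the Microsoft sign-in form. Returns what a defender would do:
// alarm  -> notify administrators (the role the page gives to CHK-1158)
// warnUser -> show the visible "do not enter a password" warning (mitigation)
function classifyLoginOrigin(pageUrl, { mitigationEnabled = false } = {}) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { verdict: "invalid", alarm: false, warnUser: false };
  }
  // The URL parser lowercases the host and separates userinfo, so
  // "https://login.microsoftonline.com@evil.example/" yields host evil.example.
  const host = url.hostname.replace(/\.$/, ""); // drop trailing root dot
  // Exact match only: a suffix or substring test would accept lookalikes such
  // as login.microsoftonline.com.evil.example.
  const legit = url.protocol === "https:" && LEGIT_LOGIN_HOSTS.has(host);
  if (legit) return { verdict: "legitimate", alarm: false, warnUser: false };
  return { verdict: "clone", host, alarm: true, warnUser: mitigationEnabled };
}

// Constructed sample URLs (.example is a reserved documentation domain).
const SAMPLE_URLS = [
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
  "https://login.microsoftonline.com.evil.example/common/login",
  "https://login.microsoftonline.com@evil.example/",
  "http://login.microsoftonline.com/",
];

function classifySamples(options) {
  return SAMPLE_URLS.map((u) => ({ url: u, ...classifyLoginOrigin(u, options) }));
}

console.log(classifySamples({ mitigationEnabled: true }));
```

With `mitigationEnabled` left at `false`, a clone still raises the alarm but no warning is shown, which mirrors the split between the two checks.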
Attic Fix
A fix is available for both checks! The fixes are offered via tickets in Attic, which you can then accept.