General
This check verifies whether clone detections have occurred. A clone detection indicates an Adversary-in-the-Middle (AiTM) attack against one of your employees.
An alarm from CHK-1158 means that, at that moment, an employee is visiting a phishing page that proxies the Microsoft login page. They may already have entered their password there and completed the MFA prompt.
Treat this alarm with high priority!
Rationale
AiTM is a technique used by attackers primarily to bypass multi-factor authentication (MFA). The victim is lured into visiting a malicious URL, where a real-time clone of the legitimate Microsoft login page is displayed. The clone acts as a reverse proxy between the victim and Microsoft, relaying every request and response in both directions and allowing the attacker to copy the entered credentials and MFA response along the way. After the victim has authenticated, the attacker captures the session cookie that Microsoft issues and can replay it to act as the employee in question, without needing the password or a second MFA prompt.
Installation of Clone Detection is managed with CHK-1102.
Follow-up
Perform these steps to adequately follow up on this detection:
- Investigate whether the victim actually submitted credentials and completed a sign-in through the phishing page:
  - Contact the employee by phone to verify this (not by e-mail: if the account is already compromised, the attacker can read the mailbox)
  - Check the sign-in logs in Entra ID for sign-ins around the time of detection, and look for successful sign-ins from an IP address, location or browser the employee does not normally use; in an AiTM attack the sign-in originates from the attacker's proxy, not from the employee's device
- If the victim did sign in through the phishing page:
  - Reset the user's password
  - Revoke the user's active sessions and refresh tokens, so that the session the attacker copied stops working
  - Inform the victim
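The Entra ID part of this follow-up, as an added example that is not part of the original article or of Zolder's tooling: it pulls the sign-in log for a window around the detection, lists every sign-in with its source, and, when run with -Contain, resets the password and revokes all sessions. It uses the Microsoft Graph PowerShell SDK and assumes the operator already holds a role that is allowed to read sign-in logs, reset passwords and revoke sessions; the UPN, detection time and window size are parameters, and the example UPN in the comments is a placeholder.

```powershell
# Added example, not Zolder's own code: triage and contain a CHK-1158 AiTM hit via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph modules are installed and the signed-in operator holds a suitable admin role.
param(
    [Parameter(Mandatory)] [string]$Upn,            # user named in the alarm, e.g. j.doe@contoso.com (placeholder)
    [Parameter(Mandatory)] [datetime]$DetectedAt,   # timestamp of the clone detection from the Attic alarm
    [int]$WindowMinutes = 60,                       # look this far on either side of the detection
    [switch]$Contain                                # actually reset the password and revoke sessions
)

# Scopes needed to read sign-in logs and to reset the password / revoke sessions (assumed sufficient here).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.ReadWrite.All', 'Directory.AccessAsUser.All' | Out-Null

# 1. Pull the Entra ID sign-in log for the window around the detection (OData datetimes must be UTC, ISO 8601).
$from   = $DetectedAt.ToUniversalTime().AddMinutes(-$WindowMinutes).ToString('yyyy-MM-ddTHH:mm:ssZ')
$to     = $DetectedAt.ToUniversalTime().AddMinutes($WindowMinutes).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$Upn' and createdDateTime ge $from and createdDateTime le $to"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# 2. Show every attempt with its source. In an AiTM attack the successful sign-in (errorCode 0) comes from
#    the attacker's proxy, so the IP, country and browser will not match the employee's usual pattern.
$signIns | Sort-Object CreatedDateTime | Select-Object CreatedDateTime, IpAddress,
    @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, AppDisplayName, ClientAppUsed,
    @{ n = 'Browser'; e = { $_.DeviceDetail.Browser } },
    @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } | Format-Table -AutoSize

$successful = @($signIns | Where-Object { $_.Status.ErrorCode -eq 0 })
if ($successful.Count -eq 0) {
    Write-Host "No successful sign-in for $Upn between $from and $to. Still confirm with the employee by phone."
    return
}
$sources = ($successful.IpAddress | Sort-Object -Unique) -join ', '
Write-Warning "$($successful.Count) successful sign-in(s) for $Upn in the window, from: $sources"

if (-not $Contain) {
    Write-Host 'Re-run with -Contain to reset the password and revoke all sessions.'
    return
}

# 3. Containment: reset the password to a random temporary value the user must change at next sign-in ...
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# ... then revoke every session and refresh token, which is what actually invalidates the cookie the
#    attacker captured; a password reset alone does not end a session that is already established.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Password reset and all sessions revoked for $Upn. Hand the temporary password to the employee out of band."
```

Run it first without -Contain to review the sign-in list, then with -Contain once the phone call has confirmed that the employee entered credentials on the page. Because the script does a `Revoke-MgUserSignInSession`, any access token the attacker already holds remains valid until it expires (typically up to an hour), so keep watching the sign-in log for that user after containment.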
Zolder can assist with these actions and answer related questions through a follow-up investigation. You can inquire about this via the Attic ticket.