In Attic we offer features to detect and mitigate Adversary-in-the-Middle (AITM) attacks on your Microsoft tenant. This article describes how to follow up on a detection.
Information available
Whenever a detection occurs, we have the following information about the attack:
- AITM Phishing website URL
- IP address of the victim
- Date/time of detection (UTC)
Using your web browsing logs to identify the victim
The most effective way to discover who was a victim of the attack and whether the attack was successful is to use your web browsing logs, if they are available within your organization.
In this example, we show you how to use Defender for Endpoint. The approach should be similar if you have web browsing logs in another software solution.
To identify who visited the phishing page, we use the Advanced Hunting feature in your Microsoft security dashboard.
In the Query field, enter the following query to search for devices that connected to the phishing domain. Replace the akxrnh.com domain with the phishing domain of your detection, and make sure the time range of your query covers the time of the detection. The query:
DeviceNetworkEvents
// replace akxrnh.com with the phishing domain from your detection
| where RemoteUrl contains "akxrnh.com"
| project Timestamp, DeviceName, InitiatingProcessAccountUpn, RemoteUrl
If a result is shown, the DeviceName and InitiatingProcessAccountUpn fields reveal the device and the employee that were targeted by the phishing attack.
Using the Sign-in logs to identify the victim
If your organization doesn't have web browsing logs available, identifying the user may be harder. In this case we recommend looking at your Microsoft Entra ID Sign-in logs. As the first step, search for the victim IP address that was shared in the detection. This may lead you to the user that was phished, because the same user may have signed in from that IP address on other occasions. The search is performed using a filter, as shown here:
If results are returned, the User column contains the potential victim. Please note that the IP address may be shared, making it more difficult to identify the victim.
Using the Sign-in logs to check whether the attack was successful
If you are still unable to identify the victim, we encourage you to take a look at all Sign-ins that occurred within your organization at the time of the detection. Answer the following questions:
- Are there any suspicious Sign-ins at the time of our detection? For example, are there login attempts originating from uncommon countries/regions?
- Are the suspicious login attempts successful or unsuccessful?
If there were no (suspicious) successful logins, you can assume that the phishing attack was unsuccessful. Our detection was triggered because one of your employees entered their username on the phishing website, but most likely they did not enter their password, as there is no successful login.
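The two checks above (who visited the phishing domain, and whether a sign-in followed it) can be combined into one Advanced Hunting query. This is an added example, not part of the original article or of Attic; it assumes the Defender XDR tables DeviceNetworkEvents and AADSignInEventsBeta are available in your tenant, and the domain and detection time are placeholders to replace with the values from your detection.

```kql
// Added example (not from the original article). Assumes the Defender XDR
// advanced hunting tables DeviceNetworkEvents and AADSignInEventsBeta.
let PhishingDomain = "akxrnh.com";                    // placeholder: domain from the detection
let DetectionTime  = datetime(2024-01-01 12:00:00);   // placeholder: detection time (UTC)
let Window         = 2h;                              // sign-ins this long around the visit
// Step 1: accounts and devices that connected to the phishing domain.
let Victims = DeviceNetworkEvents
    | where Timestamp between ((DetectionTime - Window) .. (DetectionTime + Window))
    | where RemoteUrl contains PhishingDomain
    | summarize FirstVisit = min(Timestamp), Devices = make_set(DeviceName)
        by AccountUpn = InitiatingProcessAccountUpn;
// Step 2: IP addresses each account signed in from successfully in the 14 days
// before the incident, used as a baseline of "known" locations.
let KnownLocations = AADSignInEventsBeta
    | where Timestamp between ((DetectionTime - 14d) .. (DetectionTime - Window))
    | where ErrorCode == 0
    | summarize by AccountUpn, IPAddress;
// Step 3: sign-ins of the visiting accounts, after their first visit, from IP
// addresses not seen before. ErrorCode 0 is a successful sign-in; a success
// from a new location is the strongest sign that the AITM proxy relayed
// the credentials and session, so those accounts should be treated as compromised.
Victims
| join kind=inner (
    AADSignInEventsBeta
    | where Timestamp between ((DetectionTime - Window) .. (DetectionTime + Window))
  ) on AccountUpn
| where Timestamp >= FirstVisit
| join kind=leftanti KnownLocations on AccountUpn, IPAddress
| project AccountUpn, FirstVisit, Devices, SignInTime = Timestamp, IPAddress, Country,
          Application, ErrorCode,
          Outcome = iff(ErrorCode == 0, "successful sign-in from new IP", "failed attempt")
| sort by AccountUpn asc, SignInTime asc
```

No rows with a successful outcome supports the conclusion above that the victim stopped at the username prompt; failed attempts from new IPs still show that the attacker attempted to use the harvested username.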
Did you identify the user?
If you identified the user, we encourage you to contact the user directly and ask questions to determine whether the attack was successful.
If you are still in doubt, you can take precautions by:
- Resetting the user's password
- Resetting the user's MFA
- Revoking all existing authentication sessions
Still need help?
Contact us through Attic.