Attic adds extra protection against AiTM attacks to your Microsoft 365 organization. It uses the functionality of didsomeoneclone.me (DSCM) for this.
What is AiTM?
AiTM stands for "Adversary-in-the-Middle" and means that a malicious person secretly positions themselves between the sender and receiver of information. From that position, the attacker can view the exchanged information and abuse it for their own gain.
AiTM and Microsoft 365
This attack tactic was not designed exclusively for Microsoft 365. In the Microsoft 365 context, however, an AiTM attack is mainly used to steal login credentials, or rather: logged-in user sessions.
A stolen session can subsequently be 'replayed' by the attacker in their own browser to gain access to the account.
The following video explains how such an attack works:
POC Demonstration
Attic against AiTM
Attic's protection against AiTM attacks works in 2 steps, which are available depending on your Attic subscription.
- Detection: (FREE) Here, the DSCM technology is used to recognize clones of your Microsoft login page. When an employee visits such a clone, you will receive a notification via Attic.
- Mitigation: In the Attic for M365 Premium subscription, we add an extra configuration that shows a visible warning to the visitor of a clone page, so that the visitor is stopped BEFORE entering a password.
Example AiTM Mitigation: