About
"Adversary-in-the-middle" (AiTM) phishing is a technique in which the attacker not only steals a victim's credentials but also relays the victim's traffic to the legitimate service in real time, acting as a transparent proxy between the two. Because the victim completes the login, including the MFA challenge, against the real service through that proxy, the attacker captures the session cookie the service issues and can use it to access the account. This defeats most multi-factor authentication (MFA) methods without ever breaking them.
Understanding Impact
Business Impact
Compromised employee accounts often lead to data leaks, data loss, and unauthorized access to your Azure or corporate Microsoft 365 resources. In particular, Business Email Compromise (BEC) is a common attacker goal that leverages compromised accounts.
Technical Impact
"Adversary-in-the-middle" (AiTM) allows an attacker to "bypass" most MFA methods, including TOTP, SMS, and Microsoft Authenticator push approvals. The second factor is not broken: the victim satisfies it against the legitimate service, but every request and response passes through the attacker's proxy. The proxy captures the session cookie issued after that successful authentication and replays it, so the attacker accesses the victim's account without ever being asked for a second factor.
Detection
In an AiTM scenario, the actual Azure AD sign-in is performed from the attacker's proxy, so the sign-in record carries the attacker's IP address, location, and network, not the victim's, even though MFA is reported as satisfied. Consequently, you can use the usual telemetry, such as Azure AD sign-in logs and Azure AD Identity Protection, to identify sign-ins with unusual locations or characteristics for that user, and to spot a session that is later used from a different IP address or network than the one it was issued to.
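The two checks described above, run over a handful of constructed sign-in records, as an added example (this is not code from the original page and not Datadog's own detection rules). The flattened field names it expects (userPrincipalName, ipAddress, country, asn, sessionId, createdDateTime, isInteractive, mfaSatisfied) are assumptions loosely modelled on the Microsoft Graph signIn resource and will need mapping onto your actual sign-in log export:

```python
"""Two checks that surface an AiTM-proxied sign-in in Azure AD sign-in telemetry.

Added example; not part of the original page and not Datadog's own detection
rules. The record fields used below (userPrincipalName, ipAddress, country,
asn, sessionId, createdDateTime, isInteractive, mfaSatisfied) are assumed,
flattened names loosely modelled on the Microsoft Graph signIn resource;
map them onto whatever your export of the sign-in logs actually contains.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real telemetry). IPs come from the
# documentation ranges and ASNs from the private range 64496-64511.
SAMPLE_SIGNINS = [
    # Baseline: alice signs in from the corporate egress (FR, ASN 64496).
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "country": "FR",
     "asn": 64496, "sessionId": "s-100", "createdDateTime": "2023-05-01T08:00:00Z",
     "isInteractive": True, "mfaSatisfied": True},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "country": "FR",
     "asn": 64496, "sessionId": "s-101", "createdDateTime": "2023-05-03T08:05:00Z",
     "isInteractive": True, "mfaSatisfied": True},
    # Same session continues from a second office address in the same ASN: benign roaming.
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.11", "country": "FR",
     "asn": 64496, "sessionId": "s-101", "createdDateTime": "2023-05-03T08:20:00Z",
     "isInteractive": False, "mfaSatisfied": False},
    # Phishing day: the interactive, MFA-satisfied sign-in is made by the
    # attacker's proxy, so it carries the proxy's IP, country and ASN.
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "country": "NL",
     "asn": 64500, "sessionId": "s-200", "createdDateTime": "2023-05-10T09:12:00Z",
     "isInteractive": True, "mfaSatisfied": True},
    # Minutes later the stolen cookie is replayed from a second attacker host.
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.55", "country": "US",
     "asn": 64501, "sessionId": "s-200", "createdDateTime": "2023-05-10T09:40:00Z",
     "isInteractive": False, "mfaSatisfied": False},
]


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def learn_baseline(records, before):
    """Per-user set of (country, asn) pairs seen in sign-ins strictly before `before`."""
    cutoff = _ts(before)
    baseline = defaultdict(set)
    for rec in records:
        if _ts(rec["createdDateTime"]) < cutoff:
            baseline[rec["userPrincipalName"]].add((rec["country"], rec["asn"]))
    return baseline


def unusual_mfa_signins(records, baseline, since):
    """Interactive sign-ins that satisfied MFA from a (country, asn) pair the user
    has never used. In AiTM the proxy performs that sign-in, so this is where the
    attacker's network first appears, even though MFA 'succeeded'."""
    cutoff = _ts(since)
    hits = []
    for rec in records:
        if _ts(rec["createdDateTime"]) < cutoff:
            continue
        if not (rec["isInteractive"] and rec["mfaSatisfied"]):
            continue
        if (rec["country"], rec["asn"]) not in baseline.get(rec["userPrincipalName"], set()):
            hits.append(rec)
    return hits


def session_reuse(records, window=timedelta(hours=1)):
    """Sessions whose consecutive uses come from different ASNs within `window`:
    the signature of a cookie issued to the proxy and replayed elsewhere.
    Requiring an ASN change (not just an IP change) ignores ordinary roaming."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["sessionId"]].append(rec)
    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: _ts(r["createdDateTime"]))
        for prev, cur in zip(recs, recs[1:]):
            gap = _ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])
            if prev["asn"] != cur["asn"] and gap <= window:
                findings.append({
                    "user": cur["userPrincipalName"],
                    "sessionId": sid,
                    "ips": sorted({r["ipAddress"] for r in recs}),
                    "asns": sorted({r["asn"] for r in recs}),
                })
                break
    return findings


if __name__ == "__main__":
    base = learn_baseline(SAMPLE_SIGNINS, before="2023-05-10T00:00:00Z")
    for hit in unusual_mfa_signins(SAMPLE_SIGNINS, base, since="2023-05-10T00:00:00Z"):
        print("MFA sign-in from unseen network:", hit["userPrincipalName"],
              hit["ipAddress"], hit["country"], hit["asn"])
    for finding in session_reuse(SAMPLE_SIGNINS):
        print("Session replayed across ASNs:", finding)
```

On the sample data the first check flags the proxied sign-in from 198.51.100.77 and the second flags session s-200, while the office session that moved between two addresses in the same ASN stays quiet. In production, learn the baseline over a longer window than the example's single cutoff, and treat either finding as a trigger to revoke the user's sessions and look for the follow-on activity (inbox rules, mailbox access) that the BEC phase of these campaigns produces.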
To prevent AiTM attacks, enforce phishing-resistant MFA methods such as FIDO2 security keys: the credential is bound to the origin that registered it, so a proxy served from a different domain cannot complete the challenge. If you're using a mobile device management solution such as Microsoft Intune, you can also require a compliant or managed device for authentication through a conditional access policy, so that a stolen session alone is not enough to sign in.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:
References
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud (Microsoft Security Blog)
Detecting and mitigating a multi-stage AiTM phishing and BEC campaign (Microsoft Security Blog)
Phishing-resistant MFA methods (Microsoft Entra documentation)
Protect against AiTM/MFA phishing attacks (jeffreyappel.nl)
Azure Sentinel rule: Possible AiTM phishing attempt (github.com)