AITM Attack Detected via Amazon Web Services Infrastructure [RULE-1146]
This rule detects Adversary-in-the-Middle (AITM) phishing attacks targeting your Entra ID accounts. It triggers when a successful Entra ID sign-in is recorded from an IP address attributed to Amazon Web Services (AWS). AWS is a common hosting location for AITM reverse-proxy infrastructure, and because the proxy performs the sign-in on the victim's behalf, its AWS address is the one Entra ID records for the session.
Rationale
AITM phishing is one of the most dangerous modern attack techniques because it defeats most forms of multi-factor authentication (MFA). In an AITM attack, a reverse proxy is positioned between the victim and the legitimate Microsoft sign-in page. When the user enters their credentials on the phishing page, the proxy forwards them in real time to Microsoft, relays the MFA challenge back to the user, who completes it as usual, and captures the session cookie that Microsoft issues once authentication succeeds. The attacker can then replay the stolen cookie to use the account as the victim, without the password or a new MFA prompt, for as long as the session remains valid. Only phishing-resistant methods (FIDO2 security keys, passkeys and certificate-based authentication) are unaffected, because the credential is bound to the legitimate origin and cannot be relayed through the proxy.
Amazon Web Services is a major cloud computing platform that provides virtual servers, hosting, and other infrastructure services. Threat actors frequently abuse AWS to host AITM phishing panels because AWS infrastructure is widely used, making traffic from these IP ranges appear routine. The scalability and global reach of AWS allow attackers to rapidly deploy phishing infrastructure close to their targets and dispose of it quickly after use, making forensic investigation more difficult.
This detection is mapped to MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle) and T1539 (Steal Web Session Cookie). Because the proxy authenticates to Microsoft on the victim's behalf, the IP address in the Entra ID sign-in log is the proxy's, not the user's; a successful sign-in from an Amazon address that the account owner did not initiate is therefore a strong indicator that the account has been compromised through an AITM phishing attack. Immediate investigation and containment are recommended. Keep in mind that the attacker's later replay of the stolen cookie may show up as further sign-ins from a different address and browser, so do not limit the investigation to the alerted sign-in alone.
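The logic of the rule, as an added example rather than the vendor's own detection code: successful Entra ID sign-ins whose source address falls inside an AWS prefix, with an allowlist for applications the organization knowingly runs on AWS. The sign-in records, user names, addresses and prefixes below are all constructed; the prefixes use RFC 5737 documentation networks as stand-ins for AWS ranges, and the field names follow the Microsoft Graph signIn resource so that the same function can be fed the output of Get-MgAuditLogSignIn. The four records exercise a success from an AWS address, a success from a corporate address, a failed attempt from an AWS address, and a success from an allowlisted AWS-hosted application.

```powershell
# Added example (not the vendor's rule code): RULE-1146 logic over constructed sign-in records.

# Returns $true when $Ip falls inside the CIDR block $Cidr (IPv4 or IPv6).
function Test-IPInCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefixLength = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # IPv4 address vs IPv6 prefix (or vice versa)
    $remaining = [int]$prefixLength
    for ($i = 0; $i -lt $ipBytes.Length -and $remaining -gt 0; $i++) {
        $bits = [Math]::Min(8, $remaining)
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF                  # high-order $bits of this octet
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $remaining -= $bits
    }
    return $true
}

# In production load the published list instead:
#   (Invoke-RestMethod 'https://ip-ranges.amazonaws.com/ip-ranges.json').prefixes
# The entries below are placeholders in the same shape (RFC 5737 networks, not real AWS ranges).
$awsPrefixes = @(
    [pscustomobject]@{ ip_prefix = '203.0.113.0/24';  region = 'eu-west-1'; service = 'EC2' }
    [pscustomobject]@{ ip_prefix = '198.51.100.0/24'; region = 'us-east-1'; service = 'EC2' }
)

# Constructed sign-in records. status.errorCode 0 means the sign-in succeeded; 50126 is a bad password.
$signIns = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.com'; ipAddress = '203.0.113.57'; status = @{ errorCode = 0 };     appDisplayName = 'OfficeHome';      createdDateTime = '2024-05-02T08:14:09Z' }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.com';   ipAddress = '192.0.2.10';   status = @{ errorCode = 0 };     appDisplayName = 'OfficeHome';      createdDateTime = '2024-05-02T08:15:30Z' }
    [pscustomobject]@{ userPrincipalName = 'carol@contoso.com'; ipAddress = '198.51.100.8'; status = @{ errorCode = 50126 }; appDisplayName = 'OfficeHome';      createdDateTime = '2024-05-02T08:16:02Z' }
    [pscustomobject]@{ userPrincipalName = 'dave@contoso.com';  ipAddress = '198.51.100.8'; status = @{ errorCode = 0 };     appDisplayName = 'Corp VPN Portal'; createdDateTime = '2024-05-02T08:17:44Z' }
)

# The rule: successful sign-ins from an AWS prefix, minus applications the organization
# knowingly hosts on AWS (the allowlist the follow-up section recommends documenting).
function Find-AitmSignIn {
    param(
        [Parameter(Mandatory)][object[]]$SignIn,
        [Parameter(Mandatory)][object[]]$Prefix,
        [string[]]$AllowedApp = @()
    )
    foreach ($s in $SignIn) {
        if ($s.status.errorCode -ne 0)            { continue }   # only successful sign-ins
        if ($AllowedApp -contains $s.appDisplayName) { continue }   # known AWS-hosted service
        $hit = $Prefix | Where-Object { Test-IPInCidr -Ip $s.ipAddress -Cidr $_.ip_prefix } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Rule      = 'RULE-1146'
                User      = $s.userPrincipalName
                IpAddress = $s.ipAddress
                AwsPrefix = $hit.ip_prefix
                Region    = $hit.region
                App       = $s.appDisplayName
                Time      = $s.createdDateTime
            }
        }
    }
}

Find-AitmSignIn -SignIn $signIns -Prefix $awsPrefixes -AllowedApp 'Corp VPN Portal' | Format-Table -AutoSize
```

The allowlist is keyed on the application name only; if your AWS-hosted service always egresses from a fixed set of addresses, matching on the address is tighter, because an attacker's proxy can present any application name.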
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the sign-in was performed by the legitimate account owner. Contact the user to confirm whether they recognize the sign-in and whether they recently followed a link to a sign-in page, for example from an email, a shared document or a chat message.
- If no: the sign-in is most likely the result of an AITM phishing attack. Take the following containment steps immediately:
  - Block sign-in for the affected account in Microsoft Entra ID to prevent further unauthorized access.
  - Revoke all active sessions for the user at https://entra.microsoft.com to invalidate the stolen session cookie and the refresh tokens derived from it. Access tokens that were already issued remain valid until they expire (by default up to one hour) unless the application supports Continuous Access Evaluation, so expect a short window of residual access.
  - Reset the user's password and review their registered authentication methods for any newly added methods (phone numbers, authenticator apps, alternate emails) that may have been registered by the attacker.
  - Investigate the account's activity since the time of the suspicious sign-in using the Unified Audit Log at https://security.microsoft.com/auditlogsearch. Look for newly created inbox rules, application consent grants, email forwarding changes, or lateral phishing sent from the mailbox. If the scope of the compromise is unclear, consider engaging the Attic IR team for further investigation. An IR Credit Pack is required for this service.
- If yes: the user confirms they performed the sign-in, possibly through a legitimate service hosted on AWS:
  - Verify whether the organization uses AWS-hosted applications or services that could cause sign-ins to originate from Amazon IP addresses, such as VPN or secure web gateway solutions, or web applications running on AWS infrastructure, and check that the application, browser and device recorded for the sign-in match that service.
  - If the activity is confirmed as legitimate and expected, close the incident. Document the known AWS-based services and their egress addresses so that future sign-ins from them can be excluded rather than triaged again.
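The containment and investigation steps for the "If no" branch as a Microsoft Graph PowerShell runbook. This is an added example, not part of the original rule page or the vendor's tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator holds the Entra and Exchange roles those operations require. The user principal name and the alert timestamp are placeholders to replace with the values from the detection.

```powershell
# Added example (not from the original page): containment for an AITM-compromised Entra ID account.
$Upn      = 'victim@contoso.com'                                     # placeholder: the alerted account
$Since    = (Get-Date '2024-05-02T08:14:09Z').ToUniversalTime()      # placeholder: time of the suspicious sign-in
$SinceIso = $Since.ToString('yyyy-MM-ddTHH:mm:ssZ')                  # OData datetime literal for Graph filters

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Block sign-in for the account.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Revoke refresh tokens and browser sessions so the stolen session cookie can no longer be replayed.
#    Already-issued access tokens stay valid until expiry (default up to one hour) unless the app uses
#    Continuous Access Evaluation, which is why step 1 comes first.
Revoke-MgUserSignInSession -UserId $Upn

# 3. Reset the password to a random value and force a change at next sign-in.
$newPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }

# 4. Review registered authentication methods, and the security-info registrations made since the sign-in
#    (an attacker with a live session commonly adds a phone number or authenticator app for persistence).
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'User registered security info' and initiatedBy/user/userPrincipalName eq '$Upn' and activityDateTime ge $SinceIso" |
    Select-Object ActivityDateTime, ActivityDisplayName, Result

# 5. Every sign-in since the alert (look for other addresses and browsers replaying the session) and OAuth consent grants.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $SinceIso" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed, @{ n = 'Browser'; e = { $_.DeviceDetail.Browser } }
Get-MgUserOauth2PermissionGrant -UserId $Upn | Select-Object ClientId, Scope, ConsentType

# 6. Mailbox persistence: inbox rules, forwarding settings, and the Unified Audit Log for the period.
Connect-ExchangeOnline -ShowBanner:$false
Get-InboxRule -Mailbox $Upn | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 |
    Select-Object CreationDate, Operations, @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } }
```

Run steps 1 to 3 before the investigation in steps 4 to 6: the stolen cookie is live until revoked, and the audit queries are unaffected by the account being disabled. Search-UnifiedAuditLog returns at most 5000 records per call; for a long window, page with -SessionId and -SessionCommand ReturnLargeSet.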