AITM Attack Detected via Azure Infrastructure [RULE-1145]
This rule detects Adversary-in-the-Middle (AITM) phishing attacks targeting your Entra ID accounts. It triggers when a successful sign-in is recorded from an IP address belonging to Microsoft Azure, which can be used to host AITM phishing proxy infrastructure.
Rationale
AITM phishing is one of the most dangerous modern attack techniques because it bypasses multi-factor authentication (MFA). In an AITM attack, a reverse proxy server is positioned between the victim and the legitimate Microsoft sign-in page. When a user enters their credentials on the phishing page, the proxy forwards them in real time to Microsoft, completes the MFA challenge, and intercepts the resulting session token. The attacker can then replay this stolen session token to gain full access to the account without needing the password or MFA again.
Microsoft Azure is a cloud computing platform that provides virtual machines, web hosting, and other infrastructure services. Threat actors frequently abuse Azure to host AITM phishing panels because Azure IP addresses may appear trustworthy and are less likely to be blocked by corporate firewalls or security products. Additionally, the ease of provisioning Azure resources allows attackers to quickly spin up and tear down phishing infrastructure, making it harder to track.
This detection is mapped to MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle) and T1539 (Steal Web Session Cookie). A successful login from an Azure IP address, when the account owner did not initiate the sign-in, is a strong indicator that the account has been compromised through an AITM phishing attack. Immediate investigation and containment are recommended.
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the sign-in activity was performed by the legitimate account owner. Contact the user to confirm whether they recognize the login attempt and whether they recently clicked on any suspicious links.
- If no: The sign-in is likely the result of an AITM phishing attack. Take the following containment steps immediately:
  - Block the affected account in Microsoft Entra ID to prevent further unauthorized access.
  - Revoke all active sessions for the user at https://entra.microsoft.com to invalidate the stolen session token.
  - Reset the user's password and review their registered authentication methods for any newly added methods that may have been registered by the attacker.
  - Investigate the account's activity since the time of the suspicious login using the Unified Audit Log at https://security.microsoft.com/auditlogsearch. Look for newly created inbox rules, application consent grants, email forwarding changes, or lateral phishing activity. If the scope of the compromise is unclear, consider engaging the Attic IR team for further investigation. An IR Credit Pack is required for this service.
- If yes: The user confirms they performed the sign-in, possibly through a legitimate Azure-based application or service:
  - Verify whether the organization uses Azure-hosted applications, Azure Virtual Desktop, or other services that could cause sign-ins to originate from Azure IP addresses.
  - If the activity is confirmed as legitimate and expected, close the incident. Consider documenting the known Azure-based services to prevent future false positives.
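As an added illustration (not part of this rule page or the vendor's own detection code), the following Python emulates the rule's logic from the Rationale over constructed Entra ID sign-in records: it loads Azure address prefixes from a sample in the shape of Microsoft's Service Tags JSON (the real AzureCloud list is assumed to be downloaded separately), flags successful sign-ins that originate inside those prefixes, and suppresses the documented Azure-based services that the follow-up section recommends recording. The Service Tags sample, the sign-in records and the application names are constructed, and the addresses are RFC 5737 and RFC 3849 documentation ranges, not real Azure prefixes.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's published Service Tags JSON
# (assumption: in practice load the real "AzureCloud" prefixes from that file).
SERVICE_TAGS_JSON = """{"values": [{"name": "AzureCloud",
  "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:10::/48"]}}]}"""

# Constructed Entra ID sign-in records using Microsoft Graph signIn field names.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.45",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.200",
     "appDisplayName": "Azure Virtual Desktop Client", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.7",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.9",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
]

# Azure-hosted applications the organisation has documented as expected (assumed name).
KNOWN_AZURE_APPS = {"Azure Virtual Desktop Client"}


def load_azure_prefixes(service_tags_json):
    """Return the AzureCloud address prefixes as ip_network objects (IPv4 and IPv6)."""
    nets = []
    for tag in json.loads(service_tags_json)["values"]:
        if tag["name"] == "AzureCloud":
            nets.extend(ipaddress.ip_network(p) for p in tag["properties"]["addressPrefixes"])
    return nets


def is_azure_ip(ip, nets):
    """True when the sign-in source address falls inside any Azure prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)  # mismatched IP versions compare False


def detect_aitm_signins(sign_ins, nets, known_apps):
    """Emulate RULE-1145: successful sign-ins from Azure ranges, excluding documented Azure apps."""
    alerts = []
    for s in sign_ins:
        if s["status"]["errorCode"] != 0:
            continue  # a failed sign-in yields no session token for an attacker to replay
        if not is_azure_ip(s["ipAddress"], nets):
            continue
        if s["appDisplayName"] in known_apps:
            continue  # documented Azure-based service: suppress to avoid a false positive
        alerts.append(s["userPrincipalName"])
    return alerts
```

Of the four constructed records only alice's sign-in is flagged: bob's comes through a documented Azure-based app, carol's failed, and dave's source address is outside the Azure prefixes.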