
AITM Attack Detected via CloudFlare Infrastructure [RULE-1143]

This rule detects Adversary-in-the-Middle (AITM) phishing attacks targeting your Entra ID accounts. It triggers when a successful sign-in is recorded from an IP address belonging to CloudFlare, which is commonly used to host AITM phishing proxy infrastructure such as CloudFlare Workers.

Rationale

AITM phishing is one of the most dangerous modern attack techniques because it bypasses multi-factor authentication (MFA). Unlike traditional phishing that only captures a username and password, an AITM attack uses a reverse proxy server positioned between the victim and the legitimate Microsoft sign-in page. When a user enters their credentials on the phishing page, the reverse proxy forwards them in real time to Microsoft, completes the MFA challenge on the user's behalf, and then intercepts the resulting session token. The attacker can then replay this stolen session token to gain full access to the account without needing the password or MFA again.

CloudFlare services, particularly CloudFlare Workers, are frequently abused by threat actors to host these AITM phishing panels. Because it is the reverse proxy, not the victim's device, that actually authenticates to Microsoft, the resulting sign-in is recorded from the proxy's CloudFlare IP address. A successful login originating from a CloudFlare IP address is therefore a strong indicator that an account has been compromised through an AITM phishing attack.

This detection is mapped to MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle) and T1539 (Steal Web Session Cookie). Early detection is critical because attackers typically move quickly after obtaining a session token, registering new MFA methods, creating inbox rules, or launching further phishing campaigns from the compromised account.

Follow-up

Follow these steps to adequately address this detection:

  1. Verify whether the sign-in activity was performed by the legitimate account owner. Contact the user to confirm whether they recognize the login attempt and whether they recently clicked on any suspicious links.

    • If no: The sign-in is likely the result of an AITM phishing attack. Take the following containment steps immediately:

      1. Block the affected account in Microsoft Entra ID to prevent further unauthorized access.
      2. Revoke all active sessions for the user at https://entra.microsoft.com to invalidate the stolen session token.
      3. Reset the user's password and review their registered authentication methods for any newly added methods that may have been registered by the attacker.
      4. Investigate the account's activity since the time of the suspicious login using the Unified Audit Log at https://security.microsoft.com/auditlogsearch. Look for newly created inbox rules, application consent grants, email forwarding changes, or lateral phishing activity. If the scope of the compromise is unclear, consider engaging the Attic IR team for further investigation. An IR Credit Pack is required for this service.

    • If yes: The user confirms they performed the sign-in, possibly while using a VPN or cloud-based service that routes traffic through CloudFlare:

      1. Verify whether the organization uses services or VPN solutions that route traffic through CloudFlare IP addresses, which could explain the detection.
      2. If the activity is confirmed as legitimate and expected, close the incident. Consider documenting the known CloudFlare usage to prevent future false positives.
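As an added example (not code from the rule or its vendor), the following shows the detection logic described in the Rationale together with the documented-CloudFlare-usage allowlist from step 2 above, run over constructed sign-in records. The CloudFlare prefixes are a snapshot subset of Cloudflare's published IPv4 list, the allowlist range and the record field names are assumptions.

```python
import ipaddress

# Snapshot subset of Cloudflare's published IPv4 prefixes
# (https://www.cloudflare.com/ips-v4). A real deployment must fetch and
# refresh the full, current list rather than hard-coding it.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17", "141.101.64.0/18",
)]

# Assumed: egress the organisation has documented as legitimately routing
# through CloudFlare (e.g. a corporate VPN), as suggested in follow-up step 2.
KNOWN_GOOD_EGRESS = [ipaddress.ip_network("172.64.10.0/24")]

# Constructed sign-in records modelled on Entra ID sign-in log fields;
# errorCode 0 denotes a successful sign-in.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "104.18.2.7",   "errorCode": 0},
    {"userPrincipalName": "bob@example.com",   "ipAddress": "104.18.2.8",   "errorCode": 50126},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.5",  "errorCode": 0},
    {"userPrincipalName": "dave@example.com",  "ipAddress": "172.64.10.33", "errorCode": 0},
]


def in_any(ip, networks):
    return any(ip in net for net in networks)


def is_cloudflare(ip_str):
    """True if the string is a valid IP inside the CloudFlare snapshot."""
    try:
        return in_any(ipaddress.ip_address(ip_str), CLOUDFLARE_V4)
    except ValueError:
        return False  # malformed address: not attributable to CloudFlare


def detect_aitm_signins(signins, allowlist=KNOWN_GOOD_EGRESS):
    """Return (UPN, IP) pairs for successful sign-ins from CloudFlare space
    that are not covered by the documented-egress allowlist."""
    hits = []
    for rec in signins:
        if rec["errorCode"] != 0:
            continue  # a failed attempt does not indicate a replayed session
        try:
            ip = ipaddress.ip_address(rec["ipAddress"])
        except ValueError:
            continue
        if in_any(ip, allowlist):
            continue  # known legitimate CloudFlare-routed egress
        if in_any(ip, CLOUDFLARE_V4):
            hits.append((rec["userPrincipalName"], rec["ipAddress"]))
    return hits


if __name__ == "__main__":
    for upn, ip in detect_aitm_signins(SAMPLE_SIGNINS):
        print(f"RULE-1143: successful sign-in for {upn} from CloudFlare IP {ip}")
```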

More information