AITM Attack Detected via Known Phishing IP (didsomeoneclone.me) [RULE-1144]
This rule detects Adversary-in-the-Middle (AITM) phishing attacks targeting your Entra ID accounts. It triggers when a successful sign-in is recorded from an IP address that has been classified as a known AITM phishing IP address by the threat intelligence service didsomeoneclone.me.
Rationale
AITM phishing is one of the most dangerous modern attack techniques because it bypasses multi-factor authentication (MFA). In an AITM attack, a reverse proxy server is positioned between the victim and the legitimate Microsoft sign-in page. When a user enters their credentials on the phishing page, the proxy forwards them in real time to Microsoft, completes the MFA challenge, and intercepts the resulting session token. The attacker can then replay this stolen session token to gain full access to the account without needing the password or MFA again.
The service didsomeoneclone.me maintains a continuously updated database of IP addresses that have been observed hosting AITM phishing infrastructure. These IP addresses have been confirmed to have previously served phishing panels designed to intercept credentials and session tokens. A successful login from such an IP address is a high-confidence indicator that the account has been targeted by an AITM phishing attack.
This detection is mapped to MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle) and T1539 (Steal Web Session Cookie). Because the IP addresses in this feed have been independently verified as malicious, this detection carries a high degree of confidence. Immediate action is recommended, as attackers typically move quickly after obtaining a session token to establish persistence, exfiltrate data, or launch further attacks.
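The matching logic behind this rule, as an added illustration rather than the vendor's own implementation: it joins Entra ID sign-in records (shaped like Microsoft Graph signIn objects, with status.errorCode 0 meaning success) against a feed of AITM IPs and raises an alert only for successful sign-ins. The feed format (bare IPs and CIDR ranges) and all sample data are constructed assumptions, not the real didsomeoneclone.me data.

```python
import ipaddress

# Constructed sample feed (NOT the real didsomeoneclone.me data). Assumes the
# feed mixes single IPs and CIDR ranges, with '#' comment lines.
SAMPLE_AITM_FEED = ["# constructed feed", "203.0.113.7", "198.51.100.0/24"]

# Constructed Entra ID sign-in records, shaped like Graph signIn objects.
# errorCode 0 == success; 50126 == invalid username or password.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:02:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.42", "status": {"errorCode": 50126}},  # failed, no alert
    {"createdDateTime": "2024-05-01T08:03:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.42", "status": {"errorCode": 0}},      # inside the /24
    {"createdDateTime": "2024-05-01T08:04:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "192.0.2.10", "status": {"errorCode": 0}},         # not in feed
]


def load_feed(entries):
    """Parse feed lines into network objects; a bare IP becomes a /32 (or /128)."""
    nets = []
    for line in entries:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_known_aitm_ip(ip, nets):
    """True when the sign-in IP falls inside any feed entry (IPv4/IPv6 kept separate)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect_aitm_signins(signins, feed_entries):
    """Return one alert per successful sign-in from a known AITM phishing IP."""
    nets = load_feed(feed_entries)
    alerts = []
    for record in signins:
        if record.get("status", {}).get("errorCode") != 0:
            continue  # failed sign-ins do not indicate a captured session token
        if is_known_aitm_ip(record["ipAddress"], nets):
            alerts.append({
                "rule": "RULE-1144",
                "user": record["userPrincipalName"],
                "ip": record["ipAddress"],
                "time": record["createdDateTime"],
                "mitre": ["T1557", "T1539"],
            })
    return alerts
```

Running `detect_aitm_signins(SAMPLE_SIGNINS, SAMPLE_AITM_FEED)` yields two alerts (alice and carol); bob's failed sign-in from the same /24 is deliberately ignored.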
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the sign-in activity was performed by the legitimate account owner. Contact the user to confirm whether they recognize the login attempt and whether they recently clicked on any suspicious links.
- If no: The sign-in is almost certainly the result of an AITM phishing attack, given that the IP address is a known phishing proxy. Take the following containment steps immediately:
  - Block the affected account in Microsoft Entra ID to prevent further unauthorized access.
  - Revoke all active sessions for the user at https://entra.microsoft.com to invalidate the stolen session token.
  - Reset the user's password and review their registered authentication methods for any newly added methods that may have been registered by the attacker.
  - Investigate the account's activity since the time of the suspicious login using the Unified Audit Log at https://security.microsoft.com/auditlogsearch. Look for newly created inbox rules, application consent grants, email forwarding changes, or lateral phishing activity. If the scope of the compromise is unclear, consider engaging the Attic IR team for further investigation. An IR Credit Pack is required for this service.
- If yes: The user confirms they performed the sign-in:
  - Investigate why the user's traffic was routed through a known phishing IP address. This could indicate a compromised network, a malicious browser extension, or a man-in-the-browser attack. Treat this situation with caution.
  - If after thorough investigation the activity can be explained by legitimate circumstances, close the incident and document the findings.