AITM Attack Detected via Suspicious User Agent Pattern [RULE-1150]
This rule detects Adversary-in-the-Middle (AITM) phishing attacks targeting your Entra ID accounts. It triggers when a sign-in attempt is recorded using a User Agent string that matches patterns known to be associated with AITM phishing platforms. Both successful and attempted logins are flagged by this rule.
Rationale
AITM phishing is one of the most dangerous modern attack techniques because it bypasses multi-factor authentication (MFA). In an AITM attack, a reverse proxy server is positioned between the victim and the legitimate Microsoft sign-in page. When a user enters their credentials on the phishing page, the proxy forwards them in real time to Microsoft, completes the MFA challenge, and intercepts the resulting session token. The attacker can then replay this stolen session token to gain full access to the account without needing the password or MFA again.
AITM phishing platforms such as Evilginx, Modlishka, and similar toolkits generate distinct User Agent patterns when proxying authentication requests to Microsoft. These patterns differ from those of legitimate browsers because the phishing proxy software modifies or generates its own User Agent strings during the authentication relay process. By detecting these characteristic User Agent patterns in sign-in logs, this rule can identify AITM attacks regardless of the IP address or hosting infrastructure used by the attacker.
This detection is mapped to MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle) and T1539 (Steal Web Session Cookie). User Agent-based detection provides an additional layer of defense that complements IP-based detection rules, as it can catch attacks originating from IP addresses that have not yet been classified as malicious. Immediate action is recommended for successful logins, as attackers typically move quickly to establish persistence and exfiltrate data.
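As an added illustration, not the vendor's rule logic (which this page does not reproduce), the following Python script shows the shape of the detection: each sign-in record is compared against a list of User Agent patterns, both successful and failed sign-ins produce an alert, successful ones sort first for triage, and a per-user documented exception suppresses a pattern that an earlier investigation confirmed as benign. The two User Agent patterns, the allowlist entry and the five sign-in records are constructed placeholders for this example; the field names follow the Entra ID SigninLogs table as it appears in Microsoft Sentinel.

```python
import json
import re
from dataclasses import dataclass

# Placeholder patterns, constructed for this example. The rule's real curated list of
# AITM-associated User Agent patterns is not reproduced on the page and is not shown
# here; an analyst would substitute it for these two entries.
AITM_USER_AGENT_PATTERNS = [
    re.compile(r"^ExampleAitmProxy/\d+\.\d+$", re.IGNORECASE),
    re.compile(r"\bHypotheticalRelayKit\b", re.IGNORECASE),
]

# Documented exceptions from earlier investigations (the follow-up's "document the
# finding" step): user -> the exact User Agent that user confirmed as legitimate.
ALLOWLIST = {
    "svc-monitor@example.com": "HypotheticalRelayKit synthetic-probe/1.0",
}

MITRE_TECHNIQUES = ("T1557", "T1539")


@dataclass(frozen=True)
class Alert:
    rule_id: str
    time: str
    user: str
    ip: str
    user_agent: str
    outcome: str          # "success" (ResultType 0) or "attempt" (any failure code)
    matched_pattern: str
    techniques: tuple = MITRE_TECHNIQUES


def match_aitm_pattern(user_agent):
    """Return the first pattern that matches the User Agent, or None."""
    for pattern in AITM_USER_AGENT_PATTERNS:
        if pattern.search(user_agent):
            return pattern.pattern
    return None


def is_documented_exception(user, user_agent):
    """True only for the exact per-user User Agent recorded after a confirmed benign finding."""
    return ALLOWLIST.get(user) == user_agent


def evaluate_signins(records):
    """Apply the rule to SigninLogs-style records; successful logins sort first for triage."""
    alerts = []
    for rec in records:
        ua = rec.get("UserAgent") or ""          # the field can be null in real logs
        matched = match_aitm_pattern(ua)
        if matched is None:
            continue
        user = rec.get("UserPrincipalName", "")
        if is_documented_exception(user, ua):
            continue
        # Sentinel stores ResultType as a string; Graph's status.errorCode is an int.
        outcome = "success" if str(rec.get("ResultType", "")) == "0" else "attempt"
        alerts.append(Alert(
            rule_id="RULE-1150", time=rec.get("TimeGenerated", ""), user=user,
            ip=rec.get("IPAddress", ""), user_agent=ua, outcome=outcome,
            matched_pattern=matched,
        ))
    alerts.sort(key=lambda a: (a.outcome != "success", a.time))
    return alerts


# Constructed sample sign-in events (NDJSON), not real telemetry. Addresses come from
# documentation ranges; the suspicious User Agents are the placeholders defined above.
SAMPLE_LOG = """
{"TimeGenerated":"2024-05-01T08:00:00Z","UserPrincipalName":"a.lee@example.com","IPAddress":"198.51.100.7","ResultType":"0","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"}
{"TimeGenerated":"2024-05-01T08:05:00Z","UserPrincipalName":"j.doe@example.com","IPAddress":"203.0.113.10","ResultType":"50126","UserAgent":"ExampleAitmProxy/1.2"}
{"TimeGenerated":"2024-05-01T08:05:30Z","UserPrincipalName":"j.doe@example.com","IPAddress":"203.0.113.10","ResultType":"0","UserAgent":"ExampleAitmProxy/1.2"}
{"TimeGenerated":"2024-05-01T08:10:00Z","UserPrincipalName":"svc-monitor@example.com","IPAddress":"192.0.2.25","ResultType":"0","UserAgent":"HypotheticalRelayKit synthetic-probe/1.0"}
{"TimeGenerated":"2024-05-01T08:12:00Z","UserPrincipalName":"m.ng@example.com","IPAddress":"192.0.2.40","ResultType":"0","UserAgent":null}
""".strip()


def load_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_example():
    """Run the rule over the constructed sample log and return the resulting alerts."""
    return evaluate_signins(load_ndjson(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a.rule_id}] {a.outcome:7} {a.time} {a.user} {a.ip} UA={a.user_agent!r} "
              f"pattern={a.matched_pattern} techniques={','.join(a.techniques)}")
```

On the sample log this yields two alerts for j.doe@example.com from the same address, the successful sign-in listed ahead of the failed attempt that preceded it by thirty seconds; the service account's sign-in is suppressed only because its User Agent matches the documented exception exactly, and the record with a null User Agent is skipped rather than crashing the rule. Exceptions are keyed to a single user and an exact string on purpose: a broad pattern-level allowlist would silence the very signal the rule depends on.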
Follow-up
Follow these steps to adequately address this detection:
- Verify whether the sign-in activity was performed by the legitimate account owner. Contact the user to confirm whether they recognize the login attempt and whether they recently clicked on any suspicious links. Pay close attention to the User Agent string reported in the alert details.
- If no: The sign-in is likely the result of an AITM phishing attack. Take the following containment steps immediately:
  - Block the affected account in Microsoft Entra ID to prevent further unauthorized access.
  - Revoke all active sessions for the user at https://entra.microsoft.com to invalidate the stolen session token.
  - Reset the user's password and review their registered authentication methods for any newly added methods that may have been registered by the attacker.
  - Investigate the account's activity since the time of the suspicious login using the Unified Audit Log at https://security.microsoft.com/auditlogsearch. Look for newly created inbox rules, application consent grants, email forwarding changes, or lateral phishing activity. If the scope of the compromise is unclear, consider engaging the Attic IR team for further investigation. An IR Credit Pack is required for this service.
- If yes: The user confirms they performed the sign-in:
  - Investigate the source of the unusual User Agent string. This could be caused by a non-standard browser, an automated tool, or a browser extension that modifies the User Agent. Verify whether the reported User Agent matches the software the user was actually using.
  - If the activity is confirmed as legitimate and the User Agent pattern can be explained, close the incident. Consider documenting the finding to prevent future false positives.