AiTM Clone Detection and Mitigation [CHK-1102]
Attic safeguards Microsoft 365 from Adversary-in-the-Middle (AiTM) attacks using the didsomeoneclone.me platform. This is done through two checks, CHK-1102 and CHK-1103, which detect and mitigate clone attacks respectively.
Rationale
AiTM attacks are primarily used to bypass multi-factor authentication (MFA). Attackers lure victims to a malicious URL that displays a real-time clone of the legitimate Microsoft login page. The clone acts as a conduit between Microsoft and the victim: everything the victim enters passes through it, so the attacker can copy the entered data and take over the victim's identity.
Fix
An automated fix is available through Attic: the fix is offered as a ticket in Attic, which you can then accept.
To fix it yourself:
For CHK-1102 - Contact your Attic operator to enable the Clone Detection feature for your environment.
For CHK-1103 - This is a premium feature, available only to users of Attic for Microsoft 365 Premium. Contact your Attic operator to enable the Clone Mitigation feature for your environment.
Impact
Once clone detection (CHK-1102) is enabled, an alarm will trigger if an employee visits a clone of the Microsoft login page. With clone mitigation (CHK-1103), the visitor of a clone is shown a visible warning with the urgent advice not to enter a password.
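The following is an added illustration of the two behaviours described above (an alarm for detection, a visible warning for mitigation); it is not Attic's or didsomeoneclone.me's code and says nothing about how their platform works internally. It assumes a script embedded in the legitimate login page can see the origin it is actually rendered from, which is what an AiTM proxy changes when it relays the real page through its own domain. The list of expected Microsoft login hosts and the collector URL are assumptions made for the example.

```javascript
// Added example (not Attic's or didsomeoneclone.me's code): hostname-based
// detection of a relayed login page, an alarm payload for the detection case
// and a warning banner for the mitigation case.

// Hosts on which the genuine Microsoft login page is legitimately served.
// Assumed list for this example; extend it for sovereign clouds if needed.
const EXPECTED_LOGIN_HOSTS = [
  "login.microsoftonline.com",
  "login.microsoft.com",
  "login.live.com",
];

// Detection: true when the page is rendered from an origin that is not one of
// the expected login hosts. Comparison is case-insensitive and ignores a
// trailing dot (absolute DNS name). Subdomain tricks such as
// "login.microsoftonline.com.evil.example" do not match because the list is
// matched exactly, not by suffix.
function isUnexpectedHost(hostname, allowed = EXPECTED_LOGIN_HOSTS) {
  const h = String(hostname).toLowerCase().replace(/\.$/, "");
  return !allowed.includes(h);
}

// Alarm payload for the detection case (CHK-1102). Only the observed origin and
// time are reported; no credentials are read or forwarded.
function buildAlarm(hostname, now = new Date()) {
  return {
    check: "CHK-1102",
    event: "login-page-clone-suspected",
    observedHost: hostname,
    observedAt: now.toISOString(),
  };
}

// Warning text for the mitigation case (CHK-1103).
function buildWarning(hostname) {
  return (
    `Warning: this page is served from "${hostname}", not from Microsoft. ` +
    "It may be a clone of the Microsoft login page. Do not enter your password."
  );
}

// Browser-only wiring. Guarded so the file also loads outside a browser
// (returns null there). The collector URL is a hypothetical placeholder.
function runInBrowser(reportUrl = "https://collector.example.invalid/alarm") {
  if (typeof window === "undefined" || typeof document === "undefined") return null;
  const host = window.location.hostname;
  if (!isUnexpectedHost(host)) return null;

  const alarm = buildAlarm(host);
  // Fire-and-forget report; keepalive lets it complete even if the page unloads.
  if (typeof fetch === "function") {
    fetch(reportUrl, { method: "POST", body: JSON.stringify(alarm), keepalive: true })
      .catch(() => {});
  }

  // Visible warning at the top of the page.
  const banner = document.createElement("div");
  banner.setAttribute("role", "alert");
  banner.textContent = buildWarning(host);
  banner.style.cssText =
    "position:fixed;top:0;left:0;right:0;padding:16px;background:#b00020;" +
    "color:#fff;font:16px sans-serif;z-index:2147483647";
  document.body.prepend(banner);

  // Enforce the advice rather than only displaying it.
  for (const input of document.querySelectorAll('input[type="password"]')) {
    input.disabled = true;
  }
  return alarm;
}

runInBrowser();
```

The check is only as strong as the attacker's willingness to relay the page unmodified: a proxy that strips or rewrites the script defeats it, which is why the detection signal should also be monitored server-side rather than trusted solely in the browser. Treat the alarm payload as the event a SOC would correlate with sign-in logs for the same user.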