
Microsoft365 Portal Clone Detected [CHK-1158]

This alert indicates the detection of a clone of the Microsoft365 login page, potentially signifying an Adversary-in-the-Middle (AiTM) attack. Immediate action is required to protect the affected employee's account.

The detection notifies you that a user visited an AiTM site, but it does not tell you which user. Use proxy or EDR logging to find the specific user who visited the malicious site.

Rationale

AiTM attacks are a common method used to bypass multi-factor authentication (MFA). The attacker lures the victim to a malicious URL that displays a real-time clone of the legitimate Microsoft login page. This clone acts as a conduit for information between Microsoft and the victim, allowing the attacker to copy the entered data and potentially take over the victim's identity.

Fix

To fix it yourself:

  1. Investigate the clone detection using the details in the alert.
  2. Check the sign-in log in Entra ID for suspicious login attempts around the time of detection to identify the user: https://entra.microsoft.com/admin/identity-governance/sign-ins
  3. Check web browser logs, such as Defender DeviceNetworkEvents, to determine who visited the phishing site. https://security.microsoft.com/deviceevents
  4. If you have identified the user, follow the steps below. If you do not see any suspicious login attempts, the victim likely did not enter credentials. Verify this with the user.
  5. Reset the user's password.
  6. Remove logged-in user sessions.
  7. Inform the victim.
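For step 3, an Advanced Hunting query over Defender's DeviceNetworkEvents table is one way to find the device and account that reached the cloned page. This is an added example, not part of the original alert text; the phishing domain and detection time are constructed placeholders that you replace with the values from the alert.

```kql
// Added example: identify who contacted the cloned Microsoft 365 login page.
// Both values below are placeholders; take the real ones from the alert details.
let phishDomain = "aitm-clone.example";        // placeholder domain from the alert
let detectedAt  = datetime(2024-01-01 12:00);   // placeholder detection time
// Look one hour either side of the detection to allow for clock and reporting lag.
DeviceNetworkEvents
| where Timestamp between ((detectedAt - 1h) .. (detectedAt + 1h))
| where RemoteUrl has phishDomain
| project Timestamp, DeviceName, InitiatingProcessAccountUpn,
          InitiatingProcessFileName, RemoteUrl, RemoteIP, ActionType
| order by Timestamp asc
```

Each row names the device and the signed-in account (InitiatingProcessAccountUpn) whose browser connected to the clone; those accounts are the ones to check in the Entra ID sign-in log in step 2 before moving on to the remediation steps.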

If you need help with these steps, the Attic IR team can perform them for you. For this, you will need an IR Strippenkaart.

Impact

Taking these steps will prevent the attacker from gaining further access to the victim's account and will protect the integrity of your organization's data.

More Information

For more details, refer to the following resources: