Attack Disruption: Live Demo

  • Published: 4 Jan 2025

Comments • 4

  • @delefagbemi6335
    @delefagbemi6335 15 days ago

    Dope!

  • @Daniel-n7b7d
    @Daniel-n7b7d 15 days ago

    I'm unclear here, how did the MFA prompt come up? They won't have access to our tenant and the MFA (Passwordless) is added to the Authenticator, so creating that secure link to our tenant. If a user clicks on the link and then authenticates, how is that somehow making the MFA work? I'm confused... Also, forwarding is globally disabled? I see what you're trying to show here but not sure if this is possible if you're on the new Authentication Strengths and email forwarding is disabled and PIM implemented.

    • @AllShowDE
      @AllShowDE 15 days ago +1

      With the AiTM Phishing as shown here, the whole login is in real time. The login occurs on the attacker's side and the frontend you see as the user is just proxied.
      You send the user + pass to the AiTM infrastructure, which is in real time logging in. When MFA is enforced, this will also be proxied back to you to perform.
      Imagine performing a real sign in on your device and the attacker steals the cookie from your browser - now think the other way around, you are signing in on the attacker's machine.
      As seen in this video, MFA via Authenticator (incl. number matching) works. The user receives a real push notification and logs in as usual, afaik this would be the same for passwordless with Authenticator (just without the password step).
      Since the login happens on the attacker's infrastructure, the attacker can save the session token. This enables reusing the token/session as shown.
      To combat AiTM, I would recommend using Phishing resistant MFA - which would need to be enforced via Conditional Access & Authentication Strength.
      You could also enforce a Joined/Compliant device, which the attacker can't match.
      AiTM (as of now) does not work with FIDO2. You can't authenticate with your enrolled FIDO2 Entra ID credential to a third party website, since the domain/server (login.microsoftonline.com) is verified before each authentication attempt.
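
The origin binding the comment above refers to is something a relying party can check itself. The following is an added example, not code from the video or from the commenter: it implements the relying-party side of a WebAuthn assertion check for the two fields that defeat a proxied login, the `origin` in `clientDataJSON` and the `rpIdHash` in `authenticatorData`. The RP ID, allowed origins, challenge and the phishing-looking origin `https://login.example-phish.test` are all constructed values for the example; signature verification over the authenticator data is deliberately left out so the origin-binding logic stays visible.

```python
import base64
import hashlib
import json

# Relying-party configuration (assumed values for this example).
RP_ID = "login.microsoftonline.com"
ALLOWED_ORIGINS = {"https://login.microsoftonline.com"}

# WebAuthn authenticatorData flag bits (from the W3C spec).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """Build the clientDataJSON a browser fills in for the page it is actually on.

    Constructed for this example: in a real flow the browser, not the RP, writes
    this structure, and it records the origin the user's browser is talking to.
    """
    client_data = {
        "type": typ,
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }
    return json.dumps(client_data).encode()


def make_authenticator_data(rp_id: str, flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED,
                            counter: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on an assertion before the signature is verified.

    Returns (accepted, reason). A login proxied through another domain fails the
    origin check because the browser wrote the proxy's origin into clientDataJSON.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin for this RP"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the configured RP ID"
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    # Signature verification over authenticatorData || sha256(clientDataJSON)
    # with the stored public key would follow here (omitted in this example).
    return True, "ok"


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Run the check for a direct login and for one proxied through another domain."""
    challenge = b"0123456789abcdef"  # constructed; real challenges are random per ceremony
    auth_data = make_authenticator_data(RP_ID)
    direct = verify_assertion_context(
        make_client_data("https://login.microsoftonline.com", challenge), auth_data, challenge)
    proxied = verify_assertion_context(
        make_client_data("https://login.example-phish.test", challenge), auth_data, challenge)
    return direct, proxied


if __name__ == "__main__":
    direct, proxied = demo()
    print("direct login:", direct)
    print("proxied login:", proxied)
```

The proxied case fails at the origin check even though the challenge and rpIdHash are intact, which is why a FIDO2 credential cannot be relayed the way a push approval can: the browser records where the user really is, and the relying party compares that against the origins it owns.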

    • @Daniel-n7b7d
      @Daniel-n7b7d 15 days ago +1

      @AllShowDE Ah nice one, I get it now, you log in and they hijack the token and then continue the journey as normal.
      We're definitely doing Compliant devices (some Hybrid) and we now removed network locations. Can't see us going FIDO2 but I can replace that with WHfB on compliant devices and Endpoint Security with a medium severity so if people get phished the device is placed in non-compliance and no access to the data until resolved...
      I'm trying my best to protect my customers but I feel it will be a never ending journey.
      Just want to say, thanks ❤❤ for this video, it really helped me!!!
      Damn I love my job!!!!