10-15 years ago or so I gave a presentation at a university lecture hall “On The Security of Systems and Applications”. One of the audience nearly sued me. Of course I ran a NAT hijack of that segment of the campus network. Of course I ran automatic MITM session hijack over that stream of data. Of course I had software automatically posting as captured users, on their own accounts, that “I should probably pay more attention during a security talk.” Opening the presentation by sending an e-mail to everyone present, from Bill Gates, containing a one trillion dollar signed PDF refund notice from Amazon. That… left a few jaws on the floor. But there were still people who couldn’t resist Facebook or Twitter while I presented. Come on, children. Be smarter. (These were not actually children.)
Does this attack work if the User is using their registered Microsoft Authenticator app as 2FA? When my MSA wants to check my identity they display a number on the screen and ask me to open my MS Authenticator app and click the corresponding number from the list on the screen in the Authenticator app. Seems to me this approach would foil this MITM attack?
It still works. The hacking tool is logging into the real m365 site in the background and grabs the session cookie when it's done. The user will see the Auth pop up on the app as usual, and click ok. So it doesn't matter which second factor is used, if the user is tricked, the exploit works.
@@cad4246 There is a new feature you can turn on which shows the location of the request; it won't match the user's, and a savvy user would realize that. Problem is, a savvy user won't be logging in to a fake site to begin with!
Only if you don't pay attention. The app will tell you the browser and location of the login request. This attack will make the request from the attacker's computer and you will find the mismatched information. However, the attacker also knows which city and browser you are using, and it is possible to proxy the request to try to keep it the same, so the only indication they cannot spoof is the IP address, so you will have to pay attention to that.
Surely Microsoft are issuing takedowns on the malicious domains? If so, how quickly are they able to react and create new ones? It would seem to me the effectiveness of this technique would reduce the more unlike the original domain it becomes.
The evilginx tool can be hosted on a private server by anyone, and they can register any domain they like for their phishing URLs. Microsoft Defender for Endpoint does generate alerts when a device connects to a site recognised as an ‘adversary in the middle’, but it’s a whack-a-mole approach where new domains aren’t identified and blocked right away.
Great video Elliot! I've set up Clarion and an instance of Evilginx to test this out. Clarion detects the malicious URL but I don't know how to change the CSS of the login page to display the warning, how did you manage to do that? Could you point me in the right direction? Also, can Clarion be used for production, I would like to set this up so users get warned when accessing a proxy page of the microsoft login.
We used a tool called CIPP to deploy it as an MSP, but from what I can see on Clarion’s GitHub guide, you go to the company branding setting in Entra ID and update the CSS there.
Literally the only times I click links in my email is after making a new account somewhere and after ordering something (when I'm not using Amazon). I ignore everything else
Can setting policies like Impossible travel detect and block sign-in attempts that occur from geographically distant locations within a timeframe that's impossible for normal travel ?
Don’t forget though that a user may sign in from their home, then VPN and/or Remote Desktop into another computer on a network in a different distant location, which could seem like impossible travel for a human but normal for internet traffic.
It might be worth considering having the MFA device location be tracked, but then there are other possible issues like privacy, and false positives locking you out too.
Yep, impossible travel alerts will be generated by these attacks if the user's company has Defender for Cloud Apps, and conditional access policies that block the attackers' countries will stop it as well. Attackers can impersonate a victim's country with VPNs, so other methods need to be used to stop this. E.g. stricter conditional access policies with continuous access evaluation based on device compliance/allowed countries, phishing resistant MFA, identity risk policies etc.
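The impossible-travel check the last few comments discuss, written out as an added detection example that runs over a constructed sign-in log. This is not the logic of Defender for Cloud Apps or Entra ID, and the IP addresses, geolocations and the trusted-egress list are all invented for the example; it also shows the caveat raised above, excluding known corporate egress (NAT pools, Remote Desktop jump hosts) so a home-to-office hop is not flagged.

```python
# Added detection example for the impossible-travel discussion; it is not the
# logic of Defender for Cloud Apps or Entra ID. The sign-in log, IP addresses,
# geolocations and the trusted egress list below are all constructed.
import math
from datetime import datetime

# Stand-in for an IP geolocation lookup: ip -> (country, lat, lon)
GEO = {
    "203.0.113.10": ("AU", -33.87, 151.21),   # Sydney office
    "198.51.100.7": ("NL", 52.37, 4.90),      # Amsterdam VPN exit
    "192.0.2.44":   ("AU", -37.81, 144.96),   # Melbourne RDP jump host egress
}
# Known corporate egress / jump hosts are excluded, which is the thread's point
# about NAT pools, Remote Desktop hops and carrier IPs looking like travel.
TRUSTED_EGRESS = {"192.0.2.44"}
MAX_KMH = 900.0   # anything faster than an airliner is flagged

# Constructed sign-in log: timestamp,user,ip,result
LOG = """\
2024-03-01T08:00:00Z,alice,203.0.113.10,success
2024-03-01T08:45:00Z,alice,198.51.100.7,success
2024-03-01T09:10:00Z,bob,203.0.113.10,success
2024-03-01T09:30:00Z,bob,192.0.2.44,success
2024-03-01T09:40:00Z,bob,198.51.100.7,failure
2024-03-01T11:00:00Z,alice,203.0.113.10,success
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse(log):
    """Successful sign-ins as (timestamp, user, ip), oldest first."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split(",")
        if result == "success":
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip))
    return sorted(events)


def impossible_travel(log, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for ts, user, ip in parse(log):
        prev = last.get(user)
        if prev and ip != prev[1] and ip not in TRUSTED_EGRESS and prev[1] not in TRUSTED_EGRESS:
            c1, lat1, lon1 = GEO[prev[1]]
            c2, lat2, lon2 = GEO[ip]
            hours = (ts - prev[0]).total_seconds() / 3600
            km = haversine_km(lat1, lon1, lat2, lon2)
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({"user": user, "at": ts.isoformat(), "from": (prev[1], c1),
                               "to": (ip, c2), "km": round(km), "kmh": round(kmh)})
        last[user] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(LOG):
        print(a)
```

Against this log only alice is flagged (Sydney to an Amsterdam VPN exit in 45 minutes, and back), while bob's hop through the Melbourne jump host is skipped. As the thread notes, an attacker who exits a VPN inside the victim's own country produces no such alert, which is why this is one layer and not the control.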
The cookie was generated on the attacker's device not the victim's. The victim is tricked into providing password and then completing mfa. Attacker is connecting to the real m365 themselves, pass through the password, and then just waits a moment for the user to do the MFA. The tool then outputs the cookie at the end for the attacker to use on the same device.
Firstly, great vid, thank you. Blocking countries is great...until the Bad Actor routes in via a domestic IP address, like we had recently. How about Phishing Resistant MFA?
This may be a dumb question and I'm missing the obvious, but how does this fake form know the user's cell phone number to send them the MFA code? Wouldn't the user's account already need to be compromised in order for the attacker to know the number? Or is it assumed that some other social engineering has taken place to acquire it?
The form does not know the user's details. The tool does the first part of the logon in the background. This triggers a real SMS to the user. The user gets the text and then they enter the code in the fake code screen. Now the hacker has the password and an actual live code good for 30 secs. Too easy. The problem remains dickheads clicking on fake links to begin with. Hard to protect people from themselves.
Thanks. So is this an actual login form from Microsoft just embedded into a fake website which then uses the malicious software to capture the keystrokes? @@Gebes
@@DeronSizemore that's right, the evilginx tool presents the actual Microsoft login screen to the user, but intercepts all information exchanged to and from Microsoft and the user, including the authentication cookie
Doesn't something like Microsoft Sentinel have the capability to force a reset of your password if it detects abnormal access to company resources (at least in Azure)?
Great information and easily digestible. Wouldn't a possible answer be to make six-digit 2FA codes single use? It's my understanding that 2FA codes (currently) rotate through an authentication algorithm on a 60s timeframe, but that's for a single-dimensional model. If each 60s timeslot was then vectored so the first request generated the "standard" 2FA, but immediately expired that token and algorithmically generated a new token, the attacker would not have the public/private key combo necessary to follow that sequence, so the stolen 2FA key would be denied as "already used". Only the owner of the public/private pair would know the next key in the sequence. Now granted, it would be a race condition between the attacker and authorized user at that point. To my thinking, that should plug all the holes? And yes, using a password manager for all of this would solve everything, but good luck getting Granny to sign on to that model...
The token is single use, but the tool is presenting the login information to Microsoft as the user logs in (that's how it knows the user's mobile number). Once the token is presented they get the cookie.
This was an obvious attack from the inception of how MFA is implemented and our current PKI-centric authentication models. I created a new protocol that came naturally from my semantic version control approach that utilizes Merkle DAGs/hypergraphs. My driving use case wasn't security, but the transactional nature of exchanging graphs was needed and the authn side of it is a natural layer on top of this transactionality. The mechanism works similarly to how today's sphincs algorithm works, and it has qualities of the double-ratchet mechanism used in signal's encryption protocol. Unfortunately, security people are pretty hoity toity and don't want to stick their head out of the box to make a lot of money. Let somebody else make all that money, right?!
How about doing the only thing that seems to work for companies like Microsoft/Google whitepapers? Don't rely on user URL recognition and mandate U2F with FIDO2 keys, which enforces URL signature by design? (For Microsoft Entra ID this required the advanced authentication package a few years ago.) Security awareness is cute for feel-good compliance but I have never seen it actually work in red teaming. It doesn't work at scale, as 1 employee in 10 000 spammed is enough to get a beachhead in a company (salary/dress code or more salacious company product info leak and you always get a few hundred people who will click no matter the training).
As an MSP we’ve got to work with our customers to roll out appropriate security measures. FIDO2 keys are an ideal solution and we use them internally, however the price, change of process, and trust in other MFA methods has been a barrier for some small businesses. Our approach to address attacks like these is to first remediate with low user impact changes on the services we manage for customers, and plan the roll out of higher user impact changes during customer meetings. While its effectiveness can be debated, security awareness training has its benefits - it’s requested by insurers here in Australia for Cyber Insurance and is part of the CIS Controls framework that we build our services around.
Don't click on any links in email from anyone. If you don't recognize the link, Google it to see if anyone else has had a problem. If not, type the URL into your browser manually.
At least you ended with what you should be recommending in today's day and age: FIDO credentials, hardware-bound passkeys (security keys like YubiKey) and zero trust. I think going passwordless should be a focus, with phishing-resistant MFA using both syncable and hardware-bound passkeys being the future.
That MFA implementation by Microsoft is really not up to par! Our system only allows an MFA code to be used once. Similar to how you can associate an IP address with a session, we can also record the 'timecode' (epoch % 30) for each account login. When a user successfully authenticates, we not only record their IP address but also the timecode. If there's already an authenticated session with that timecode, we reject the second attempt. Additionally, our system essentially creates a 'mutex' based on the email used. This means that if a second session with the same email is initiated, that request is blocked until the first authentication session is completed, ensuring that simultaneous logins are not possible. This provides a straightforward way to prevent a user from being authenticated twice using the same code...
You've missed the evil genius of how this software circumvents the MFA. The MFA code here is only used once, always from the attacker's IP address, and without delay; the user types it into a form that submits it to the attacker's software, and the attacker's software sends it on to Microsoft's login server only once without storing it. The magic happens when Microsoft's login server responds with the cookies that the customer's browser will use in the future, but they never reach the customer's browser (or IP address). They're kept by the attacker, and can be copied straight into the attacker's browser, still only in one place with the right IP address and timing. Instead of getting the cookies, the customer gets a redirect to the real Office home page. They were probably already logged in, so they don't notice anything going wrong.
@@CareyEvans but wouldn't 2 logins from different IPs but the same session ID be detected by Microsoft? I mean, 2 identical session IDs should not even be permitted??? It doesn't sound like it would be difficult to check for at Microsoft's end.
@@lynskyrd The customer's existing session ID cookies are safe and untouched; there's malware that steals them, but that's a completely different problem. The new session ID cookies from this attack never leave the attacker's control, so there's nothing Microsoft sees except an old session from the customer and a new session from the attacker.
The point of it is to demonstrate that a false URL attack would have been useless with MFA before, but now the false URL attack is a middle-man for getting a legitimate MFA token
The standard phishing attacks would just take your username and password, but if you had MFA, they wouldn’t be able to get in. These attacks are much more dangerous because they take the authenticated cookie and still work if the user has most forms of MFA enabled
We're using sign in risk policies with Entra ID P2 - if it detects a sign in from an anonymous IP it will prompt for a phishing resistant form of authentication (eg hardware key) or it will require that the device is intune compliant
@@mark33545 yep it’s a layered approach. When we’ve seen this attempted or executed successfully, the attackers were using vpns with anonymous IPs. You’re right that this won’t be the case for all however, and there might be very well be successful attacks that went undetected due to non-suspicious sign in properties. We’re constantly monitoring for other activities typical of these attackers, and the hope is we have enough layers to detect and block them early enough while we get phishing resistant MFA methods rolled out across our customers
Would enabling passwordless MFA alone be enough to solve this? Also, what are you seeing as their typical activities once in? I am considering rolling out TAPs so that I can require MFA for changing security info (but how long until their attack also works around that!) Do you think that would help? @@ElliotMunro
Yep I mention that at the very end. Ideally we’d have them deployed for everyone but the price and having to keep the key on you has been a barrier for many customers.
Passkeys would mitigate this while being free, no? I suppose then it's only as secure as the passkey storage. IIRC MS authenticator was adding support.
They proxy the Microsoft login screen, presenting it to the user via a fake url and intercepting the cookie and anything exchanged between the user and Microsoft on that page.
This requires the attacker's OAuth app to be authorised, doesn't it? If a tenancy only allows particular apps to be authorised then that's also a way of thwarting this attack.
How does a whitelist approach work when employees travel quite a bit for work/vacation? It doesn’t seem feasible for a large company. Placing someone on a different policy when they complain from their vacation destination isn’t practical.
Browsers should have some ID in the cookie. If the hackers try it with another browser it should fail because the ID does not match the one from the original browser that was used when trying to log on.
We’re going with a module a month on a different subject eg spotting phishing, clean-desk policy, don’t insert random usbs. Apparently it helps with retention but we’ll see how it goes.
@@ElliotMunro You must have some dumb users, quite frankly. 22 years supporting SMBs, non-techie people, and they know what phishing is, they never fall for it, and if they're unsure about something they forward it to me first.
@@ElliotMunro Also, with all of these "new subjects" that are probably enjoyable for you to teach to people, you risk overwhelming them, they won't retain any of it, they'll just freeze up and disregard it all. Keep it simple.
When the user authenticates their MFA, a cookie is created to store their login session. The script gives us the valid cookie so we can log in as them, bypassing the MFA.
Cookies are inherently unsecure and need to be replaced. What if websites displayed a QR code that has to be scanned by the user's phone, which was previously authenticated? Upon successful scanning of the QR code, the user completes login with biometric data from the phone's fingerprint reader or face scanner.
I don’t think it does a consistent job of it. We have safe links rolled out across all customers and are still receiving notifications of connections to these ‘adversary in the middle’ sites
No problem! The attacker is just relaying the actual Microsoft login page to the user via a fake URL and intercepting everything exchanged between the user and the login page, including the password from the user, and the authentication cookie returned by Microsoft after the user completes the MFA process.
Ironically if someone is using a keychain password manager to manage their 365 account it could be more secure as it will see that the url is incorrect and won’t fall for the trick. I’m not recommending that as a foolproof strategy though lol.
Microsoft's MFA implementation using their Authenticator app will prompt the user to input a two digit number that the website presents to the user. Compare that to your typical MFA where you have a rotating 6 digit code, or a push notification, which, if timed correctly, could allow a threat actor to build a fake web site to trick the user to input credentials followed by their authentication code that can be relayed to the actual web page for authentication and grabbing the cookie. However, as noted by others, password managers will not fill in credentials for unknown web sites. Now, back to Microsoft's MFA implementation where the web site presents a code: I'm not a big fan of Microsoft or being forced to use their authenticator app, but they did do something better than current implementations of MFA. Sure, a relay method can still be used if the threat actor could grab the code that the real web site is presenting to the user, then, in turn, present that on the fake web site, but it's more complicated.
I do wish to ask, for anyone that can help: at times I'm getting authentication codes in my Gmail as if someone has tried to log in to my account. Does that mean that my password is compromised?
One problem is using software that requires you to be online to use it. I have all my software on my own computer, and it's all 100% mine. The internet fails a lot in my area, and I don't want to be hindered in my work or play by lame software that I can't 100% own. I don't want MFA for anything. I just want to use my own passwords. I don't use a password manager as I'm perfectly capable of keeping a list of them. I'm the only one who can access my computer, and that computer is the only device I use.
Microsoft or anyone else could easily detect an IP change, so why not invalidate the session cookie upon an IP change? Yes, I get there are legitimate reasons an IP would change, but it seems like such a simple thing they could do, or at least give users the option: if there is an IP change, require reauthentication? Not to mention the user agent, all of it. Sure, the attacker could spoof that, but these seem like pretty basic things to me.
They more or less have this with Entra Continuous Access Evaluation, but it needs to be more nuanced as lots of businesses use multiple outbound IPs for NAT or proxy due to port exhaustion including mobile networks, so you have to use something broader like country or login risk.
What is the open source tool you are using? Clarion? Never heard of it and I can't find anything on Google. Could you please put a link to it in the description?
This only works because the user did not use a phishing-resistant form of 2FA ? If the user had used the MS Authenticator app (with push notification to the device), I presume this would not work.
Unfortunately this attack still works against Microsoft Authenticator with push notifications. I’ve seen a few videos testing it and it still steals the authenticated cookie
@@luckbeforeleap as far as I’ve seen/read, as long as the cookie has the valid authentication token in it Entra ID won’t do any additional checks by default to make sure it’s the same device or browser. Unless you’re using conditional access policies with continuous access evaluation to consistently check that you’re on a compliant device, trusted IP range, or allowed country etc
@@ElliotMunro You actually just answered my question, which was going to be what would happen if you had conditional access policies in place. Looks like I'll have to look into continuous access evaluation in my environment. Thanks for the great video mate.
Phishing-resistant not phishing proof. Just a question of automating the process so that the hacker automatically logs in while the user is being phished, relaying the MFA challenge realtime to the victim.
Why the devil in this day and age can’t we totally disable hyperlinks in emails?!!!? Force users to manually LOOK at the URL and copy it manually to their browser if they really want to click on it. Stop the "Oops, I didn’t mean to click that". But for some reason Gmail and others don’t give that option?
It is an ad but it's useful, as this has happened at work before. I knew how it worked in practice but it was nice to see the tools they actually use to do this.
Hmm, I think the first advice should be not to log on to pages which you have entered by clicking on a link in some email. Even more important would be not to click on links sent to you, but to enter the service from its main page.
So you're gonna go into a SharePoint from the main page and find a file among millions of other files? No. You're gonna click the link in the email notification from your internal team. C'mon.
Bad actors will try to use vpns in the victims country to get around location-based conditional access policies. Using an Entra ID identity risk policy that triggers on public vpns/anonymous ips, you can require that the user re-complete the MFA authentication, which the attacker won’t be able to do.
Surely there must be a solution to this... Something that will REALLY make the user suffer without disturbing hackers at all? Bonus points if it gives the company access to the user's DNA and bank account.
I disagree. It's at least defeating the purpose of MFA and giving bad actors access to the protected resources. True, it's not the same as breaking the MFA code itself, but the result is the same.
Password Managers have been thwarting this attack for THREE DECADES, because they don't confuse similar URLs.
Good point, a password manager and the user not knowing their password would be a good defence also.
@@ElliotMunro yes, or even if they know the password, let the password manager fill it in and do what it's made for. I do that all the time and it's saved me more than once because it actually reads the ASCII URL and isn't fooled by similar Unicode characters.
Paradoxically, if a user needs to log in on a different URL the password may not be auto-filled (i.e. logging in with a Google account to Google Play vs Gmail). In this case a user may search their password manager for their login and copy it into a potentially malicious page.
Yep! Based on my experience, I've seen some older people in my family use text files instead of password managers, so I imagine such people would still fall for phishing attacks.
@@kbhasi My dad uses sticky notes that he carries around. I keep telling him to use a password manager, but he either pretends he doesn't hear anything, or starts talking about how Face ID sends your face to the government, and how he wants to wear a face mask to stop it. At this point I gave up on him, and I don't care if he loses a password or gets something stolen because I warned him, and he didn't listen.
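The check the password-manager comments above rely on, written out as an added example (not the code of any real password manager): fill a saved login only when the page's origin is byte-for-byte the origin it was saved for, after converting the host to its ASCII (punycode) form so a Unicode lookalike cannot compare equal. The saved entry uses the normal Microsoft sign-in host; the lookalike and "subdomain trick" hosts are constructed for the example. The last case is the paradox raised above: a legitimate but different host is also refused, which is precisely when users start copying passwords by hand.

```python
# Added illustration of exact-origin autofill matching, the check a password
# manager performs before filling a saved login; it is not the code of any real
# manager. The saved login is the usual Microsoft sign-in host; the lookalike
# hosts are constructed for the example.
from urllib.parse import urlsplit

SAVED_LOGIN_URL = "https://login.microsoftonline.com/"


def canonical_origin(url):
    """(scheme, IDNA host, port). Converting the host to its ASCII (punycode)
    form means a Unicode lookalike can never compare equal to the ASCII host
    the entry was saved for."""
    parts = urlsplit(url)
    host = (parts.hostname or "").encode("idna").decode("ascii").lower()
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, host, port)


def autofill_allowed(saved_url, current_url):
    """Fill only when the page's origin is exactly the origin the entry was saved for."""
    return canonical_origin(saved_url) == canonical_origin(current_url)


# Constructed pages a user might land on; only the first should be filled.
CASES = {
    "same origin":     "https://login.microsoftonline.com/common/oauth2/authorize",
    "cyrillic o":      "https://login.micr\u043esoftonline.com/",         # 'о' is U+043E, not 'o'
    "subdomain trick": "https://login.microsoftonline.com.support-desk.example/",
    "http downgrade":  "http://login.microsoftonline.com/",
    "sibling host":    "https://login.live.com/",  # legitimate Microsoft host, still not filled
}


def evaluate(cases=CASES):
    return {name: autofill_allowed(SAVED_LOGIN_URL, url) for name, url in cases.items()}


if __name__ == "__main__":
    for name, url in CASES.items():
        print(f"{name:16} {canonical_origin(url)[1]:45} fill={autofill_allowed(SAVED_LOGIN_URL, url)}")
```

Printing the canonical host for the Cyrillic case shows the `xn--` label the thread mentions under "punycode domain names"; that is the string the manager actually compares, not the glyphs the user sees.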
Conditional Access policies that check client posture are huge in preventing this kind of attack, and are totally transparent, so no additional burden on the user.
Unfortunately, you can implement all the security in the world but if a user is duped into giving away access, there's not much you can do about it. Every organisation is different but securing systems is best achieved in layers. For M365, Conditional Access Policies is the way to go (i.e. MFA, device filtering, named locations, restrict access to only the users who require it, etc). Hackers look for the low hanging fruit and will move on to the next unsuspecting victim.
You can use Intune and Conditional Access, a policy that lets you connect only if your device is a corporate one.
So people are still clicking on links in unsolicited emails? You’d think by now that everyone would know not to do that.
Yes, because companies send their employees unsolicited emails which contain links that the employee needs to click to access online training, for instance. Thus making the employee's diligence a single point of failure and the only safeguard against attackers. I've been warning about this for years but to no avail.
That's a fair bit simplistic. Phishing has gotten very sophisticated. We regularly get hyper-specific phishing mails, like mentioning colleagues and topics tailored to the individual. Incorporating information from LinkedIn, publications, public repos etc. On first and second glance super real looking! Scary stuff. 99% is identified, but it takes one well crafted mail...
@@crangos Not just this, but if they ever manage to phish someone that you’ve emailed in the past, then they’ll phish you from someone you actually communicate or work with regularly. And they’ll even hijack existing legitimate email threads to get you to click on the link. Couple that with things like punycode domain names, zero-width fonts, and other techniques, and they can easily bypass most email security tools, the most diligent and security-educated users, and the whole nine yards.
Ummmm? You know people still smoke too, right?
It'll be right m8. It's never caused any problems before cobber. 🤣👍🇦🇺
was wondering momentarily why the Clarion repo stars surged yesterday 🤣
Thanks for the shoutout Elliot. One point of clarification: Clarion, by itself, doesn't render that cool warning CSS that you see in the demo video. That's an additional feature specific to CIPP which was developed by CIPP's maintainer.
Ah yes that explains it then. We deploy clarion via CIPP :) Thanks for the great tool!
CIPP is open source right? Is it possible for us to add that functionality to Clarion ourselves? I don't need CIPP because I am just a sysadmin, not an MSP but I want this feature.
🎉 great video. What about the Azure to Azure emailing using PowerShell and Microsoft Direct Send? Most environments aren’t preventing these. You could block hard fails for SPF, reject messages that aren’t encrypted using TLS, and some others.
It would require additional backend work for Microsoft, but the cookie or token that they issue out could contain the IP address that requested the token/cookie and they would have to validate that part during the Auth process that every request made matches the IP address from within the cookie or token.
It doesn’t work since IP addresses can change on mobile networks, for one example. IP geolocation can be effective though.
@@rezwhap that's true, I didn't think about phones. Maybe you can bypass it if you have the app, but still.
There are still bypasses to this even if you did it. The attacker would only need to proxy your login from their own IP and then they own the session, not you. MFA is good, but it isn’t foolproof. Passwordless (e.g., FIDO2) is the future.
Perhaps a country match check?
In this example the attacker is using their own IP to connect. The victim never connected to m365. They gave both authentication tokens to the attacker and the attacker passed them onto m365 to get the auth cookie.
This is why I don't even know the passwords I use. I store them in the browser and if the link doesn't match then I can't even enter the password if it's not saved.
And you store them in your browser? 🤔
@@AceOfRock Should be ok if encrypted with a primary password like Firefox does.
@@sofiedotcafe Hope your browser never ever loses track of its data like Firefox occasionally does after an auto update. I recommend backing up your profile from time to time, or using an add-on that syncs the data somewhere.
@@emurphy42 Yea, I mean, I use Firefox Sync but yeah.
Though, this does seem to happen on Linux?
@@sofiedotcafe At some point the password needs to be decrypted no? Or is it sent to the remote side encrypted? I don't think that it is. Would not be hard to pull that out of memory from a compromised system.
You would think that the two factor cookie would only be valid for one login attempt for that device, with that browser with that ip address. If two factor authentication is being used it already means something is unusual about the login.
All this cookie talk is making me hungry.
10-15 years ago or so I gave a presentation at a university lecture hall “On The Security of Systems and Applications”. One of the audience nearly sued me. Of course I ran a NAT hijack of that segment of the campus network. Of course I ran automatic MITM session hijack over that stream of data. Of course I had software automatically posting as captured users, on their own accounts, that “I should probably pay more attention during a security talk.”
Opening the presentation by sending an e-mail to everyone present, from Bill Gates, containing a one trillion dollar signed PDF refund notice from Amazon. That… left a few jaws on the floor. But there were still people who couldn’t resist Facebook or Twitter while I presented. Come on, children. Be smarter. (These were not actually children.)
Does this attack work if the User is using their registered Microsoft Authenticator app as 2FA? When my MSA wants to check my identity they display a number on the screen and ask me to open my MS Authenticator app and click the corresponding number from the list on the screen in the Authenticator app. Seems to me this approach would foil this MITM attack?
It still works. The hacking tool is logging into the real m365 site in the background and grabs the session cookie when it's done. The user will see the Auth pop up on the app as usual, and click ok. So it doesn't matter which second factor is used, if the user is tricked, the exploit works.
@@cad4246 there is a new feature you can turn on which shows the location of the request; it won't match the user and a savvy user would realize that. Problem is, a savvy user won't be logging in to a fake site to begin with!
Only if you don't pay attention. The app will tell you the browser and location of the login request. This attack will make the request from the attacker's computer and you will find the mismatched information. However, the attacker also knows which city and browser you are using and it is possible to proxy the request to try to keep it the same, so the only indication they cannot spoof is the IP address, so you will have to pay attention to that.
Fido/security keys/passkeys do provide safety in these circumstances
Surely Microsoft are issuing takedowns on the malicious domains? If so how quickly are they able to react and create new ones? Would seem to me the effectiveness of this technique would reduce the more unlike the original domain it becomes
One threat I encountered was being protected by Cloudflare captcha and proxy. Email scanner couldn't even scan the link to the bogus login domain.
The evilginx tool can be hosted on a private server by anyone, and they can register any domain they like for their phishing URLs. Microsoft’s Defender for Endpoint does generate alerts when a device connects to a site recognised as an ‘adversary in the middle’ but it’s a whack-a-mole approach where new domains aren’t identified and blocked right away.
Cloudflare doesn't take down malicious domains or malicious content in a timely manner. It's effectively up for a month even if it's reported.
I was surprised you didn't mention this is an "adversary in the middle" attack in the video. Takes me back to my CS days 25 years ago!
Why not encrypt the IP address or location info in the cookie and check if it matches the user's information?
I've bought many cookies, but I didn't know how the 2fa would get bypassed. Good video 👍
Great video Elliot!
I've set up Clarion and an instance of Evilginx to test this out. Clarion detects the malicious URL but I don't know how to change the CSS of the login page to display the warning, how did you manage to do that? Could you point me in the right direction? Also, can Clarion be used for production, I would like to set this up so users get warned when accessing a proxy page of the microsoft login.
We used a tool called CIPP to deploy it as an MSP, but from what I can see on Clarion’s GitHub guide, you go to the company branding setting in Entra ID and update the CSS there.
Does MS Defender and the Safe URL feature detect dodgy links? @@ElliotMunro
Thank you algorithm for this video. Liked and subbed!
Wonder how long until passkeys save us from this nightmare?
Literally the only times I click links in my email is after making a new account somewhere and after ordering something (when I'm not using Amazon). I ignore everything else
Can setting policies like Impossible travel detect and block sign-in attempts that occur from geographically distant locations within a timeframe that's impossible for normal travel ?
Don’t forget though that a user may sign in from their home, then VPN and/or Remote Desktop into another computer on a network in a different distant location, which could seem like impossible travel for a human but normal for internet traffic.
It might be worth considering having the MFA device location be tracked, but then there are other possible issues like privacy, and false positives locking you out too.
Yep, impossible travel alerts will be generated by these attacks if the user's company has Defender for Cloud Apps, and conditional access policies that block the attackers' countries will stop it as well. Attackers can impersonate a victim's country with VPNs, so other methods need to be used to stop this, e.g. stricter conditional access policies with continuous access evaluation based on device compliance/allowed countries, phishing resistant MFA, identity risk policies etc.
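An added example (Python, not from the video or any commenter) of the impossible-travel and anonymous-IP checks discussed in this thread, run over constructed sign-in records; the IPs, coordinates, the "anonymous" reputation flag and the known-egress allowlist (which covers the corporate VPN/RDP case raised above) are all assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed sign-in records (not real log data): a reduced version of the
# fields an identity provider's sign-in log exposes.
@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    anonymous: bool  # True when IP reputation marks the address as VPN/proxy/Tor


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    from_ip: str
    to_ip: str
    speed_kmh: float


MAX_SPEED_KMH = 900.0  # roughly airliner speed; anything faster is "impossible"

# Hypothetical corporate VPN/proxy egress addresses: a sign-in that lands on one
# of these is expected to jump location, so it is not flagged (false-positive
# suppression for the VPN / Remote Desktop case).
KNOWN_EGRESS = {"203.0.113.10"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events):
    """Return alerts for impossible travel between consecutive sign-ins of the
    same user, plus one alert per sign-in from an anonymous IP."""
    alerts = []
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip == cur.ip or {prev.ip, cur.ip} & KNOWN_EGRESS:
                continue
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours > 0:
                speed = dist / hours
            else:  # same timestamp: impossible unless the location is the same
                speed = math.inf if dist > 0 else 0.0
            if speed > MAX_SPEED_KMH:
                alerts.append(Alert(user, "impossible_travel", prev.ip, cur.ip, round(speed, 1)))
    for e in events:
        if e.anonymous and e.ip not in KNOWN_EGRESS:
            alerts.append(Alert(e.user, "anonymous_ip", e.ip, e.ip, 0.0))
    return alerts


T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
# Constructed sample: alice's MFA-completed session is replayed 40 minutes later
# from a VPN exit in Lagos; bob drives Sydney -> Melbourne; carol goes through
# the corporate egress (an allowlisted address) from London.
SAMPLE = [
    SignIn("alice", T0, "198.51.100.7", -33.8688, 151.2093, False),
    SignIn("alice", T0 + timedelta(minutes=40), "192.0.2.44", 6.5244, 3.3792, True),
    SignIn("bob", T0, "198.51.100.7", -33.8688, 151.2093, False),
    SignIn("bob", T0 + timedelta(hours=2), "198.51.100.99", -37.8136, 144.9631, False),
    SignIn("carol", T0, "198.51.100.7", -33.8688, 151.2093, False),
    SignIn("carol", T0 + timedelta(minutes=5), "203.0.113.10", 51.5072, -0.1276, False),
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"{a.user}: {a.reason} {a.from_ip} -> {a.to_ip} ({a.speed_kmh} km/h)")
```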
And so Microsoft doesn't have an IP geolocalization based protection in order to avoid this? I can remember a few services have it.
They do, it's called conditional access, but it doesn't take place until after authentication occurs.
Does the attacker need to login within the ~30-60s before that particular MFA number expires? or does the cookie persist beyond that
Why does a cookie work on another device? Seems it should be tied to the hardware
Or at least the IP address.
It's not easy to bind a cookie to hardware addresses. That's not only difficult but could cause a lot more sophisticated attacks.
The cookie was generated on the attacker's device not the victim's.
The victim is tricked into providing the password and then completing MFA. The attacker is connecting to the real m365 themselves, passes through the password, and then just waits a moment for the user to do the MFA.
The tool then outputs the cookie at the end for the attacker to use on the same device.
Firstly, great vid, thank you. Blocking countries is great...until the Bad Actor routes in via a domestic IP address, like we had recently. How about Phishing Resistant MFA?
This may be a dumb question and I'm missing the obvious, but how does this fake form know the user's cell phone number to send them the MFA code? Wouldn't the user's account already need to be compromised in order for the attacker to know the number? Or is it assumed that some other social engineering has taken place to acquire it?
When the actual login form gets the number returned then you get it too, when you mimic the flow in the phishing form.
The form does not know the user's details. The tool does the first part of the logon in the background.
This triggers a real SMS to the user.
The user gets the txt and then they enter the CODE in the fake CODE screen.
Now the hacker has the password and an actual live code good for 30 secs.
Too easy.
The problem remains dickheads clicking on fake links to begin with.
Hard to protect people from themselves.
@@Gebes probably the same way they can copy the branding etc
Thanks. So is this an actual login form from Microsoft just embedded into a fake website which then uses the malicious software to capture the keystrokes? @@Gebes
@@DeronSizemore that's right, the evilginx tool presents the actual Microsoft login screen to the user, but intercepts all information exchanged to and from Microsoft and the user, including the authentication cookie
Doesn't something like Microsoft Sentinel have the capability to force a reset of your password if it detects abnormal access to company resources (at least in Azure)?
What if the user never received a prompt to set up MFA? Can the hacker set up MFA for that user?
Hi, what's the link to the clarion tool? Thanks!
Thanks, interesting. Do passkeys help in this situation?
Yep passkeys would help prevent this attack
It comes down to URL obfuscation. Comes down to people not reading again, which has been a problem since the dawn of the computer age.
Why can’t they tie the session to a geolocation/IP? If the IP is completely different then invalidate the session.
In regards to AI tooling for phishing, what are you using?
Great information and easily digestible. Wouldn't a possible answer make six digit 2FA codes single use? It's my understanding that 2FA codes (currently) rotate through an authentication algorithm on a 60s timeframe, but that's for a single-dimensional model. If each 60s timeslot was then vectored so the first request generated the "standard" 2fa, but immediately expired that token and algorithmically generated a new token - the attacker would not have the public/private key combo necessary to follow that sequence, so the stolen 2FA key would be denied as "already used". Only the owner of the Public/Private pair would know the next key in the sequence. Now granted, it would be a race condition between the attacker and authorized user at that point. To my thinking, that should plug all the holes? And yes, using a password manager for all of this would solve everything, but good luck getting Granny to sign on to that model...
The token is single use, but the tool is presenting the login information to Microsoft as the user logs in (that's how it knows the user's mobile number). Once the token is presented they get the cookie.
So it starts when you click a fake login link disguised as a genuine email sender (Microsoft, Google, etc.)?
So is this possible at all without falling for a phishing link? we have users claiming they never clicked a link and we're seeing this.
Why are the cookies not bound to the client ip address?!
Thank you for your service!
This was an obvious attack from the inception of how MFA is implemented and our current PKI-centric authentication models. I created a new protocol that came naturally from my semantic version control approach that utilizes Merkle DAGs/hypergraphs. My driving use case wasn't security, but the transactional nature of exchanging graphs was needed and the authn side of it is a natural layer on top of this transactionality. The mechanism works similarly to how today's SPHINCS algorithm works, and it has qualities of the double-ratchet mechanism used in Signal's encryption protocol. Unfortunately, security people are pretty hoity toity and don't want to stick their head out of the box to make a lot of money. Let somebody else make all that money, right?!
Does this vulnerability still exist with an on-premises 2FA deployment?
How about doing the only thing that seems to work for companies like Microsoft/Google whitepapers? Don't rely on user URL recognition and mandate U2F with FIDO2 keys, which enforces URL signature by design? (For Microsoft Entra ID this required the advanced authentication package a few years ago.) Security awareness is cute for feel-good compliance but I have never seen it actually work in red teaming. It doesn't work at scale, as 1 employee in 10 000 spam is enough to get a beachhead in a company (salary/dress code or more salacious company product info leak and you always get a few hundred people who will click no matter the training).
As an MSP we’ve got to work with our customers to roll out appropriate security measures. FIDO2 keys are an ideal solution and we use them internally, however the price, change of process, and trust in other MFA methods has been a barrier for some small businesses. Our approach to address attacks like these is to first remediate with low user impact changes on the services we manage for customers, and plan the roll out of higher user impact changes during customer meetings. While its effectiveness can be debated, security awareness training has its benefits - it’s requested by insurers here in Australia for Cyber Insurance and is part of the CIS Controls framework that we build our services around.
idgi, so basically dont click sketchy links?
The whole point is that ppl don't realise the links are sketchy
Don't click on any links in email from anyone. If you don't recognize the link, Google it to see if anyone else has had a problem. If not, type the URL into your browser manually.
At least you ended with what you should be recommending in today's day and age: FIDO credentials, hardware bound passkeys (security keys like YubiKey) and zero trust. I think going passwordless should be a focus, with phishing resistant MFA by using both syncable & hardware bound passkeys being the future.
Allow list: if issue identified: block general region (for a while) & inform relevant region authority as to why.
?
Would using a hardware token not help here?
Where do I click on a false URL? In all instances I use a company installed icon. (Phone & computer)
I’ve been receiving, at least three times a week, requests to change the password for my Microsoft account.
That MFA implementation by Microsoft is really not up to par!
Our system only allows an MFA code to be used once. Similar to how you can associate an IP address with a session, we can also record the 'timecode' (epoch % 30) for each account login.
When a user successfully authenticates, we not only record their IP address but also the timecode.
If there's already an authenticated session with that timecode, we reject the second attempt. Additionally, our system essentially creates a 'mutex' based on the email used. This means that if a second session with the same email is initiated, that request is blocked until the first authentication session is completed, ensuring that simultaneous logins are not possible. This provides a straightforward way to prevent a user from being authenticated twice using the same code...
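The single-use code check this comment describes, as an added example (Python, not the commenter's system): RFC 6238 TOTP verification with replay protection keyed on the 30-second time-step counter, and a per-account lock standing in for the 'mutex' on the email. The seed and account names are constructed.

```python
import base64
import hashlib
import hmac
import struct
import threading
import time
from collections import defaultdict
from typing import Dict, Optional

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for a given time-step counter (HMAC-SHA1, dynamic truncation)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SingleUseTotpVerifier:
    """Accepts each time-step code at most once per account and serialises
    concurrent attempts for the same account."""

    def __init__(self, secrets: Dict[str, str], window: int = 1):
        self._secrets = secrets              # account -> base32 seed (constructed data)
        self._window = window                # accept +/- this many steps of clock drift
        self._last_counter: Dict[str, int] = {}  # account -> highest counter consumed
        self._locks = defaultdict(threading.Lock)

    def verify(self, account: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // TIME_STEP
        secret = self._secrets.get(account)
        if secret is None:
            return False
        with self._locks[account]:  # one attempt at a time per account
            for counter in range(current - self._window, current + self._window + 1):
                if hmac.compare_digest(totp(secret, counter), code):
                    # Replay: this step, or an older one, was already consumed.
                    if counter <= self._last_counter.get(account, -1):
                        return False
                    self._last_counter[account] = counter
                    return True
            return False


DEMO_SEED = "JBSWY3DPEHPK3PXP"  # constructed base32 seed, not a real credential

if __name__ == "__main__":
    v = SingleUseTotpVerifier({"alice@example.com": DEMO_SEED})
    code = totp(DEMO_SEED, int(time.time()) // TIME_STEP)
    print("first use:", v.verify("alice@example.com", code))   # True
    print("replay:   ", v.verify("alice@example.com", code))   # False
```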
You've missed the evil genius of how this software circumvents the MFA. The MFA code here is only used once, always from the attacker's IP address, and without delay; the user types it into a form that submits it to the attacker's software, and the attacker's software sends it on to Microsoft's login server only once without storing it. The magic happens when Microsoft's login server responds with the cookies that the customer's browser will use in the future, but they never reach the customer's browser (or IP address). They're kept by the attacker, and can be copied straight into the attacker's browser, still only in one place with the right IP address and timing.
Instead of getting the cookies, the customer gets a redirect to the real Office home page. They were probably already logged in, so they don't notice anything going wrong.
@@CareyEvans but wouldn't 2 logins from different ips but the same session ID be detected by Microsoft. I mean- 2 identical session IDs should not even be permitted. ??? It doesn't sound like it would be difficult to check for at Microsoft's end.
@@lynskyrd The customer's existing session ID cookies are safe and untouched; there's malware that steals them, but that's a completely different problem.
The new session ID cookies from this attack never leave the attacker's control, so there's nothing Microsoft sees except an old session from the customer and a new session from the attacker.
Always type the URL yourself.
Just to be clear, this is a standard false url attack, the mfa part is moot.
The point of it is to demonstrate that a false URL attack would have been useless with MFA before, but now the false URL attack is a middle-man for getting a legitimate MFA token
The standard phishing attacks would just take your username and password, but if you had MFA, they wouldn’t be able to get in. These attacks are much more dangerous because they take the authenticated cookie and still work if the user has most forms of MFA enabled
Could you let me know what feature you intend on using to require stricter authentication when signing in with a VPN?
We're using sign in risk policies with Entra ID P2 - if it detects a sign in from an anonymous IP it will prompt for a phishing resistant form of authentication (eg hardware key) or it will require that the device is Intune compliant
@@ElliotMunro that won’t work, for example, my vpn is a cheap vps i have in another country, the hackers might be as well.
@@mark33545 yep it’s a layered approach. When we’ve seen this attempted or executed successfully, the attackers were using vpns with anonymous IPs. You’re right that this won’t be the case for all however, and there might very well be successful attacks that went undetected due to non-suspicious sign in properties. We’re constantly monitoring for other activities typical of these attackers, and the hope is we have enough layers to detect and block them early enough while we get phishing resistant MFA methods rolled out across our customers
Would enabling passwordless MFA alone be enough to solve this? Also, what are you seeing as their typical activities once in? I am considering rolling out TAPs so that I can require MFA for changing security info (but how long until their attack also works around that!) Do you think that would help? @@ElliotMunro
Why not add FIDO authentication to your toolbox?
Yep I mention that at the very end. Ideally we’d have them deployed for everyone but the price and having to keep the key on you has been a barrier for many customers.
Passkeys would mitigate this while being free, no? I suppose then it's only as secure as the passkey storage. IIRC MS authenticator was adding support.
@@LimitedWard good point, switching to relatively free passkeys is a great solution that I should’ve mentioned
Support for phones as keys is being worked on
Maybe this is a stupid question, but how are the attackers getting the cookie?
They proxy the Microsoft login screen, presenting it to the user via a fake url and intercepting the cookie and anything exchanged between the user and Microsoft on that page.
Why don't you also restrict access to registered company devices?
3:51 What is this app/service that detects potential phishing login pages? Where can I get more info on it?
The tool is called Clarion by HuskyHacks, I just added a link to the description
I just never click on login type websites from an email - even if I'm expecting it from the sender.
This requires the attacker's OAuth app to be authorised, doesn't it?
If a tenancy only allows particular apps to be authorised then that's also a way of thwarting this attack
Did he say they are using oauth?
Implement Steve Gibson's SQRL
How does a whitelist approach work when employees travel quite a bit for work/vacation? It doesn’t seem feasible for a large company. Placing someone on a different policy when they complain from their vacation destination isn’t practical.
*allowlist
@@morbau11 Whitelist. Don’t be so fragile and assume everything that refers to color is somehow low-key racist. How utterly pathetic.
Browsers should have some ID in the cookie. If the hackers try it with another browser it should fail because the ID does not match the original browser that was used to log on with.
MONTHLY security training for the staff? I think every 6 months should be enough.
You would think so, but experience tells me otherwise.
Staff will definitely ignore training given every month! Same way that forcing regular password changes leads to weaker passwords.
We’re going with a module a month on a different subject, e.g. spotting phishing, clean-desk policy, don’t insert random USBs. Apparently it helps with retention but we’ll see how it goes.
@@ElliotMunro You must have some dumb users, quite frankly. 22 years supporting SMBs, non-techie people, and they know what phishing is, they never fall for it, and if they're unsure about something they forward it to me first.
@@ElliotMunro Also, with all of these "new subjects" that are probably enjoyable for you to teach to people, you risk overwhelming them, they won't retain any of it, they'll just freeze up and disregard it all. Keep it simple.
Sorry, how do they get the code from your phone? I didn't understand that part
When the user authenticates their MFA, a cookie is created to store their login session. The script gives us the valid cookie so we can login as them, bypassing the MFA
Cookies are inherently insecure and need to be replaced. What if websites displayed a QR code that has to be scanned by the user's phone, which was previously authenticated? Upon successful scanning of the QR code, the user completes login with biometric data from the phone's fingerprint reader or face scanner.
Detect IP addresses. Some banks do it. The session keeps the IP address. Different IP? Cookie is trash.
Is this something SafeLinks would catch if it was turned on for the organization?
I don’t think it does a consistent job of it. We have safe links rolled out across all customers and are still receiving notifications of connections to these ‘adversary in the middle’ sites
@@ElliotMunro Thank you, that's good to know going forward!
Apologies for my stupidity but how is the victim getting the code if the victim is not on the Microsoft page?
Thanks
Because of a stored previous authenticated session kept in the browser as a cookie.
No problem! The attacker is just relaying the actual Microsoft login page to the user via a fake URL and intercepting everything exchanged between the user and the login page, including the password from the user, and the authentication cookie returned by Microsoft after the user completes the MFA process.
Ironically if someone is using a keychain password manager to manage their 365 account it could be more secure as it will see that the url is incorrect and won’t fall for the trick. I’m not recommending that as a foolproof strategy though lol.
Cookie session hijacks are mad scary
I work in an MSP, I would share this with my team, but they won't listen. The Company has horrible ethics
Microsoft's MFA implementation using their Authenticator app will prompt the user to input a two digit number that the website presents to the user. Compare that to your typical MFA where you have a rotating 6 digit code, or a push notification, which, if timed correctly, could allow a threat actor to build a fake web site to trick the user to input credentials followed by their authentication code that can be relayed to the actual web page for authentication and grabbing the cookie. However, as noted by others, password managers will not fill in credentials for unknown web sites.
Now, back to Microsoft's MFA implementation where the web site presents a code. I'm not a big fan of Microsoft or being forced to use their authenticator app, but they did do something better than current implementations of MFA. Sure, a relay method can still be used if the threat actor could grab the code that the real web site is presenting to the user, then, in turn, present that on the fake web site, but it's more complicated.
Logging in with a passkey would've thwarted this attack.
I do wish to ask, for anyone that can help: at times I'm getting authentication codes in my Gmail as if someone has tried to login to my account. Does that mean that my password is compromised?
Mr. Beast
Or… just require all users to use passkey or fido
Don’t. Click. Links. In. Emails. Ever. Ever. Ever.
This is exactly why I use Microsoft ZERO password authentication 😊
One problem is using software that requires you to be online to use it. I have all my software on my own computer, and it's all 100% mine. The internet fails a lot in my area, and I don't want to be hindered in my work or play by lame software that I can't 100% own. I don't want MFA for anything. I just want to use my own passwords. I don't use a password manager as I'm perfectly capable of keeping a list of them. I'm the only one who can access my computer, and that computer is the only device I use.
Microsoft or anyone else could easily detect an IP change, why not invalidate the session cookie upon an IP change? Yes I get there are legitimate reasons an IP would change but seems like such a simple thing they could do or at least give users the option if there is an IP change require reauthentication? Not to mention the fact the user agent, all of it. Sure the attacker could spoof that but these seem like pretty basic things to me.
They more or less have this with Entra Continuous Access Evaluation, but it needs to be more nuanced as lots of businesses use multiple outbound IPs for NAT or proxy due to port exhaustion including mobile networks, so you have to use something broader like country or login risk.
What is the open source tool you are using? calrion? Never heard of it and I can't find anything on Google. Could you please put a link to it in the description?
It’s called Clarion by HuskyHacks on GitHub. I’ll update the description with a link when I’m back at my pc :)
This only works because the user did not use a phishing-resistant form of 2FA ? If the user had used the MS Authenticator app (with push notification to the device), I presume this would not work.
Unfortunately this attack still works against Microsoft Authenticator with push notifications. I’ve seen a few videos testing it and it still steals the authenticated cookie
@@ElliotMunro But the cookie is tied to the device and won't be accepted by Microsoft Entra if it comes from another device ?
@@luckbeforeleap as far as I’ve seen/read, as long as the cookie has the valid authentication token in it Entra ID won’t do any additional checks by default to make sure it’s the same device or browser. Unless you’re using conditional access policies with continuous access evaluation to consistently check that you’re on a compliant device, trusted IP range, or allowed country etc
@@ElliotMunro You actually just answered my question, which was going to be what would happen if you had conditional access policies in place. Looks like I'll have to look into continuous access evaluation in my environment. Thanks for the great video mate.
Phishing-resistant not phishing proof. Just a question of automating the process so that the hacker automatically logs in while the user is being phished, relaying the MFA challenge realtime to the victim.
Why the devil in this day and age can’t we totally disable hyperlinks in emails?!!!? Force users to manually LOOK at the URL and copy it manually to their browser if they really want to click on it.
Stop the "Oops, I didn’t mean to click that."
But for some reason gmail and others don’t give that option?
Long ad 🤦♂️
This was initially a customer facing video for our existing clients that’s taken off :)
It is an Ad but its useful as this has happened at work before, I knew how it worked in practice but it was nice to see the tools they actually use to do this.
Hmm, I think the first advice should be not to log on to pages which you have entered by clicking on a link in some email. Even more important would be not to click on links sent to you, but to enter the service from its main page?
So you're gonna go into a SharePoint from the main page and find a file among millions of other files? No. You're gonna click the link in the email notification from your internal team. C'mon.
@@ewicky Well, if you ignore/mock basic security measures then I can't help you.
MFA is an important component, but it cannot be relied on alone! Augment with conditional access and geo fencing policies 👍
Dude first video in 3 years?
haha yes I'll make a habit of posting more now - this one's taken off :)
As usual, the weakest points are incompetent people.
Leonardo Gateway
Fuck, this is happening to me right now. Wtf.
How do you recognize a VPN ? Are you blocking "hackers" with public VPNs? Lol
Bad actors will try to use VPNs in the victim's country to get around location-based conditional access policies. Using an Entra ID identity risk policy that triggers on public VPNs/anonymous IPs, you can require that the user re-complete the MFA authentication, which the attacker won’t be able to do.
❤
Hackers are not breaking in; script kiddy criminals are asking idiots for their credentials and the idiots provide.
Surely there must be a solution to this... Something that will REALLY make the user suffer without disturbing hackers at all? Bonus points if it gives the company access to the user's DNA and bank account.
Donnelly Mills
Phishing isn’t hacking, it’s social engineering… hacking is specifically the penetration of software or hardware using brute force.
fishy fishy
Scary.
😂😂😂 99% time- its stupid bad users not the bad technology 😂😂😂😂.
Hahaha the whole country is in danger
Successful use of a phishing attack does not equal “breaking into MFA”. Your video subject is deceptive and dishonest.
He didn't say breaking into MFA, he said breaking into MFA enabled accounts. In other words, MFA doesn't matter in this situation.
Mitchell you bully
First time on RUclips buddy?
I disagree. It's at least defeating the purpose of MFA and giving bad actors access to the protected resources. True, it's not the same as breaking the MFA code itself, but the result is the same.
@@shizziebizz I think this Mitchell guy is just projecting his own insecurities, he does work at Optus after all....
WOW! Thanks for sharing @GCIT