Wednesday, February 7, 2024

AiTM Phishing - Defender Investigation

AiTM - Phishing

Adversary in The Middle attacks seem to be on the rise and over the past few months I have seen a lot of attacks using EvilGINX and similar tools. Here is a quick guide for a first round of analysis when seeing this activity. 

The Attack

This attack vector is different to traditional phishing and a lot harder to protect users from. Upon a successful attack, the user is proxied to the site they are trying to log into, so as far as they are aware, they've legitimately logged in. This attack steals the users session cookie and bypasses any MFA protection. EvilGINX will also create a valid certificate giving the phishing site that lock we've always told users to look out for...

I won't go into the full attack here but if you want to read more there is a great talk from the creator, Kuba Gretzky, here , and a demo from John Hammond here

Analysis

I am looking at this from Microsoft Defenders point of view, mostly because all of the alerts I've seen have sourced from Defender. When an alert comes in, the first thing I do is look into the domain, in this example a phishing email was sent to the user with a link to http[:]//findmedoc[.]site. Throwing the domain into VirusTotal shows it is clean



I've found every domain in these attacks to be clean, the reason for this is that they are, it's proxying the actual login page. We want to look out for the age of the domain, in VT we can find this in the details tab.
A newly registered domain being sent as a link via email is the red flag to take action! 

Check whois records for further information.

Everything about this domain is a worry. 

Due to the Defender alert being generated from the user actually clicking the link, you might want to think about disabling the user and resetting passwords before doing any further investigation. 




We can see the user clicked the link, we also get the IP which will be useful to look for potential logins. 


Now it is very likely the attacker will pivot IP for the login, but I've rarely seen that. 

My next actions will be to just disable the user, reset and then investigate related activity. It's better to ask for forgiveness for blocking a user.. you don't want to be on the other type of call... 



Click the View Related Activity as we want to see if the attacker is in the account and what they are doing. 

First, search for the IP seen under the "Raw IP" filter



We want to look for:
Successful Log ons
Any mailbox rules being created
Sharepoint activity

The final check, as the attacker could have switched IP from the phish, we look at the account login locations, User Page > Locations > Click the number

We want to investigate, if possible, all locations. At a minimum, look at all logins from any country outside of the users normal geography. 


Hopefully this has been helpful!

AiTM Phishing - Defender Investigation

AiTM - Phishing Adversary in The Middle attacks seem to be on the rise and over the past few months I have seen a lot of attacks using EvilG...