detection.wiki

Detection rules › Kusto

Possible AiTM Phishing Attempt Against Microsoft Entra ID

Status
available
Severity
medium
Time window
1d
Group by
DstIpAddr, IPAddress
Source
github.com/Azure/Azure-Sentinel

'Threat actors may attempt to phish users in order to hijack a users sign-in session, and skip the authentication process even if the user had enabled multifactor authentication (MFA) by stealing and replaying stolen credentials and session cookies. This detection looks for successful Microsoft Entra ID sign ins that had a high risk profile, indicating it had suspicious characteristics such as an unusual location, ISP, user agent, or use of anonymizer services. It then looks for a network connection to the IP address that made the sign in immediately before the sign in, that may indicate a user connecting to a phishing site at that IP address and having their authentication session hijacked. Ref: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/'

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078.004 Valid Accounts: Cloud Accounts
StealthT1078.004 Valid Accounts: Cloud Accounts
Credential AccessT1111 Multi-Factor Authentication Interception, T1557 Adversary-in-the-Middle

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body kusto

id: 16daa67c-b137-48dc-8eb7-76598a44791a
name: Possible AiTM Phishing Attempt Against Microsoft Entra ID
description: |
  'Threat actors may attempt to phish users in order to hijack a users sign-in session, and skip the authentication process even if the user had enabled multifactor authentication (MFA) by stealing and replaying stolen credentials and session cookies.
  This detection looks for successful Microsoft Entra ID sign ins that had a high risk profile, indicating it had suspicious characteristics such as an unusual location, ISP, user agent, or use of anonymizer services.
  It then looks for a network connection to the IP address that made the sign in immediately before the sign in, that may indicate a user connecting to a phishing site at that IP address and having their authentication session hijacked.
  Ref: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog (Zscaler)
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - DefenseEvasion
  - CredentialAccess
relevantTechniques:
  - T1078.004
  - T1557
  - T1111
query: |
  let time_threshold = 10m;
  let RiskySignins = materialize (SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where RiskLevelDuringSignIn =~ "high" or RiskLevelAggregated =~ "high"
  | extend SignInTime = TimeGenerated, Name=split(UserPrincipalName, "@")[0], UPNSuffix=split(UserPrincipalName, "@")[1]);
  let ips = todynamic(toscalar(RiskySignins | summarize make_list(IPAddress)));
  RiskySignins
  | join kind=inner (_Im_WebSession(starttime=ago(1d), ipaddr_has_any_prefix=ips, eventresult="Success", pack=True))
  on $left.IPAddress == $right.DstIpAddr
  | where EventStartTime < TimeGenerated
  | extend TimeDelta = TimeGenerated - EventStartTime
  | where TimeDelta <= time_threshold
  | extend NetworkEventStartTime = EventStartTime, NetworkEventEndTime = EventEndTime
  | extend SrcUsername = column_ifexists("SrcUsername", "Unknown")
  | project-reorder SignInTime, UserPrincipalName, IPAddress, AppDisplayName, ClientAppUsed, DeviceDetail, LocationDetails, NetworkLocationDetails, RiskEventTypes, UserAgent, NetworkEventStartTime, NetworkEventEndTime, SrcIpAddr, DstIpAddr, DstPortNumber, Dvc, DvcHostname, SrcBytes, NetworkProtocol, SrcUsername
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
alertDetailsOverride:
  alertDisplayNameFormat: Possible AiTM Phishing Attempt Against {{UserPrincipalName}} From {{IPAddress}}
  alertDescriptionFormat: |
    Threat actors may attempt to phish users in order to hijack a users sign-in session, and skip the authentication process even if the user had enabled multifactor authentication (MFA) by stealing and replaying stolen credentials and session cookies.
    This detection looks for successful Microsoft Entra ID sign ins (in this case from {{UserPrincipalName}}) that had a high risk profile, indicating it had suspicious characteristics such as an unusual location, ISP, user agent, or use of anonymizer services.
    It then looks for a network connection to the IP address (in this case {{IPAddress}}) that made the sign in immediately before the sign in, that may indicate a user connecting to a phishing site at that IP address and having their authentication session hijacked.
    Ref: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
version: 1.0.4
kind: Scheduled

Stages and Predicates

Parameters

let time_threshold = 10m;

Let binding: ips

let ips = todynamic(toscalar(RiskySignins | summarize make_list(IPAddress)));

Derived from RiskySignins.

The stages below define let RiskySignins (the rule's main pipeline source).

Stage 1: source

SigninLogs

Stage 2: where

| where TimeGenerated > ago(1d)

Stage 3: where

| where ResultType == 0

Stage 4: where

| where RiskLevelDuringSignIn =~ "high" or RiskLevelAggregated =~ "high"

Stage 5: extend

| extend SignInTime = TimeGenerated, Name=split(UserPrincipalName, "@")[0], UPNSuffix=split(UserPrincipalName, "@")[1]

The stages below run on RiskySignins (the outer pipeline).

Stage 6: join

RiskySignins
| join kind=inner (_Im_WebSession(starttime=ago(1d), ipaddr_has_any_prefix=ips, eventresult="Success", pack=True))
on $left.IPAddress == $right.DstIpAddr

Stage 7: where

| where EventStartTime < TimeGenerated

Stage 8: extend

| extend TimeDelta = TimeGenerated - EventStartTime

Stage 9: where

| where TimeDelta <= time_threshold

Stage 10: extend

| extend NetworkEventStartTime = EventStartTime, NetworkEventEndTime = EventEndTime

Stage 11: extend

| extend SrcUsername = column_ifexists("SrcUsername", "Unknown")

Stage 12: project-reorder

| project-reorder SignInTime, UserPrincipalName, IPAddress, AppDisplayName, ClientAppUsed, DeviceDetail, LocationDetails, NetworkLocationDetails, RiskEventTypes, UserAgent, NetworkEventStartTime, NetworkEventEndTime, SrcIpAddr, DstIpAddr, DstPortNumber, Dvc, DvcHostname, SrcBytes, NetworkProtocol, SrcUsername

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventStartTimelt
  • TimeGenerated transforms: cased
ResultTypeeq
  • 0 transforms: cased
RiskLevelAggregatedeq
  • high
RiskLevelDuringSignIneq
  • high
TimeDeltale
  • 10m transforms: cased

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Nameextend
SignInTimeextend
UPNSuffixextend
TimeDeltaextend
NetworkEventEndTimeextend
NetworkEventStartTimeextend
SrcUsernameextend