Be aware of the new cookie monster – AiTM

So, for the ones who thought that MFA was the holy grail, bad news has arrived. Microsoft is seeing a rise in attacks based on AiTM – Adversary in The Middle. Unfortunately, these attacks have proven that MFA is not enough to protect users against credential theft, because they leverage a mechanism where users' session cookies are captured and reused.

The attack

The attack requires the user to log in through a server that proxies the user's login to a Microsoft endpoint. That proxy server saves the session cookie issued after the successful login, which enables the attacker to reuse the session cookie to log in to company resources.

This type of attack allows an attacker to obtain a session cookie that can be used to circumvent MFA authentication. The attack steps are illustrated in the figure below.

How to prevent these types of attacks

The easiest way to protect against these types of attacks is to leverage Conditional Access policies that only allow logins from trusted IP addresses or from devices that are trusted/compliant. This will solve the issue but will also reduce users' access to services, so it is recommended to test before implementing these policies.

Another way to protect against these types of attacks is to enable certificate-based sign-in or use FIDO security keys for sign-in, but this requires a lot of planning and testing.

As always reach out if you want us to assist.
