Password Managers have been thwarting this attack for THREE DECADES, because they don't confuse similar URLs.

Conditional Access policies that check client posture are huge in preventing this kind of attack, and are totally transparent, so no additional burden on the user.

was wondering momentarily why the Clarion repo stars surged yesterday 🤣 Thanks for the shoutout Elliot. One point of clarification: Clarion, by itself, doesn't render that cool warning CSS that you see in the demo video. That's an additional feature specific to CIPP which was developed by CIPP's maintainer.

Unfortunately, you can implement all the security in the world but if a user is duped into giving away access, there's not much you can do about it. Every organisation is different but securing systems is best achieved in layers. For M365, Conditional Access Policies is the way to go (ie: MFA, device filtering, named locations, restrict access to only the users who require it, etc). Hackers look for the low hanging fruit and will move on to the next unsuspecting victim .

So people are still clicking on links in unsolicited emails? You’d think by now that everyone would know not to do that.

It would require additional backend work for Microsoft, but the cookie or token that they issue out could contain the IP address that requested the token/cookie and they would have to validate that part during the Auth process that every request made matches the IP address from within the cookie or token.

All this cookie talk is making me hungry.

This is why I don't even know the passwords I use. I store them in the browser and if the link doesn't match then I can't even enter the password if it's not saved.

🎉 great video. What about the Azure to Azure emailing using Powershell and Microsoft direct send. Most environments aren’t preventing these. You could block hard fails for SPF. Reject messages that aren’t encrypted using TLS and some others.

Thank you algorithm for this video. Liked and subbbed! Wonder how long until passkeys save us from this nightmare?

10-15 years ago or so I gave a presentation at a university lecture hall “On The Security of Systems and Applications”. One of the audience nearly sued me. Of course I ran a NAT hijack of that segment of the campus network. Of course I ran automatic MITM session hijack over that stream of data. Of course I had software automatically posting as captured users, on their own accounts, that “I should probably pay more attention during a security talk.” Opening the presentation by sending an e-mail to everyone present, from Bill Gates, containing a one trillion dollar signed PDF refund notice from Amazon. That… left a few jaws on the floor. But there were still people who couldn’t resist Facebook or Twitter while I presented. Come on, children. Be smarter. (These were not actually children.)

Firstly, great vid, thank you. Blocking countries is great...until the Bad Actor routes in via a domestic IP address, like we had recently. How about Phishing Resistant MFA?

You would think that the two factor cookie would only be valid for one login attempt for that device, with that browser with that ip address. If two factor authentication is being used it already means something is unusual about the login.

Great video Elliot! I've set up Clarion and an instance of Evilginx to test this out. Clarion detects the malicious URL but I don't know how to change the CSS of the login page to display the warning, how did you manage to do that? Could you point me in the right direction? Also, can Clarion be used for production, I would like to set this up so users get warned when accessing a proxy page of the microsoft login.

Does the attacker need to login within the ~30-60s before that particular MFA number expires? or does the cookie persist beyond that

Great information and easily digestible. Wouldn't a possible answer make six digit 2FA codes single use? It's my understanding that 2FA codes (currently) rotate through an authentication algorithm on a 60s timeframe, but that's for a single-dimensional model. If each 60s timeslot was then vectored so the first request generated the "standard" 2fa, but immediately expired that token and algorithmically generated a new token - the attacker would not have the public/private key combo necessary to follow that sequence, so the stolen 2FA key would be denied as "already used". Only the owner of the Public/Private pair would know the next key in the sequence. Now granted, it would be a race condition between the attacker and authorized user at that point. To my thinking, that should plug all the holes? And yes, using a password manager for all of this would solve everything, but good luck getting Granny to sign on to that model...

Does this attack work if the User is using their registered Microsoft Authenticator app as 2FA? When my MSA wants to check my identity they display a number on the screen and ask me to open my MS Authenticator app and click the corresponding number from the list on the screen in the Authenticator app. Seems to me this approach would foil this MITM attack?

I've bought many cookies, but I didn't know how the 2fa would get bypassed. Good video 👍

This was an obvious attack from the inception of how MFA is implemented and our current PKI-centric authentication models. I created a new protocol that came naturally from my semantic version control approach that utilizes Merkle DAGs/hypergraphs. My driving use case wasn't security, but the transactional nature of exchanging graphs was needed and the authn side of it is a natural layer on top of this transactionality. The mechanism works similarly to how today's sphincs algorithm works, and it has qualities of the double-ratchet mechanism used in signal's encryption protocol. Unfortunately, security people are pretty hoity toity and don't want to stick their head out of the box to make a lot of money. Let somebody else make all that money, right?!

Surely Microsoft are issuing takedowns on the malicious domains? If so how quickly are they able to react and create new ones? Would seem to me the effectiveness of this technique would reduce the more unlike the original domain it becomes

So is this possible at all without falling for a phishing link? we have users claiming they never clicked a link and we're seeing this.

At least you ended with what you should be recommending in todays day and age, FIDO credentials, hardware bound passkeys(security keys like yubikey) and zero trust. I think going password less should be a focus with phishing resistant MFA by using both syncable & hardware bound passkeys is the future

Just to be clear, this is a standard false url attack, the mfa part is moot.

Why not encrypt the IP address or location info in the cookie and check if it matches the users information

Thanks, interesting. Do passkeys help in this situation?

This may be a dumb question and I'm missing the obvious, but how does this fake form know the user's cell phone number to send them the MFA code? Wouldn't the user's account already need to be compromised in order for the attacker to know the number? Or is it assumed that some other social engineering has taken place to acquire it?

What if the user never recieved a prompt to setup MFA, Can the hacker setup MFA for that user?

Can setting policies like Impossible travel detect and block sign-in attempts that occur from geographically distant locations within a timeframe that's impossible for normal travel ?

In regards to AI tooling for phising what are you using?

Thank you for your service!

And so Microsoft doesn't have an IP geolocalization based protection in order to avoid this? I can remember a few services have it.

It comes down to URL obfuscation. Comes down to people not reading again, which has been a problem since the dawn of the computer age.

Doesn't something like Microsoft Sentinel have the capability to force a reset of your password if it detects abnormal access to company resources (at least in Azure)?

Literally the only times I click links in my email is after making a new account somewhere and after ordering something (when I'm not using Amazon). I ignore everything else

What don't you also restict access to registered company devices.

Why are the cookies not bound to the client ip address?!

Why does a cookie work on another device? Seems it should be tied to the hardware

How about doing the only thing that seems to work for companies like Microsoft/Google whitepapers ? Don't rely on user URL recognition and mendate U2F with FIDO2 keys which enforces URL signature by design ? (For Microsoft EntraID required advanced authentication package a few years ago). Security awareness is cute for feel good compliance but i have never seen actually work in red teaming. It doesn't work at scale as 1 employee in 10 000 spam is enough to get a beachhead in a company (salary/dresscode or more salacious company product info leak and you always get a few hundred people who will click no matter the training).

So it starts when you click a fake log in link disguised as a genuine email sender(microsoft, google, etc.)?

Does this vulnerability still exist with on-premise 2fa deployment?

That MFA implementation by Microsoft is really not up to par! Our system only allows an MFA code to be used once. Similar to how you can associate an IP address with a session, we can also record the 'timecode' (epoch % 30) for each account login. When a user successfully authenticates, we not only record their IP address but also the timecode. If there's already an authenticated session with that timecode, we reject the second attempt. Additionally, our system essentially creates a 'mutex' based on the email used. This means that if a second session with the same email is initiated, that request is blocked until the first authentication session is completed, ensuring that simultaneous logins are not possible. This provides a straightforward way to prevent a user from being authenticated twice using the same code...

Why can’t they session to a geo Location ip, if ip is completely different then invalidate the session,

Why not add FIDO authentication to your toolbox?

Would using a hardware token not help here?

Where do i click on a false u r l? In all instances i use a company installed icon. (Phone&computer)

Allow list: if issue identified: block general region (for a while) & inform relevant region authority as to why. ?

MONTHLY security training for the staff? I think every 6 months should be enough.

idgi, so basically dont click sketchy links?

3:51 What is this app/service that detects potential phishing login pages? Where can I get more info on it?

I just never click on login type websites from an email - even if I'm expecting it from the sender.

How does a whitelist approach work when employees travel quite a bit for work/vacation? It doesn’t seem feasible for a large company. Placing someone on a different policy when they complain from their vacation destination isn’t practical.

Could you let me know what feature you intend on using to require stricter authentication when signing in with a VPN?

Browsers should have some ID in the cookie. If the hackers try it with another browsers it should fail because ID do not match. from the original browser that was used trying to log on with.

This requires the attackers OAuth app to be authorised doesnt it? If a tenancy only allows particular apps to be authorised then thats also a way of thwarting this attack

Always type the URL yourself.

Ironically if someone is using a keychain password manager to manage their 365 account it could be more secure as it will see that the url is incorrect and won’t fall for the trick. I’m not recommending that as a foolproof strategy though lol.

Maybe this is a stupid question, but how are the attackers getting the cookie?

I work in a MSP, I would share this with my team. but the won't listen. The Company has horrible ethics

Cookies are inherently unsecure and need to be replaced. What if websites displayed a QR code that has to be scanned by the user's phone, which was previously authenticated? Upon successful scanning of the QR code, the user completes login with biometric data from the phone's fingerprint reader or face scanner.

Microsoft's MFA implementation using their Authenticator app will promp the user to input a two digit number that the website preaents to the user. Compare that to your typical MFA where you have a rotating 6 digit code, or a push notification, if timed correctly, could allow a threat actor to build a fake web site to trick tthe user to input credentials followed by their authentication code that caan be relayed to the actual web page for authentication and grabbing the cookie. However, as noted by others, password managers will not fill in credentials for unknown web sites. Now, back to Microsoft's MFA implementation where the web site presents a code, I'm not a big fan of Microsoft or being forced to use their authenticator app, but they did do something better than current implementations of MFA. Sure, a relay method cm still be used if the threat actor could grab the code that the real web site is presenting to the user, then, in turn, present that on the fake web site, but it's more complicated.

I’ve been receiving at least three times a week request for change the password for my Microsoft

Microsoft or anyone else could easily detect an IP change, why not invalidate the session cookie upon an IP change? Yes I get there are legitimate reasons an IP would change but seems like such a simple thing they could do or at least give users the option if there is an IP change require reauthentication? Not to mention the fact the user agent, all of it. Sure the attacker could spoof that but these seem like pretty basic things to me.

Implement Steve Gibson's SQRL

Sorry how do they get the code from your phone? I didnt understand that part

Logging in with a passkey would've thwarted this attack.

Is this something SafeLinks would catch if it was turned on for the organization?

This only works because the user did not use a phishing-resistant form of 2FA ? If the user had used the MS Authenticator app (with push notification to the device), I presume this would not work.

Apologies for my stupidity but how the victim is getting the code if the victim is not in the Microsoft Page? Thanks

One problem is using software that requires you to be online to use it. I have all my software on my own computer, and it's all 100% mine. The internet fails a lot in my area, and I don't want to be hindered in my work or play by lame software that I can't 100% own. I don't want MFA for anything. I just want to use my own passwords. I don't use a password manager as I'm perfectly capable of keeping a list of them. I'm the only one who can access my computer, and that computer is the only device I use.

Mfa is an important component, but it cannot be relied on alone! Augment with conditional access and geo fencing policies 👍

Surely there must be a solution to this... Something that will REALLY make the user suffer without disturbing hackers at all? Bonus points if it gives the company access to the user's DNA and bank account.

Don’t. Click. Links. In. Emails. Ever. Ever. Ever.

Cookie session hijacks are mad scary

i do wish to ask, for anyone that can help, at times im getting authentication codes in my gmail as if someone has tried to login to my account, does that mean that my password is compromised?

What is the open source tool you are using? calrion? Never heard of it and i can't find anything on google. Could you please put a link to it in the descritpion?

This is exactly why I use Microsoft ZERO password authentication 😊

Mr. Beast

Or… just require all users to use passkey or fido

Hmm, I think the first advice should be to not to log on pages which you have entered by clicking on a link in some email. Even more important would be to not to click on links send to you, but enter the service from its main page?

Why the devil in this day and age can’t we totally disable hyperlinks in emails?!!!? Force users to manually LOOK at the URL and copy it manually to their browser if they really want to click on it. Stop the Opps I didn’t mean to click that. But for some reason gmail and others don’t give that option?

Phishing isn’t hacking, it’s social engineering… hacking is specifically the penetration of software or hardware using brute force.

Dude first video in 3 years?

❤

Hackers are not breaking in, script kiddy criminals as asking idiots for their credentials and the idiots provide.

as usual, the weakest point are incompetent people.

Long ad 🤦‍♂️

Fuck, this is happening to me right now. Wtf.

How do you recognize a VPN ? Are you blocking "hackers" with public VPNs? Lol

Leonardo Gateway

Scary.

fishy fishy

😂😂😂 99% time- its stupid bad users not the bad technology 😂😂😂😂.

Hahaha the whole country is in danger

Donnelly Mills

Successful use of a phishing attack does not equal “breaking into MFA”. Your video subject is deceptive and dishonest.

WOW! Thanks for sharing @GCIT