An office worker received an email that appeared to be from a vendor but was caught in quarantine and the user requested its release. It looked innocent enough, so an administrator released the email. The user clicked on the email to review the contents, which included an attached invoice.
That’s where the trouble started: clicking on the attachment launched a website that requested the worker’s username and password, which they dutifully entered. Unfortunately, there was nothing legitimate about the email, which was phishing for just such an opportunity.
But it got worse — the user had unwittingly given the attacker the ability to go one step further and launch an adversary in the middle (AiTM) attack, the ultimate business email compromise that seeks to gain entry to banking or other financial transactions. These attacks not only grab credentials, but they can also snare tokens to bypass multifactor authentication.
AiTM attacks are insidious and can have serious consequences
Several levels of security had failed, and the attackers were now able to infiltrate the network stealthily, impersonate the target and access email conversations and documents in the cloud.
“In a stolen session cookie replay attack, the attacker uses the valid stolen cookie to impersonate the user, circumventing authentication mechanisms of passwords and MFA,” Microsoft notes in its blog on the subject.
“In this campaign, we observed that the attacker signed in with the stolen cookie after a few hours from an IP address based in the United States…. In addition, the attacker generated a new access token, allowing them to persist longer in the environment.”
Once inside, attackers can add new authentication methods to bypass those already in place, often with the goal of building a rule to divert certain mail so that the user or owner of the mailbox doesn’t see it being sent.
Preventing AiTM attacks requires a combination of techniques
To prevent AiTM attacks, Microsoft recommends using security defaults as a baseline set of policies to improve identity security posture. For more granular control, you’ll want to enable conditional access policies; implementing risk-based access policies is particularly helpful.
“Conditional access policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins,” according to Microsoft.
“Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices, trusted IP address requirements, or risk-based policies with proper access control.”
Invest in advanced anti-phishing solutions as a front-line defense, specifically solutions that monitor and scan incoming emails and visited websites. Ensure that you use SmartScreen and other technologies that block malicious websites.
Investigate suspected malicious activity: hunt for sign-in attempts with suspicious characteristics, and enable rule sets that flag unusual activity and the more obvious attack patterns, such as risky locations, malicious ISPs, unusual user agents, and the use of anonymizer services.
Investigation and clean-up after an AiTM attack
While Microsoft’s AiTM blog discusses what you should do to prevent business email compromise, it’s a bit weak on the specifics of how you should investigate and clean up after the potential attack.
Ensure that your Microsoft 365 logs are offloaded to a security information and event management (SIEM) platform, then review the Entra or Azure sign-in logs, both interactive and non-interactive, for any location that isn’t “normal.”
Note that if the user is on a cellular connection, the location may be hard to classify as normal and may differ geographically from the IP addresses you are used to seeing. It may take some time to correlate what the user was doing with the device they were logging on from. Interview the user, correlate the dates, times, and events with what they were doing, and document accordingly.
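The hunting signals above (risky locations, unusual user agents) and the sign-in log review can be scripted against an export. This is an added example, not code from the article or from Microsoft; the records are constructed to resemble a few fields of an Entra sign-in log export, and the field names, addresses and ASNs are assumptions. It builds each user's baseline only from interactive sign-ins (where the user actually authenticated) and flags a non-interactive sign-in that arrives from an IP the user never authenticated from, the shape of the cookie replay the article describes.

```python
from datetime import datetime

# Constructed sample export (not real data): a normal interactive sign-in,
# a benign token refresh from the same IP, then a non-interactive sign-in
# hours later from a new country, ASN and user agent.
SAMPLE_SIGNINS = [
    {"time": "2024-05-06T08:02:11Z", "upn": "jdoe@example.com", "ip": "203.0.113.10",
     "country": "GB", "asn": 65001, "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124",
     "interactive": True, "success": True},
    {"time": "2024-05-06T08:40:00Z", "upn": "jdoe@example.com", "ip": "203.0.113.10",
     "country": "GB", "asn": 65001, "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124",
     "interactive": False, "success": True},
    {"time": "2024-05-06T13:15:42Z", "upn": "jdoe@example.com", "ip": "198.51.100.7",
     "country": "US", "asn": 65002, "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/123",
     "interactive": False, "success": True},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def triage(signins):
    """Return findings for successful sign-ins that break the user's baseline."""
    findings = []
    baseline = {}  # upn -> countries / user agents / IPs seen in interactive sign-ins
    for rec in sorted(signins, key=lambda r: parse_time(r["time"])):
        if not rec["success"]:
            continue  # failed attempts are a separate hunt; only successes matter here
        b = baseline.setdefault(rec["upn"], {"countries": set(), "uas": set(),
                                             "ips": set(), "last_interactive": None})
        reasons = []
        if b["countries"] and rec["country"] not in b["countries"]:
            reasons.append("new_country")
        if b["uas"] and rec["ua"] not in b["uas"]:
            reasons.append("new_user_agent")
        # A replayed session cookie never involved an interactive logon from that IP.
        if not rec["interactive"] and b["ips"] and rec["ip"] not in b["ips"]:
            reasons.append("noninteractive_from_unseen_ip")
        if reasons:
            hours = None
            if b["last_interactive"]:
                delta = parse_time(rec["time"]) - b["last_interactive"]
                hours = round(delta.total_seconds() / 3600, 1)
            findings.append({"upn": rec["upn"], "time": rec["time"], "ip": rec["ip"],
                             "reasons": reasons, "hours_since_interactive": hours})
        if rec["interactive"]:  # only genuine authentications extend the baseline
            b["countries"].add(rec["country"]); b["uas"].add(rec["ua"]); b["ips"].add(rec["ip"])
            b["last_interactive"] = parse_time(rec["time"])
    return findings
```

Seed the baseline with 30 days of the user's prior sign-ins before triaging the incident window, or a first legitimate sign-in from a new location will be reported too.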
Then download the Unified Audit logs at http://compliance.microsoft.com. From here you can investigate what the attacker did, especially if you have a subscription to the full Microsoft 365 suite that includes OneDrive and Teams.
You’ll want to review activities in Outlook, Teams, SharePoint, OneDrive, Power Automate, and any other corporate assets the user had access to. Obtain the logs for the compromised user and retain them in your SIEM or other log storage.
Determine the depth and severity of the attack
Depending on the impact of the attack, start the cleanup process. Begin by forcing a password change on the user account and revoking all sessions and tokens so that the stolen cookie and any tokens the attacker generated stop working.
If the consequences of the attack were severe, consider disabling the user’s primary account and setting up a new temporary account as you investigate the extent of the intrusion. You may even consider quarantining the user’s devices and potentially taking forensic-level backups of workstations if you are unsure of the original source of the intrusion so you can best investigate.
Next, review all app registrations, changes to service principals, enterprise apps, and anything else the user may have changed or impacted since the time the intrusion was noted. You’ll want to do a deep investigation into the mailbox’s access, permissions, and rules. Mandiant has a PowerShell-based script that can assist you in investigating the impact of the intrusion.
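Part of that mailbox investigation is finding the mail-diverting rules the article describes earlier (rules that hide certain messages from the mailbox owner). This is an added example, not code from the article, from Microsoft or from Mandiant; the records are constructed to resemble a few properties of an exported inbox rule, and the internal domain and folder names are assumptions. A single signal is often benign, so a rule is reported only when two or more signals combine.

```python
# Constructed sample export (not real data): one benign rule and one that
# forwards finance mail externally, hides it in RSS Feeds and marks it read.
SAMPLE_RULES = [
    {"Name": "Vendor newsletters", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "Newsletters", "ForwardTo": [], "RedirectTo": [],
     "MarkAsRead": False, "SubjectContainsWords": ["newsletter"],
     "FromAddressContainsWords": []},
    {"Name": ".", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "RSS Feeds", "ForwardTo": ["collector@example.net"],
     "RedirectTo": [], "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "wire", "payment"],
     "FromAddressContainsWords": []},
]

# Folders a mailbox owner rarely opens, so moving mail there keeps it out of sight.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
# Keywords that typically appear in the mail an attacker wants to intercept or suppress.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password", "hacked",
                   "phish", "suspicious", "security"}

def triage_rules(rules, internal_domain):
    """Return rules that combine at least two mail-hiding or exfiltration signals."""
    findings = []
    for r in rules:
        reasons = []
        targets = (list(r.get("ForwardTo", [])) + list(r.get("RedirectTo", []))
                   + list(r.get("ForwardAsAttachmentTo", [])))
        if any(not t.lower().endswith("@" + internal_domain.lower()) for t in targets):
            reasons.append("external_forward")
        if r.get("DeleteMessage"):
            reasons.append("deletes_mail")
        if (r.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
            reasons.append("moves_to_low_visibility_folder")
        if r.get("MarkAsRead"):
            reasons.append("marks_read")
        words = {w.lower() for w in r.get("SubjectContainsWords", [])
                 + r.get("FromAddressContainsWords", [])}
        if words & SENSITIVE_WORDS:
            reasons.append("filters_sensitive_keywords")
        if len(r.get("Name", "").strip(" .,-_")) < 2:  # blank or punctuation-only names
            reasons.append("blank_or_punctuation_name")
        if len(reasons) >= 2:
            findings.append({"name": r["Name"], "enabled": r.get("Enabled", False),
                             "reasons": reasons})
    return findings
```

Run it over every mailbox the compromised account could access, not just the user's own, since delegated or shared mailboxes are diverted the same way.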
“This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity,” Mandiant notes. “Some indicators are ‘high-fidelity’ indicators of compromise, while other artifacts are so-called ‘dual-use’ artifacts.”
“Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. Analysis and verification will be required for these.”
Mandiant does caution that the tool “will not Identify a compromise 100% of the time, or tell you if an artifact is legitimate admin activity or threat actor activity.”
OneDrive users should get an additional layer of scrutiny
If your user is accessing Microsoft’s OneDrive, you’ll want to check the file dates of files on the cloud storage to see if anything has been tampered with or impacted by malware. Check Power Automate and Power Apps to determine whether post-exploitation command and control or custom command and control has been set up for the user in question.
Next, limit the reach of the user’s single sign-on and review which applications the account can access at http://myapps.microsoft.com. Then, as with consumer devices noted above, verify that all registered or joined devices for the user are legitimate in http://admin.microsoft.com and http://entra.microsoft.com.
It’s strongly recommended that you implement Center for Internet Security settings based on the license you have. Some of these recommended settings cannot be done with the cheapest Microsoft 365 license and require a Microsoft 365 Business Premium subscription at a minimum.