Create an AD sign-in honeytoken with Teams alerting
- Tutorials
- by Jacob Riggs
- 15-02-2024
This post aims to provide some insight into a new approach at tackling a particular type of phishing, and guidance on how to self-host your own honeytoken to help defend against it.
AitM (Adversary in the Middle) attacks targeting companies is nothing new. Attackers will typically recon to identify a company Azure Entra ID login page, such as the one we're commonly familiar with at https://login.microsoftonline.com, and then clone or proxy this page including all the cosmetic assets responsible for custom branding.
After cloning or proxying the page, attackers will attempt to serve this in phishing campaigns against unsuspecting employees. These cloned/proxied pages are tailored to harvest employee AD credentials and MFA tokens by means of interception, which can then be used to compromise company accounts.
A solution?
What if you could receive an immediate alert before any phishing could start? An alert that tells you the domain and IP the cloned page is hosted on? This would enable you to block access to that domain/IP before any phishing campaigns could even begin.
I recently came across an interesting blog post by Thinkst, a trusted and reputable deception technology supplier that specialises in detection engineering. They provide a number of free canarytokens, which includes the new release of an Azure Entra ID token, aimed at producing high quality alerts to help with this exact problem.
I got straight into testing this myself. In summary, the way it works is you add a piece of code to your Azure Entra ID sign-in page, then when an attacker clones and hosts that page on their own server your code detects this and sends you an alert.
For anyone interested in a simple deployment, Thinkst certainly have the best offering, and I'm a strong supporter of pretty much their whole product line. That being said, I did notice a few ways to improve the efficacy of this particular concept through a self-hosted solution. Below were my observations.
Thinkst Azure Entra ID Canarytoken
Pros
-
Super simple to deploy
-
Reputable supplier
-
Free
-
Token can be easily managed
Cons
-
Token pattern is consistent which may be easier for an adversary to identify than a self-hosted asset
-
Common privacy extensions strip the token out
-
Customer remains reliant on Thinkst to maintain hosting responsibility
My Self-Host Token
Pros
-
A bit harder for an adversary to detect
-
No detection from privacy tools (from my testing anyway)
-
Always free
-
Easier to hook directly into sending automated MS Teams alerts
Cons
-
A few more steps to deploy
-
No ability to easily manage the token
-
Requires a web server running PHP
If you're interested in self-hosting your own token, I have created a form below which will automatically create the necessary files for you to self-host.
All you need to do is:
-
Input your company name. This is used to make the token characteristics a little more convincing.
-
Input the directory path of where you want to host your static asset on your company website. I recommend creating a custom folder just for this purpose.
-
Input a Microsoft Teams webhook URL, which you can create by following the Create Incoming Webhooks guide.
Once you submit the form, the necessary files will be created in your browser, and can then be hosted as per the guidance provided once you submit the form.
Please note:
The form below executes client-side only. Files are dynamically generated by your browser using the values you submit in the form, and your browser then makes those files available for download. No submitted values, secrets, or files are sent to nor stored by my server at any time. When you close this page, any files you created but did not download while it was open will be lost.
Download the above 3 files, and host them at your specified URL path here:
Download the above CSS file.
Choose Layout, scroll down to Custom CSS, click Browse and choose the downloaded file.
Here is a summarised breakdown of the files created, which you are welcome to review yourself:
The PNG image
This is a small transparent image, which my code generates using randomised size dimensions. The reason the image uses randomised dimensions is to evade privacy focused browser extensions, which commonly flag 1px images as tracking pixels and strip them out to prevent them being served to the browser. The filename also incorporates the specified company name in a dynamic format to make it look more natural to an adversary should they clone your Azure Entra ID login page.
The PHP file
This contains the core code responsible for detection and alerting. First it ensures the image is served without delay, then it executes a number of functions responsible for checking the HTTP referer. If the referer domain is anything other than the host upon which the .php file resides or the two official domains expected from Microsoft for legitimate AD login, it will proceed to fire an alert to the MS Teams webhook you specified in the form. This alert will contain the unexpected refer domain and the IP address of that domain.
The .htaccess file
This contains a forced redirect to the PHP file for any browsers which attempt to render the PNG image. The PHP file is responsible for serving the image, and then executing the remainder of its code.
The CSS file
This contains a CSS 'background' call to fetch the PNG image from your specified web host directory path. Once this is uploaded to your Azure Entra ID login page as custom CSS, it will execute every time the page is loaded in a browser.
An example MS Teams alert when the honeytoken triggers can be seen below:
