Skip to content
Threat Feed
high advisory

Office 365 Concurrent Sessions Indicate Adversary-in-the-Middle (AiTM) Attack

An adversary may compromise user credentials and conduct an Adversary-in-the-Middle (AiTM) attack, granting them unauthorized access to an Office 365 account from multiple IP addresses simultaneously, potentially leading to data theft, account takeover, and internal phishing campaigns.

This analytic detects potential Adversary-in-the-Middle (AiTM) phishing attacks targeting Office 365 users. The technique involves an attacker intercepting and relaying communication between a user and the legitimate Office 365 service, bypassing multi-factor authentication. The attack begins by luring users to a fake login page, capturing their credentials and session cookies. The attacker can then use these stolen credentials to access the user's account, even with MFA enabled, and operate from different locations, resulting in multiple simultaneous logins from different IP addresses. This activity is significant because it can lead to data theft, account takeover, and internal phishing, severely impacting organizational security. The detection focuses on identifying 'UserLoggedIn' operations in Azure Active Directory logs, flagging sessions originating from multiple IP addresses.

Attack Chain

  1. The attacker crafts a phishing email that mimics a legitimate Office 365 communication, enticing the user to click on a link to a fake login page.
  2. The user, believing the page to be legitimate, enters their Office 365 username and password into the fake login page, which the attacker captures.
  3. If the user has MFA enabled, the attacker prompts the user to enter their MFA code on the fake login page, which is then relayed to the real Office 365 service.
  4. The attacker steals the session cookie and uses it to authenticate to Office 365, bypassing the need for further authentication.
  5. The attacker accesses the user's Office 365 account and begins to perform malicious activities, such as reading emails, accessing files, or sending internal phishing emails.
  6. The user may also legitimately access their Office 365 account from their usual location, leading to concurrent sessions from different IP addresses.
  7. Azure Active Directory logs the 'UserLoggedIn' operations, recording the different source IPs associated with the user's session.
  8. The attacker maintains persistent access to the compromised account, potentially exfiltrating sensitive data or launching further attacks within the organization.

Impact

A successful AiTM attack can have severe consequences. Victims may experience unauthorized access to their email, files, and other sensitive data stored within Office 365. Attackers may use compromised accounts to send phishing emails to other employees, leading to further compromise. The organization could suffer financial losses, reputational damage, and legal repercussions due to data breaches. While the number of victims is unknown, this attack type can broadly affect any organization using Office 365.

Recommendation

  • Deploy the provided Sigma rule (O365 Concurrent Sessions From Different IPs) to detect concurrent O365 sessions from different IP addresses by analyzing Azure Active Directory logs for 'UserLoggedIn' operations.
  • Implement MFA policies across the organization to reduce the risk of account compromise, although AiTM can bypass this control.
  • Educate users to recognize and avoid phishing emails, especially those requesting credentials or MFA codes, referencing the techniques described at https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ and https://github.com/kgretzky/evilginx2.
  • Investigate and remediate any detected instances of concurrent sessions promptly to minimize the potential impact.

Detection coverage 2

O365 Concurrent Sessions From Different IPs

high

Detects user sessions in Office 365 accessed from multiple IP addresses, indicating potential Adversary-in-the-Middle (AiTM) phishing attacks.

sigma tactics: credential_access techniques: T1185 sources: webserver, o365

O365 User Logged In From Multiple Countries

medium

Detects user sessions in Office 365 accessed from multiple countries, indicating potential credential compromise.

sigma tactics: credential_access techniques: T1185 sources: webserver, o365

Detection queries are available on the platform. Get full rules →