How to use Microsoft Entra | Internet Access to prevent AiTM attack(s)

Derk van der Woude
4 min readAug 1, 2023

--

While BEC (Business E-mail Compromise) attacks are prevented by Number Matching Multi Factor Authentication (enabled on global scale by Microsoft on May 8, 2023), AiTM (Adversary in The Middle) attacks are the next challenge.

AiTM is a type of phishing attack where the session cookie is stolen via a ‘in The Middle’ type of attack (e.g. EvilGinx; MiTM / AiTM) where the session cookie is replayed on the attacker’s computer to access the Office 365 (e.g. Exchange Online) bypassing credentials and MFA verification.

The current solutions to prevent AiTM phishing are: phish-resistant MFA (e.g. FIDO2, Windows Hello for Business or Certificate based authentication) or Entra ID | Conditional Access for Compliant Devices (Intune & Microsoft Defender for Endpoint) without exceptions like web access.

Microsoft Entra | Internet Access

With the Preview release of Microsoft Entra | Internet Access, there is a new network feature called Entra ID | Conditional Access for Compliant Networks. The 3rd solution to protect against AiTM attack(s) which has less impact (only a compliant network is required) compared to Compliant Devices and can be deployed for a scoped set of users (PoC or Pilot).

Disclaimer: Entra ID | Conditional Access for Compliant Devices prevents session cookie replay, but does not prevent phishing itself.

Requirements:
· Microsoft Entra | Internet Access
· Microsoft Entra ID | Conditional access policy for Compliant Networks
· Global Access Secure Client on the computer (supported O.S. Windows 10/11)

License requirements unknown atm. but I hope this feature will be part of the Entra ID P1 since it’s Conditional Access related. The more advanced features probablly will get their own license SKU

Setup

This part describes the setup of the required components of the Entra ID Compliant Network policy.

Setup | Global Secure Access
Enable Microsoft Entra | Global Secure Access -> Global settings -> Adaptive Access

This setting creates a new location in Entra ID | Conditional Access -> Named locations.

The All Compliant Network locations are all devices with the Global Secure Access Client (Branch Office is out out-of-scope of this document) deployed.

Setup | Global Secure Access
Enable Microsoft Entra | Global Secure Access -> Connect -> Traffic forwarding

If you do not enable Microsoft 365 profile, you will get an error message: Global Secure Access Client — Disabled by policy

Setup | Conditional Access
Create an Entra ID | Conditional Access policy with the following settings.

Assign the policy to selected user(s) (expand after test) and exclude all O.S. except Microsoft Windows (O.S. support for Android, iOS and MacOS coming soon imho).

Keep in mind: Android, iOS and MacOS are not supported atm. (can be abused if used to access portal.office.com).

Setup | Client
Install the GSA (Global Secure Access) Client on all devices in-scope (also the installer only supports Windows 10/11 atm.)

The client can be download from the Global Secure Access portal (Devices -> Clients)

After the client is installed, it is visible in the System Tray.

Ping to outlook.office.com verifies the traffic is routed via Microsoft’s SSE (Secure Service Edge).

Client Experience

The result on a device with the GSA (Global Secure Access) Client installed and in-scope of the policy: Outlook- and SharePoint Online can be accessed from a compliant network (= a device which traffic is routed via Microsoft’s SSE).

A stolen session cookie replayed on another computer will get the message You cannot access this right now

From a support matrix (Azure AD joined vs. BYOD and GSA Client enabled vs. not available).

Ps. since the product is in Preview always test before you deploy in production environments

--

--