7 AzureAD identity-related protection tips for protecting against new identity attacks like OAuth theft, MFA prompt spamming, AiTM, and MFA Phishing. #azureAD #MicrosoftSecurity
Links included for more information to earlier posted blogs.
A thread🛡️
Links included for more information to earlier posted blogs.
A thread🛡️
Tip 1: MFA fatigue / MFA spamming is growing. To protect against MFA spamming enable:
- Azure MFA number matching (preview)
- Show additional context in notifications (preview)
Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
- Azure MFA number matching (preview)
- Show additional context in notifications (preview)
Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
Tip 2: 1/2: Adversary-in-the-middle/ AiTM attacks are growing/ detected more in the wild. Prevention using:
- Use phish-resistant MFA
- Protect attacks using Conditional Access
- Use CA: Require device to be marked as compliant/ marked as HAADJ
jeffreyappel.nl/protect-agains…
- Use phish-resistant MFA
- Protect attacks using Conditional Access
- Use CA: Require device to be marked as compliant/ marked as HAADJ
jeffreyappel.nl/protect-agains…
Tip 2: 2/2 AiTM is bypassing some MFA factors - important is tracking sign-ins from different locations using MFA and using build-in detections part of the products (later in this thread more info). Data collection is possible using Sentinel or Log Analytics for custom hunting. 
Tip 3: 1/2 OAuth Consent Phishing attempts are growing. Some prevention tips:
- AzureAD: Disable user consent and use Consent workflow
- Review existing permissions using Defender for Cloud Apps
jeffreyappel.nl/protect-agains…
- AzureAD: Disable user consent and use Consent workflow
- Review existing permissions using Defender for Cloud Apps
jeffreyappel.nl/protect-agains…
Tip 3: 2/2 Microsoft detects OAuth Consent phishing based on multiple build-in detections:
- Enable Defender for Cloud Apps alerts (search in Cloud Apps for OAuth App)
- Use AAD Identity Protection workload identities for unusual additional and leaked credentials
- Enable Defender for Cloud Apps alerts (search in Cloud Apps for OAuth App)
- Use AAD Identity Protection workload identities for unusual additional and leaked credentials
Tip 4: Use Privileged Identity Management (PIM) and go for least privilege access and always verify. Important: Privileged Identity Management is no protection when attackers use AiTM and stolen cookies. Don't trust 100% on PIM
Tip 5: Microsoft security products generate alerts. For AiTM the following alerts are important (screenshot)
- For Defender for Cloud Apps - check of the templates are correctly enabled for sending alerts
- For Defender for Cloud Apps - check of the templates are correctly enabled for sending alerts
Tip 6: Some general tips, hopefully already configured:
- Enable MFA for all users and admins
- Block legacy authentication (DON't WAIT)
- Do not expire passwords
- Enable Continuous Access Evaluation/ CAE
- Use Conditional Access based on risk signals
- Enable MFA for all users and admins
- Block legacy authentication (DON't WAIT)
- Do not expire passwords
- Enable Continuous Access Evaluation/ CAE
- Use Conditional Access based on risk signals
Tip 7: Collect AzureAD logs in Sentinel or Log Analytics. (Standalone LA possible via Diagnostic Settings)
- create additional detection / hunting rules.
Tip: @reprise_99 did a good job based on KQL with awesome identity examples. github.com/reprise99/Sent…
This is it for now
- create additional detection / hunting rules.
Tip: @reprise_99 did a good job based on KQL with awesome identity examples. github.com/reprise99/Sent…
This is it for now
• • •
Missing some Tweet in this thread? You can try to
force a refresh
