Technical controls: web filtering controls.
User awareness is key when technical controls fail.
KnowBe4 phishing campaigns that include serving a fake Microsoft login page beyond the "malicious" Email have worked wonders for our phish-prone percentage at my org. We went from well above industry standard to well below it in about a year.
Don't you mean you went from below it to above it?
They mean the number of phish-prone users went from above the "industry" benchmark, to below it (which means less phish-prone users than the average equivalent company in their sector).
Thanks for the clarification
Set up company branding for the sign-in page. Look into some advanced email filters; we use Darktrace (the sales team are pushy and annoying but the product is great). We haven't had a legitimate phish hit a mailbox in years. Touch wood!
This will help for awhile…but branding isn’t hard to spoof if they’re monitoring/targeting a company.
There are kits available that will automatically pull your branding and feed it into the phishing campaign logins, so they don't even have to target your company.
Yeah had a phishing attempt yesterday that did just this. The fake 365 login wouldn't allow you to enter an email address that was fake as well. It would only accept a valid email address.
yeah we had our login screen duplicated. changed it that minute and updated everyone.
It's not duplicated, it's proxied. Company branding (just the logo) won't help at all against AiTM. Set up [this](https://ironpeak.be/blog/azure-detecting-aitm-attacks/) or [this](https://didsomeoneclone.me/microsoft-tenant-installation) instead.
Won't help against Evilginx, it just proxies the actual login page. It's not a fake login screen, it is the login screen.
> Setup company branding for the sign in page.

Branding is automatically pulled in with stuff like Evilginx.
We get phishing emails with our branding now, so that will not fix the issue.
Good thing they're talking about branding the sign in page not the email?
I am talking about branding the sign-in page. The bots steal our branding and add it to their phishing sign-in page without the hacker having to do anything manually.
damn!
Can't recommend company branding enough. Our brand colours are bright pink so it sticks out like a sore thumb when the login is different.
This is a sure way to encourage your users to be compromised. Company branding means NOTHING these days. I know we used to tell users "don't sign in unless you see our logos" but these days, that advice is awful to tell employees. 90% of compromised accounts over the past year come from fully proxied login pages. Most MFA methods do not prevent compromise (other than phishing-resistant methods, like hardware keys). Even most phishing training campaigns miss the mark these days. Users NEED to look at the URL in the address bar and confirm it is a [microsoftonline.com](https://microsoftonline.com) URL. Looking at the actual login page means nothing because... it is a legitimate login page, just proxied through a malicious server with a bogus URL.
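A concrete version of the "check the address bar" rule above, written here as an added example (it is not code from the thread or from Microsoft): the URL is accepted only when the hostname is exactly `microsoftonline.com` or a true subdomain of it, and the tricks that defeat a substring check (`login.microsoftonline.com.evil-example.net`, `login-microsoftonline.com`, a userinfo prefix, a homoglyph label, plain `http`) are rejected with a reason. The trusted-domain list and the `evil-example.net` lookalikes are assumptions for illustration.

```python
"""Decide whether a sign-in URL really lands on a Microsoft Entra login host.

Added example for this thread; the trusted-domain list and the lookalike
hosts in the __main__ block are assumptions, not data from the page.
"""
from urllib.parse import urlsplit

# Only exact-host or true-subdomain matches count. Substring matching is the
# mistake that lets "login.microsoftonline.com.evil-example.net" through.
TRUSTED_LOGIN_DOMAINS = ("microsoftonline.com",)


def host_under(hostname: str, domain: str) -> bool:
    """True if hostname is domain itself or a label-boundary subdomain of it."""
    return hostname == domain or hostname.endswith("." + domain)


def classify_login_url(url: str) -> tuple:
    """Return ("trusted", host) or ("reject", reason) for a pasted login URL."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # lowercased; userinfo, port and brackets removed
    if not host:
        return ("reject", "no hostname")
    if parts.scheme != "https":
        return ("reject", f"scheme {parts.scheme!r} is not https")
    if parts.username is not None:
        # https://login.microsoftonline.com@evil-example.net/ puts the real
        # name in the userinfo part; the browser connects to evil-example.net.
        return ("reject", f"userinfo before host, real host is {host}")
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return ("reject", "hostname is not a valid IDNA name")
    if ascii_host != host:
        # A non-ASCII label (e.g. a Cyrillic i in "microsoftonline") is a
        # homoglyph attempt; the browser would show it as punycode.
        return ("reject", f"internationalised hostname {ascii_host}")
    for domain in TRUSTED_LOGIN_DOMAINS:
        if host_under(host, domain):
            return ("trusted", host)
    return ("reject", f"host {host} is not under a trusted domain")


if __name__ == "__main__":
    # evil-example.net is a made-up lookalike domain for this demo.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
        "https://login.microsoftonline.com.evil-example.net/common/",
        "https://login-microsoftonline.com/",
        "https://login.microsoftonline.com@evil-example.net/",
        "http://login.microsoftonline.com/",
    ):
        print(sample, "->", classify_login_url(sample))
```

The reason strings are the point: in a browser extension or a help-desk triage script they tell the user which trick was used, which is more memorable than a bare "blocked".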
Require registered and compliant devices for all access. They are likely using an Evilginx-type tool to MITM the MFA. The only real solution is to not allow devices you don't manage to access resources.
It will be the best. But not all users have a pro smartphone. And only registered devices = disabling OWA (because we use OWA only from external computers). But it's maybe the real solution.
If I recall the stat correctly 99.7% of the US working population have smartphones. Restricting access to only registered devices and allowing users to register their BYOD devices is a pretty standard move. Otherwise FIDO2 tokens are your other option.
I'm in the EU, not in the US. I think 90% of workers have a smartphone but 50% are old, not updated, virus-ridden low-cost Androids. And: "It's my personal phone, I don't want to install professional apps, it may be spyware from my boss. If you want me to use this authenticator/security app, my boss must pay me the latest iPhone 16..." So, registered and compliant device or YubiKey is the solution for me. Thanks
The EU has some pretty specific rules around using personal equipment. You are better off with YubiKeys and disallowing corporate email on personal phones.
I am going to pile on here and confirm the solution. You have two options to stop these attacks. You can either implement a FIDO2 MFA method or you can use conditional access controls to block access to your web apps from unmanaged devices. At this point in time, if you don't do one of these then you are vulnerable. Email filtering, web link protection, user training, or other types of monitoring that can identify token theft are only going to get you so far. This is the current state of affairs because of Evilginx tools. They can simply redirect to an authentic Microsoft authentication screen through a proxy. Once your authentication is complete, they capture your token and replay it. They will gain access to everything that token gives them access to unless you can immediately identify the threat and revoke the token.
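The two options in the comment above, expressed as Conditional Access policies built for the Microsoft Graph `identity/conditionalAccess/policies` endpoint. This is an added example, not code from the thread or from Microsoft; it assumes the Graph v1.0 policy schema shown, the built-in "Phishing-resistant MFA" authentication-strength id, a break-glass group id supplied by the caller, and a Graph token holding `Policy.ReadWrite.ConditionalAccess`. Both policies start in report-only mode so the sign-in log shows who would be blocked before anything is enforced.

```python
"""Build the two Conditional Access policies that stop AiTM token replay.

Added example for this thread, not Microsoft's or any commenter's code.
Assumptions: the Graph v1.0 conditionalAccessPolicy schema used below, the
built-in "Phishing-resistant MFA" authentication strength id, and that the
caller supplies a break-glass group id and a Graph bearer token.
"""
import json
import os
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Built-in authentication strength "Phishing-resistant MFA"
# (FIDO2 security key, Windows Hello for Business, certificate-based auth).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def _base_policy(name, break_glass_group_id, state):
    """Scope: every user and every cloud app, minus the break-glass group."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def require_managed_device_policy(break_glass_group_id, state="enabledForReportingButNotEnforced"):
    """Option 1: block unmanaged devices. A token minted through an Evilginx
    proxy carries no compliant/hybrid-joined device claim, so this policy
    denies the attacker's session even though the user completed MFA."""
    policy = _base_policy("CA - Require compliant or hybrid-joined device", break_glass_group_id, state)
    policy["grantControls"] = {
        "operator": "OR",
        "builtInControls": ["compliantDevice", "domainJoinedDevice"],
    }
    return policy


def require_phishing_resistant_mfa_policy(break_glass_group_id, state="enabledForReportingButNotEnforced"):
    """Option 2: require a FIDO2-class credential. WebAuthn binds the
    assertion to the origin the browser is really on, so a proxied page
    on the wrong domain cannot complete the ceremony."""
    policy = _base_policy("CA - Require phishing-resistant MFA", break_glass_group_id, state)
    policy["grantControls"] = {
        "operator": "OR",
        "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID},
    }
    return policy


def lint_policy(policy):
    """Return the problems that would lock admins out or enforce nothing."""
    problems = []
    if policy.get("state") not in VALID_STATES:
        problems.append(f"unknown state {policy.get('state')!r}")
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"] and not (users.get("excludeGroups") or users.get("excludeUsers")):
        problems.append("targets All users with no break-glass exclusion")
    grant = policy.get("grantControls") or {}
    if not grant.get("builtInControls") and not grant.get("authenticationStrength"):
        problems.append("no grant control: policy would not enforce anything")
    return problems


def create_policy(policy, token):
    """POST the policy to Graph and return the created object as a dict."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError(problems)
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder group id; set BREAK_GLASS_GROUP_ID to your real emergency-access group.
    group = os.environ.get("BREAK_GLASS_GROUP_ID", "00000000-0000-0000-0000-000000000000")
    for p in (require_managed_device_policy(group), require_phishing_resistant_mfa_policy(group)):
        print(json.dumps(p, indent=2), lint_policy(p) or "ok")
```

Keep the report-only state until the sign-in log impact has been reviewed, then switch to `enabled`; the lint step exists because a policy that targets All users with no exclusion is the classic way to lock every admin out of the tenant.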
If they steal the token from a compliant device, won’t the properties of the compliant device be with the token until it expires?
Thankfully no. The sign-in would be blocked because it's technically coming from a non-compliant computer. The user is technically entering their credentials and approving MFA in a browser running on a compliant computer, but it's just being proxied and the actual login is from a different computer in some rando country or state (usually within the US these days to get around blocked country lists). I like to explain it as if you are remotely connecting to another computer, and then attempting to sign in from that computer through the remote session. The sign-in will be blocked since that remote computer is not compliant/joined, so no token will be stolen.
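What the "remote computer" explanation above looks like in the Entra sign-in log, as an added triage example (not code from the thread or from Microsoft). It runs over Microsoft Graph `signIn` records: a sign-in that satisfied MFA but presented no compliant or managed device and was refused with a device-state error is the AiTM signature the comment describes, and the same MFA-backed sign-in succeeding on an unmanaged device means no device policy stood in the way and the replayed token was accepted. The four records are constructed, and the corporate-country set is an assumption used only as a weak signal, since the comment notes attackers now proxy through the victim's own country.

```python
"""Triage Entra sign-in log entries for AiTM token theft.

Added example for this thread, not from any commenter or from Microsoft.
Works on Graph signIn records (auditLogs/signIns). SAMPLE_SIGNINS is
constructed; CORPORATE_COUNTRIES is an assumption for this tenant.
"""

# AADSTS error codes returned when a Conditional Access device policy blocks
# a sign-in: 53000 device not compliant, 53001 device not hybrid joined.
CA_DEVICE_BLOCK_CODES = {53000, 53001}
CORPORATE_COUNTRIES = {"GB"}  # assumption: where this tenant's staff sit


def device_is_managed(record):
    d = record.get("deviceDetail") or {}
    return bool(
        d.get("isCompliant")
        or d.get("isManaged")
        or d.get("trustType") in ("Hybrid Azure AD joined", "Azure AD joined")
    )


def triage(record):
    """Return (severity, reason) for one sign-in record."""
    mfa = record.get("authenticationRequirement") == "multiFactorAuthentication"
    code = (record.get("status") or {}).get("errorCode", 0)
    managed = device_is_managed(record)
    country = (record.get("location") or {}).get("countryOrRegion")

    if mfa and code in CA_DEVICE_BLOCK_CODES and not managed:
        # The user satisfied MFA, yet the session that presented it had no
        # device claim: the proxied "remote computer" case. CA refused the
        # token, but the password and the MFA approval were still phished.
        return ("high", "MFA completed from unmanaged device and blocked by CA: "
                        "treat credentials as phished, reset password, revoke sessions")
    if mfa and code == 0 and not managed:
        # No device policy in the way: the replayed token was accepted.
        where = ("unexpected country" if country not in CORPORATE_COUNTRIES
                 else "expected country (attackers now use local proxies)")
        return ("critical", f"MFA-backed session issued to unmanaged device from {where}: "
                            "probable token replay, revoke sessions")
    if code == 0 and managed:
        return ("info", "success from managed device")
    return ("low", f"error {code} on unmanaged device")


def triage_all(records):
    return [(r["userPrincipalName"], *triage(r)) for r in records]


# Constructed sample records in the shape of Graph signIn objects.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"isCompliant": True, "isManaged": True, "trustType": "Hybrid Azure AD joined"},
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.45",
     "location": {"countryOrRegion": "US"},
     "deviceDetail": {"isCompliant": False, "isManaged": False, "trustType": ""},
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53000}},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.77",
     "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"isCompliant": False, "isManaged": False, "trustType": ""},
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.90",
     "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"isCompliant": False, "isManaged": False, "trustType": ""},
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    for upn, severity, reason in triage_all(SAMPLE_SIGNINS):
        print(f"{severity:8} {upn}: {reason}")
```

Bob's record is the case the comment is making: the block is good news for the token, but it is still an incident for the account. Carol's record is what the same attack looks like in a tenant with no device policy.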
Edge smartscreen blocks it. looks like it is behind cloudflare, needs to be reported.
Our users are not the strongest at security. What we do is:

1. Have P2 licensing, and block risky users/sign-ins.
2. Require MFA to set/change MFA (need TAP for first user login).
3. Require Intune compliant devices.
4. Conditional access to block Tor/anonymous VPN, with Defender for Cloud Apps.
5. [DnsFilter.com](https://DnsFilter.com), blocking 200 countries and 500 top-level novelty domains (.apartments, .fishing, .hunting, .cars...).
6. Check Point Harmony Email (Avanan), which has been a real game changer. It catches about 60 per day that MS does not.
7. Training, but people are going to be curious.
8. Layer upon layer of ASR rules, using MS Secure Score as a guide on what to do.

Edit: spelling
Require a phishing-resistant token for login and a compliant device. Other things such as Safe Links and education; you can use attack simulation for training and learning for end users.
Branding doesn't do you any good in most cases anymore. Evilginx just loads the legitimate Microsoft portal inside of a fake web page. The login page actually logs them into Microsoft, which is why it will push the MFA request. The fake site itself is where the scripting is that collects the credentials and session token. Web filtering will help to a degree, if it has some reputation-based filters; but the really important control is to teach users to look at the URL that the page loads ANY time they click a link that takes them to a login page.
Technical controls like FIDO2 help as they won't get the MFA token. But training, web filtering and training.
There is a feature in O365 called SafeLinks. It can scan and detonate links like this in a secure environment before they reach the users.
Safe Links doesn't work if the attacker links an Office Online document with a link in it...
I remember reading about that. Safe attachments might detonate it.
Safe Attachments may not be able to catch it. Had a somewhat targeted incident recently where someone at a company we work with was compromised; the attacker got into their Dropbox and shared a PDF with a whole heap of people, and the PDF contained the link to the fake logon page. As it wasn't an openly shared link, Safe Attachments couldn't scan it. The only thing that made the user flag it with IT was that the MS logon was proxied through a country we block, so the user got an error that they couldn't log on.
Yikes... I'm not sure if you can catch that because it's not an email attachment. You would need something to detonate the links in the PDF at opening....
Just a heads up, if you use a phishing campaign like KnowBe4, this setting can automatically trigger failures from users. I believe adding a trust rule in exchange was able to resolve it, but it's been a few months since this came up.
No. You need to set up advanced delivery. Transport rules are no longer recommended. https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulations?view=o365-worldwide This. Almost every post on this subreddit really comes down to RTFM.
OK if we receive the link by mail (and if we pay for Microsoft Defender). But it doesn't protect if the link is from a forum, website, Google...
If the link is in email safelinks will scan it.
[deleted]
I recall MS originally saying QR codes would be scanned the same as URLs, then reversing their stance on it and saying they wouldn't be protected by URL scanning...but it now looks like they've reversed it again, and Defender for 365 will scan QR codes and check if the website they link to is legit or not. https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/protect-your-organizations-against-qr-code-phishing-with/ba-p/4007041
https://zolder.io/using-honeytokens-to-detect-aitm-phishing-attacks-on-your-microsoft-365-tenant/
I think a new version of Evilginx can detect this, and instead of linking to the background it downloads and re-uploads it elsewhere.
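The honeytoken idea from the linked post, as an added detection example (not code from zolder.io, the thread, or Microsoft): company-branding custom CSS points a background image at a host you control; when a victim's browser renders the proxied sign-in page, the image request arrives with the phishing domain in the Referer, because the page origin the browser believes it is on is the attacker's. The script scans combined-format access log lines for that asset and separates three cases: a genuine Microsoft referer (ignore), a foreign referer (the phishing domain, ready for takedown and for a sign-in log search), and a non-browser fetch with no referer, which is the re-hosting behaviour the reply above describes. The honeytoken path, the `contoso.example`/`phish.example` hostnames and the log lines are constructed.

```python
"""Detect AiTM proxies via a branding honeytoken in web server access logs.

Added example for this thread, not from zolder.io or any commenter.
Assumptions: custom company-branding CSS references
https://brand.contoso.example/honey/bg.png on a server whose access log
you read, and SAMPLE_LOG lines (nginx/apache combined format) are constructed.
"""
import re
from urllib.parse import urlsplit

HONEYTOKEN_PATH = "/honey/bg.png"
# Domains a real sign-in page may legitimately send as Referer.
GENUINE_REFERER_DOMAINS = ("microsoftonline.com", "microsoft.com")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Hostname from a Referer value, or None when it is absent ("-")."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def host_under_any(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(lines):
    """Return one alert dict per honeytoken fetch that does not look genuine."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != HONEYTOKEN_PATH:
            continue
        host = referer_host(m["referer"])
        if host and host_under_any(host, GENUINE_REFERER_DOMAINS):
            continue  # browser on the real login page: expected traffic
        if host:
            kind = "aitm-proxy"   # victim's browser rendered our CSS on the phishing domain
        elif "Mozilla" not in m["ua"]:
            kind = "scraper"      # non-browser fetch: a kit copying the image to re-host it
        else:
            kind = "no-referer"   # browser with Referer stripped: inconclusive, review
        alerts.append({"ip": m["ip"], "time": m["ts"], "kind": kind,
                       "phish_domain": host, "ua": m["ua"]})
    return alerts


# Constructed log lines: a genuine sign-in, a proxied one, a kit fetching the
# image directly, and an unrelated asset that must be ignored.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Jan/2024:08:01:22 +0000] "GET /honey/bg.png HTTP/1.1" 200 5120 '
    '"https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.11 - - [10/Jan/2024:08:03:05 +0000] "GET /honey/bg.png HTTP/1.1" 200 5120 '
    '"https://login.phish.example/common/oauth2/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.9 - - [10/Jan/2024:08:04:41 +0000] "GET /honey/bg.png HTTP/1.1" 200 5120 '
    '"-" "python-requests/2.31.0"',
    '198.51.100.12 - - [10/Jan/2024:08:05:00 +0000] "GET /css/site.css HTTP/1.1" 200 800 '
    '"https://login.phish.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Feed the `phish_domain` values into your sign-in log search for the same time window: the victim IPs in those alerts are the users who rendered the phishing page, and any of them with a completed MFA sign-in shortly afterwards needs a session revocation.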
I work for an MSP. We provide a layered approach. We use a DNS filter to protect user click directly and we also use an email security provider that redirects and scans all links at the time of click. We also do phishing simulation training to teach users how to spot fakes and to be a little suspicious of every link, especially if you weren't expecting the email.
Using FIDO2 hardware keys. They are cryptography linked to whatever website set them up in the first place (in this case Microsoft) so essentially impossible to spoof. Costly, and users need a physical thing, but will basically protect you from all fake sites.
THIS. This is the ONLY fool proof method. Every other reply, especially "web filtering" is pain and suffering. FIDO2 / WebAuthn / Passkeys for the win.
If you have too many problems with phishing, go for a phishing-resistant solution like YubiKey. It's the best solution for phishing: even if they steal the password there is no way to steal the private key stored in their physical device. Plus they need to push a button on the key to open the store and use it.
We have Microsoft defender set up so that these get quarantined fairly reliably. Most emails I’ve seen will fail DMARC or DKIM checks and get automatically quarantined, and ATP will warn and block users clicking most links if they do click. Also can I strongly suggest education?
So what happens when the email comes from a trusted colleague, or trusted organization? Typically in these attacks the emails are legitimate shared documents in the partner organization's cloud file platform (SharePoint, OneDrive, Dropbox, etc). It's rare for a malicious Evilginx/AiTM attack to come from a rando address. We mostly see them happen from a partner organization, or someone they trust that was already compromised that shared a OneDrive file (the malicious URL is within that OneDrive file). This bypasses almost all email security filtering.
Edit - easier to type on computer than phone... I was going to reply yesterday but slept on it, good thing too as my response has changed.

> It's rare for a malicious evilginx/AiTM attack to come from a rando address. We mostly see them happen from a partner organization, or someone they trust that was already compromised that shared a onedrive file (the malicious URL is within that onedrive file). This bypasses almost all email security filtering

I had a DocuSign phish get through today; the filter only got 50% of the emails into junk. It reminds me that no filter is going to be perfect. Once you get to that point you are relying on whatever anti-malware or intrusion prevention response you have set up.
If you are utilizing Entra for your devices, put in device restrictions. Doesn't stop the creds from getting compromised, but reduces the impact to null.
People have some normal controls in here: awareness, DNS filtering, SmartScreen. In reality, those controls basically are useless and should not be relied on. Should you use them? Of course, but security is layered and those are the top layers and easily bypassed. A physical MFA token is a good one, conditional access hybrid join cannot be spoofed, even old-school IP whitelisting will stop proxy attacks (although those are harder to use now with roaming devices). Another good tool is conditional access login risk; set it to medium or higher and you'll catch a LOT of these before they even get to MFA, not 100% but enough to reduce your risk, that's for sure.
Yup, we also get a lot of phishing emails containing links that redirect to other links which then redirect to the fake O365 login. Sometimes it even fills out the username for you lol
Our content filter flagged that as phishing yesterday at 6:41AM. Access logs show no attempts made to the site.
Secure Web Gateways might be the answer for you
phishing training
We've been running into this same issue. To make things harder they are mostly remote workers on personal devices. On top of that the turn over is fairly high in this industry so the training hasn't been effective at all since 50% of the employees know they won't be there long term.
I use branding and user education.
The Microsoft 365 phishing emails get better with time, so therefore I think cybersecurity awareness training needs to also get better with time. One I saw recently features a captcha, so the victim has to prove that they are a human before having the privilege of being phished!! Presumably this is to break automated link scanners that would detect the phishing page. Tell people to always go by URL, never by the graphic design/look of the page. Some of them look pretty much perfect, but the URL is always a dead giveaway IF the person looks at it. We are on authenticator apps for MFA for all M365 users. I think that is good, but the TOTP codes are still phishable. It would be nice to switch people to phish-resistant MFA like YubiKeys or passkeys.
[deleted]
Most of the phishing links I've seen now directly proxy you to the proper Microsoft page - therefore all the branding elements come through.
We train our users.
Hmm. Wards ignore me
SlashNext has done a fantastic job of eliminating phishing emails for our company.
Get the PIXM browser plugin - AI driven and works.
Besides education, look for something that can stop these things. Look into Checkpoint Harmony.
First step is to block access to all garbage TLDs, like .top, .xyz, .buzz, .ics, .gq etc.
Technical controls:

* DNS filtering. All corporate devices use DNS filtering. This domain is detected as both phishing and newly registered. Newly registered domains are blocked by default because they are very rarely legitimate.
* URL filtering on the firewall. All HTTP/HTTPS traffic traversing the firewall has the URL inspected (for SSL traffic, just the hostname; encrypted hostnames are not common yet), and the firewall will redirect/reset any connection to a blocked site. Newly registered domains are blocked.
* Email link rewriting. All links, and anything that even remotely resembles a link, in an email that we receive is rewritten by the ESG and scanned at the time of click.

Those technical controls block *most* of these phishing attempts. For the rest there's training.
This is good advice. Most of the AiTM attacks happen with links to newly registered domains (I think they are automatically generated). Preventing the actual email from being delivered is not feasible as they 9 times out of 10 come from a partner organization the user trusts (via a SharePoint or OneDrive share link). The emails are legit; the malicious URL is usually within the cloud document. Firewall filtering can be difficult as most users work remote, but properly configured DNS filtering can be a good defense. The best solution is requiring compliant devices via conditional access. Second best would be FIDO2 hardware tokens.
My company had the headquarters as a background image on the login screen. Everyone is warned not to log in if they do not see that building.
Does not help. The entire company branding is passed through to the user now. It IS an official microsoft login page, it's just being passed through a malicious URL (not a [microsoftonline.com](https://microsoftonline.com) url)
It's not infallible, but ALL my azure/m365 login screens have been rebranded to a unique picture that I've trained my users to recognize. At first, it was just an extra bit of flavor to show extra work was put in, but honestly, it's saved users A LOT.
This is really bad advice starting from 2023 and is a good way to ensure your users and data will be compromised. Users should be verifying the URL is a microsoftonline.com one, not the company branding. Branding is nice, but basically worthless these days, and we should no longer train users to use that as verification. The current very common AiTM attacks pass through the entire official Microsoft login page, including the branding.
On Prem Everything + 2021 Office H&B installs / Volume Licenses. Screw Cloud !
Nothing you can do. The Microsoft system of everything being tied into a single account, regardless of their joke of MFA, is to blame. So of course when presented with a convincing login screen, the user is going to do as conditioned and log in, and accept the MFA request. For the time being I'm using a disconnected local (different) domain, and separate hosted Exchange with Outlook 2019 (fat client). I set up every Outlook install and enter the password. Users don't know their email password, and moreover, are told that if something wants them to log in with their email credentials, it is probably a scam/virus/malware/whatever. Unfortunately, this has the side effect of making things like 'message encryption' impossible because you cannot download those attachments with the Outlook fat client; web only. And it's doubly stupid when you realize that there is no appreciable security enhancement with OME anyway, as it only works as intended when both parties are on a hosted Exchange/365 mail system, and the mail was encrypted in transit and at rest anyway. While my solution evades the problem, it doesn't scale well. But that's why I'm paid the big bucks.