Microsoft Defender XDR Threat Intelligence has uncovered an active Adversary-in-the-Middle (AiTM) attack campaign involving brand-impersonating OAuth applications. The attackers deployed malicious OAuth apps mimicking Adobe and DocuSign to steal credentials via phishing emails.
Key Findings from the Report
- Malicious OAuth apps were published to compromised Azure tenants.
- Phishing emails directed victims to these apps, enabling credential harvesting.
- Attackers combined OAuth consent grants with AiTM phishing techniques.
🔗 Full Report: Microsoft Threat Intelligence Report
You Should Know: Mitigation Steps & Practical Defense Techniques
1. Enable Phishing-Resistant MFA & Conditional Access (CA)
```powershell
# Enable MFA via Azure AD (Entra ID) with the legacy MSOnline module.
# Set-MsolDomain -Authentication only takes Managed or Federated; per-user MFA
# is set through Set-MsolUser -StrongAuthenticationRequirements.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
Set-MsolUser -UserPrincipalName user@yourdomain.com -StrongAuthenticationRequirements @($req)

# Enforce Conditional Access for high-risk sign-ins (AzureADPreview module)
New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA for High-Risk Logins" -State "enabled" -Conditions @{...}
```
2. Implement Identity Protection & Session Controls
```powershell
# Cap access-token lifetime at one hour with a token lifetime policy (AzureADPreview module).
# Set-AzureADPolicy edits an existing policy by -Id; a new policy is created with New-AzureADPolicy.
# Sign-in frequency (SIF) itself is a Conditional Access session control, not a token lifetime policy.
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"01:00:00"}}') -DisplayName "OneHourAccessToken" -Type "TokenLifetimePolicy" -IsOrganizationDefault $false
```
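Steps 1 and 2 together describe one Conditional Access policy: phishing-resistant MFA on risky sign-ins plus a sign-in frequency so a session relayed through an AiTM proxy does not stay usable for long. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft's documentation. It assumes the SDK is installed, the caller holds `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`, and the break-glass object id is a placeholder you replace with your emergency-access account.

```powershell
# Added example (not from the original post): one Conditional Access policy
# covering steps 1 and 2, built with the Microsoft Graph PowerShell SDK.
# Assumptions: SDK installed, caller has Policy.ReadWrite.ConditionalAccess and
# Policy.Read.All, $breakGlassId is a placeholder for your emergency-access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Resolve the built-in "Phishing-resistant MFA" authentication strength by name
# instead of hard-coding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' authentication strength not found" }

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object id

$policy = @{
    displayName = "Require phishing-resistant MFA for risky sign-ins"
    # Report-only first: review the sign-in log for unexpected hits before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high", "medium")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }   # FIDO2 / Windows Hello / certificate only
    }
    sessionControls = @{
        # Step 2: force re-authentication every hour on risky sessions, which bounds
        # how long a session token captured by an AiTM proxy remains usable.
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 1 }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The `signInRiskLevels` condition depends on Identity Protection, so the policy only evaluates on tenants licensed for it; switch `state` to `enabled` once the report-only results look right.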
3. Monitor OAuth Apps with Defender for Cloud Apps
```powershell
# List all OAuth apps in your tenant (AzureAD PowerShell module).
# The tag filter keeps the service principals that appear under Enterprise applications.
Get-AzureADServicePrincipal -All $true | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" }
```
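Listing the apps is the starting point; the question an analyst actually has is which of them look like the campaign described above: a display name borrowing a brand such as Adobe or DocuSign, no verified publisher, an owner tenant other than your own, and delegated grants for mailbox or identity scopes. The following added example (written for this page, not code from the original post or from Microsoft) joins each service principal with its OAuth2 permission grants and reports only apps that match that pattern. It uses the Microsoft Graph PowerShell SDK rather than the retired AzureAD module and assumes `Application.Read.All` and `DelegatedPermissionGrant.Read.All`; the brand list and risky-scope list are assumptions to tune for your tenant.

```powershell
# Added example (not from the original post): audit OAuth apps for the
# brand-impersonation pattern using the Microsoft Graph PowerShell SDK.
# Assumptions: SDK installed; caller has Application.Read.All and
# DelegatedPermissionGrant.Read.All; $brands and $riskyScopes are tuning choices.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All" -NoWelcome
$ourTenant = (Get-MgContext).TenantId

$brands      = @("Adobe", "DocuSign")
$riskyScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                 "User.Read.All", "offline_access")

# Index delegated grants by the client service principal that received consent.
$grantsByClient = @{}
foreach ($g in Get-MgOauth2PermissionGrant -All) {
    if (-not $grantsByClient.ContainsKey($g.ClientId)) { $grantsByClient[$g.ClientId] = @() }
    $grantsByClient[$g.ClientId] += $g
}

$props = "Id,AppId,DisplayName,AppOwnerOrganizationId,VerifiedPublisher,CreatedDateTime"
$findings = foreach ($sp in Get-MgServicePrincipal -All -Property $props) {
    # Union of space-separated scopes across all grants for this app.
    $scopes = @()
    if ($grantsByClient.ContainsKey($sp.Id)) {
        $scopes = $grantsByClient[$sp.Id].Scope -split ' ' | Where-Object { $_ } | Sort-Object -Unique
    }

    $reasons = @()
    if ($brands | Where-Object { $sp.DisplayName -match $_ }) { $reasons += "brand-like name" }
    if (-not $sp.VerifiedPublisher.DisplayName)                { $reasons += "no verified publisher" }
    if ($sp.AppOwnerOrganizationId -and $sp.AppOwnerOrganizationId -ne $ourTenant) {
        $reasons += "owned by foreign tenant $($sp.AppOwnerOrganizationId)"
    }
    $hit = $scopes | Where-Object { $riskyScopes -contains $_ }
    if ($hit) { $reasons += "risky scopes: $($hit -join ',')" }

    # Report apps with a brand-like name plus at least two further signals;
    # a genuine Adobe or DocuSign app has a verified publisher and drops out here.
    if (($reasons -match "brand-like") -and $reasons.Count -ge 3) {
        [pscustomobject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            Created     = $sp.CreatedDateTime
            Scopes      = $scopes -join ' '
            Reasons     = $reasons -join '; '
        }
    }
}

$findings | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it on a schedule and diff the output; a new hit created in the last day or two, consented by a handful of users, is the shape of the consent-grant step this report describes and is worth pulling the sign-in logs for that `AppId`.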
4. Disable Risky App Consent Permissions
```powershell
# Restrict user consent for OAuth apps (MSOnline module)
Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
```
5. Enable Automatic Attack Disruption in Defender XDR
```powershell
# Check Defender XDR attack disruption status
Get-MdeAttackDisruptionStatus
```
Additional References for Detection & Mitigation
- Entra ID Attack & Defense Playbook – AiTM Chapter
- Consent Grant Attack Mitigation Guide
- BleepingComputer: Malicious Adobe & DocuSign OAuth Apps
- MDTI: AiTM Credential Phishing
What Undercode Say
AiTM attacks leveraging OAuth apps are becoming more sophisticated. To defend against them:
- Audit all OAuth apps (`Get-AzureADServicePrincipal`).
- Enforce phishing-resistant MFA (FIDO2, Windows Hello).
- Use Defender for Cloud Apps to detect malicious apps.
- Block legacy authentication (`Disable-ExchangeLegacyAuth`).
- Monitor sign-in logs (`Get-AzureADAuditSignInLogs`).
🔹 Linux Admins: Use `jq` to parse Azure logs:

```sh
# Assumes the export is a JSON array of sign-in records; iterate it with .[]
# (running select on the array itself errors with "Cannot index array")
jq '.[] | select(.riskLevel == "high")' azure_logs.json
```
🔹 Windows Admins: Hunt for suspicious processes:

```powershell
Get-Process | Where-Object { $_.Company -notmatch "Microsoft" }
```
🔹 Network Defense: Block malicious IPs via `iptables`:

```sh
iptables -A INPUT -s 192.168.1.100 -j DROP
```
Expected Output:
✅ Secure OAuth apps with strict consent policies.
✅ Deploy Defender XDR for automatic disruption.
✅ Train users to spot phishing attempts.
Prediction
Future AiTM attacks may exploit AI-generated phishing emails and multi-cloud OAuth abuse. Stay vigilant with continuous access reviews and zero-trust policies.
References:
Reported By: Sami Lamppu – Hackers Feeds