Stop hackers from stealing your Microsoft 365 user's passwords

  • Added 11. 09. 2024

Comments • 72

  • @wcdunn 10 months ago +4

    Really great stuff Merrill. Thanks for putting such a good demo together.

  • @NeilNatic 9 months ago +1

    Thanks so much for this! I learned that requiring compliant devices actually prevents these man-in-the-middle attacks. I didn't realize that previously, and we have this enabled throughout our environment. Thank you!

    • @merillx 9 months ago

      That is awesome news Neil! Thank you for sharing. Helping raise more awareness about this is why I made this video. 🙌

  • @dpmcalli 10 months ago +3

    Fantastic video. It's the kind of thing I plan to present to higher-ups at some point to highlight the importance of phishing-resistant MFA. Thanks for the inspiration.

    • @merillx 10 months ago +2

      Go for it! Let me know if you need any help. I'm planning on making another video showing how to set up EvilGinx in

    • @dpmcalli 10 months ago

      @merillx That would be a great follow-up video. I've had a play with EvilGinx, but it would be great to have a walkthrough video.

  • @JustinOnTheNet 10 months ago +1

    Thanks Merill, a really useful video! I think we'll be using Windows Hello moving forward 🙂

  • @Seeknay747 10 months ago +1

    This is an excellent video! Very clear and on point! Thank you!

    • @merillx 10 months ago

      Cheers tx @seeknay747

  • @harisaud9420 10 months ago

    Bloody Legendddd 👌👌 Thank you brother, I'm pretty sure you saved many souls here !!

  • @fbifido2 9 months ago +3

    Thanks. You showed how to use passkeys (Windows Hello & FIDO2).
    Can you show the other two options for signing in?
    1. Certificate-based
    2. Passkeys

    • @merillx 9 months ago +1

      Passkeys is not available yet on Entra, once it does I'll do a post that shows both of them and also share which one is more secure :)

  • @dancingkidkul9325 6 months ago +1

    Hi Merill,
    Thanks for making this.
    Quick question.
    How is it going to check whether the device is compliant or not? Is it the device compliance policy from Intune, or what is it?

  • @chadmiya 7 months ago +1

    Thanks for the great info. It appears that the user's password is still obtained by the attacker since CA takes effect after the user authenticates. I guess this stresses the need to move to passkey authentication.

  • @anthonyp3961 10 months ago

    Awesome demo! Thank you!

  • @SimonVassallo 10 months ago

    Excellent demo, much appreciated 👍

    • @merillx 10 months ago

      Tx. Glad you enjoyed it Simon!

  • @nickriley1598 10 months ago

    Thanks Merill - great video - really useful.

  • @HiAleks 7 months ago

    WOW impressive, thank you for material, clear as crystal water.

    • @merillx 6 months ago

      Thank you! Cheers!

  • @sethzwicker3631 9 months ago +1

    Amazing video. Thank you! So, simply requiring a compliant device will fight MitM attacks? Even if they have pulled the token?

    • @merillx 9 months ago

      Device compliance will block MitM. They won't even have the option to get a valid token.

    • @sethzwicker3631 9 months ago

      @merillx What if the policy is implemented AFTER the initial token pull?

    • @merillx 9 months ago +1

      Then it will stop working when the access token expires (usually

  • @andrews13 3 months ago

    Perfect!!

  • @trtrdir 10 months ago +1

    Great demo Merill!
    It's very clear and useful.
    If possible, could you hint what the minimum O365 license required for all of this to work is?
    How will 'Windows Hello for Business' work with mobile devices (iPhone/Android)?

    • @merillx 10 months ago +1

      Sure. For conditional access policies you need a minimum of Entra ID P1 (almost all Microsoft 365 licenses include this).

    • @merillx 10 months ago +1

      On mobile devices the Windows Hello for Business alternative is the new passkey option in Android and Apple devices (using Touch ID as an auth). It's not available yet and is scheduled to go into public preview early next year.
      For now, the way to protect mobile devices is through the Device Compliance conditional access policy.

  • @Jabaha777 10 months ago +3

    Wait, if the user was using a Windows Hello PIN code instead of biometrics, would that still be phishing resistant?

    • @merillx 10 months ago +4

      YES! There is no difference in phishing resistant strength between using PIN and biometrics. They are both used to unlock the private key stored on the device's TPM chip.

    • @daw5891 9 months ago

      @merillx They are not stored on the TPM but protected by the TPM.
      Also, the TPM is irrelevant in this scenario; it can be software-based keys protected by DPAPI and it would still achieve the same result.

    • @NancySLyons 1 month ago

      What is TPM?

  • @Bulla666 7 months ago

    Great video Merill. I wonder, is there any way to default users' MFA prompt to WH4B? The Authentication Methods page in Azure doesn't seem to allow that. We have most users set up for WH4B, but after entering their credentials in any phishing attack their default method for MFA is most likely Authenticator, and this takes over before they are prompted to choose WH4B.

    • @merillx 6 months ago +1

      The new System Preferred authentication method picks the strongest auth the user is registered for automatically. This is an evolving space so keep an eye out for updates.

  • @niranmanandhar8517 2 months ago

    Thank you for all the hard work you do for the community. I was just wondering if there is a way to go completely passwordless and use passkeys? I am struggling to see how to use passwordless on native MSFT apps on Android and iOS. Am I missing something here?

    • @merillx 2 months ago

      Cheers. Yes, you can use passkeys. Have you followed the guide to set it up?

  • @jan_bakker 10 months ago

    Great stuff!

  • @318dvillar 9 months ago

    Thank you for the demo. I was able to set it up successfully and I am able to log in to the Microsoft 365 fake URL, but once logged in, after about 1 minute I get logged out. Not sure why I am getting logged out. I've checked the Microsoft Entra sign-in logs, risky sign-ins, risky users and can find no reason why I am being logged out. When I access the real Microsoft site using a real URL I am able to log in successfully and stay logged in. I am performing all of this from the same workstation. I've checked continuous access evaluation and it shows 'no'; I've excluded my test user account from any enabled conditional access policies as well. Any idea as to why this is happening or what log I can check? Thank you.

  • @Weaselnest 4 months ago

    So by adding the device compliance policy, you are saying it's actually checking the referrer URL, and since that fake URL doesn't match the known MS login domains, it prevents the AiTM scenario where they use session tokens like you demonstrated? This won't lock anyone out from a non-domain-joined laptop or a domain workstation, will it? Or is this policy going off already known devices, and not the referrer URL?

    • @jebeda 4 months ago

      That's the question I had. I don't want our users to be unable to use their personal devices. What are the downsides to adding the device compliance policy?

    • @merillx 3 months ago

      If you apply a compliance requirement it will block BYOD devices, unless they are registered with Entra ID.

    • @merillx 3 months ago

      Device compliance will block BYOD devices. If you need to allow BYOD devices then you have to use phishing-resistant MFA options like passkeys, FIDO2 security keys, etc.

  • @matthewlarkin9778 8 months ago

    I can see on the password prompt page there appears to be the company logo or similar; it's not the generic Microsoft one. How does the fake phishing site have that?

    • @merillx 8 months ago

      Since EvilGinx acts like a reverse proxy it basically mirrors the page shown by the Microsoft login page.

  • @chadwhittington1753 7 months ago

    So the first device compliance policy was set to report-only? Does this need to be turned on, or will it block if it's in report-only? Looks like this requires Intune. Is there a way to block without Intune? I have Business Standard and Exchange P1 users.

    • @merillx 6 months ago +1

      For the conditional access policy you will need Business Premium, unfortunately. Keep an eye out for some new announcements coming in mid/late March where you can use phishing-resistant auth.

  • @socialwill 10 months ago

    So this might not be related, but how can I use Entra and CA policies to require MFA for admins to log in to servers? Cyber insurance requires internal MFA and I'm curious how Entra can be used for this, preventing internal hacks.

    • @Styl_e 10 months ago

      I comment only to get a notification if Merill answers this. To me, I guess you need some third-party solution.

    • @merillx 10 months ago +1

      Great question. The good news is we just announced this as part of the new Entra Private Access. This will allow you to apply Universal Conditional Access policies to protect on-prem apps.

  • @NancySLyons 1 month ago

    This is good, but how do I protect TOTP tokens? Are you simply going to say use a security key?

    • @merillx 1 month ago

      Yes, unfortunately TOTP is not phishing resistant. So using phishing-resistant auth like Windows Hello for Business, passkeys, security keys and certificates in smart cards is the way to go.

    • @NancySLyons 1 month ago

      @merillx I have TOTPs on some YubiKeys. If I protect the YubiKey with a PIN, is that good enough? Also, I am using an iPhone only, not a Windows computer. Thank you.

  • @MrKeg830 10 months ago

    What if the phishing page is onenote/sharepoint/microsoft domain? I'm assuming it has to match the auth domain?

    • @merillx 10 months ago +1

      It has to be the exact one = login.microsoftonline.com. It won't work with any other domain, including Microsoft ones.

  • @butters757 10 months ago

    Does the "Require hybrid joined device" control also protect against this?

  • @wyllz4746 10 months ago

    Which type 2 hypervisor do you use to host your VMs?

    • @merillx 10 months ago

      The VMs were hosted on Azure. For the FIDO2 demo I had to use a physical laptop.

  • @jeetu301 8 months ago

    How was the MS Authenticator app notification (MFA) prompted during the fake URL?

    • @merillx 8 months ago

      The Authenticator is not currently phishing resistant. The new passkey feature that was announced at Ignite will make Authenticator phishing resistant when it becomes available in the next few months.

  • @fabioposser2 8 months ago

    Can this type of phishing also happen with a Gmail account?

    • @merillx 8 months ago

      Yes, it is possible with any type of account. What you need to use is phishing-resistant authentication. I would recommend setting up passkeys, which are phishing resistant. See support.google.com/accounts/answer/13548313?hl=en

  • @itedgedsm8252 9 months ago +1

    Thanks Merill! One concern here is with the last message using the FIDO key: "this security key doesn't look familiar. please try a different one." Will it be updated in the future? The wording is confusing and would cause a user to try another method to sign in. Shouldn't the message be something like "this security key doesn't have any saved credentials for the website 'login.fake.fdo.au'"?

    • @merillx 9 months ago +1

      Tx, yes that's good feedback.
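The two threads above (why the sign-in domain must be exactly login.microsoftonline.com, and why the security key reports no familiar credential on login.fake.fdo.au) both come down to WebAuthn's origin and RP ID binding. The following Python is an added illustration of that binding, not code from the video or from Microsoft; it assumes login.microsoftonline.com as the relying party ID, uses the hostnames from the comments as constructed inputs, and omits the signature verification step.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Assumption for this illustration: the sign-in domain named in the comments,
# login.microsoftonline.com, is used as the WebAuthn relying party ID (RP ID).
RP_ID = "login.microsoftonline.com"


def client_will_use_credential(origin: str, rp_id: str = RP_ID) -> bool:
    """Browser-side rule: a credential scoped to rp_id is exercised only when
    the page origin is https and its host is rp_id or a subdomain of it. On a
    proxy such as login.fake.fdo.au the authenticator has no matching
    credential, which is why the user sees 'doesn't look familiar'."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def build_client_data(origin: str, challenge: str) -> bytes:
    """clientDataJSON as the browser emits it: the browser, not the page,
    writes origin and challenge, so a reverse proxy cannot rewrite them."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def rp_id_hash(rp_id: str = RP_ID) -> bytes:
    """First 32 bytes of authenticatorData: sha256 of the RP ID signed for."""
    return hashlib.sha256(rp_id.encode()).digest()


def server_accepts(client_data: bytes, auth_data: bytes,
                   expected_challenge: str, rp_id: str = RP_ID) -> bool:
    """Relying-party checks from the WebAuthn verification steps: type,
    challenge, origin and rpIdHash must all match. The signature check over
    authenticatorData || sha256(clientDataJSON) is omitted to keep this short."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == expected_challenge
            and client_will_use_credential(cd.get("origin", ""), rp_id)
            and auth_data[:32] == rp_id_hash(rp_id))


def simulate_login(origin: str, challenge: str) -> str:
    """End-to-end outcome for a sign-in attempted from `origin`."""
    if not client_will_use_credential(origin):
        return "no-credential"  # the proxy never obtains an assertion at all
    client_data = build_client_data(origin, challenge)
    auth_data = rp_id_hash() + b"\x01" + (0).to_bytes(4, "big")  # flags, counter
    return "accepted" if server_accepts(client_data, auth_data, challenge) else "rejected"
```

Note that the check is a registrable-suffix match, so a sibling Microsoft host such as onenote.microsoft.com is refused just like the attacker's proxy, which is the point of the reply above.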