Hey there. It's your favorite blogger again.
Since we have already covered different topics regarding AiTM and protection against it in M365, we're going to take a holistic look at it now.
In the first step, I'm going to show you how an AiTM attack looks without Company Branding settings.
After that I will enable Company Branding again and show you how it looks then.
Then we are going to do the same but with passkeys active, so you can directly see the difference.
AiTM Attack without Company Branding

As we can clearly see, the attacker can easily take over the account.
In this demo it's only a test account, but the same thing could easily happen to admin accounts.
AiTM Attack with Company Branding
As we can clearly see, as soon as the user enters his username and wants to enter the password, he gets visually notified that he should not enter his password... but he can do so if he wants. At the moment there is no mechanism in place that prevents the user from entering his password. But I have to say, if you see that aggressive orange screen and you still enter the password, you either have balls like a bull, or you are just stupid.

AiTM with Passkeys in Place
As you can see, we have a visual detection method for AiTM. But as already written, users can still enter their data.
But now we are going to do the same with passkeys in place.
So, first check that there is a passkey on our user.
If there is none, create one.
But how do we do that?
In this post we are not going to cover how to enable passkeys, but we are going to look at how we can create a passkey once it is enabled.

You can go as follows:
Fire up the Authenticator app on your mobile device. Go to the desired account and you should find the option "Create a passkey" there. Do that. Now!

Okay, to be honest, that meme is hilarious... 😉🤣
If you now check myaccount.microsoft.com you should be able to see the passkey there.

So if we now head back to our malicious site and log in with the passkey, what happens then?
As we can see, we directly get the passkey popup, and even if I scan it with my phone and do the biometric thing on the phone, it won't go through. On the phone I get the error "no passkeys found for logn.vadrwave.ch". With passkeys we can only log in to authentic Microsoft web pages, not to cheap fake ones.. 😸
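As an added illustration (not code from the original post), here is a small JavaScript model of the WebAuthn relying-party ID check that produces exactly this failure: the phone only holds a passkey for the RP ID it was created on, and a page may only request credentials for its own effective domain or a registrable-domain suffix of it. The RP ID `login.microsoftonline.com`, the passkey store and the tiny public-suffix table are assumptions for the demo.

```javascript
// Added example, not from the original post: a minimal model of the WebAuthn
// RP ID check behind the "no passkeys found" error. Passkeys are stored under
// the relying party ID (rpId) they were created for, and a client only honours
// a request for an rpId that equals, or is a registrable-domain suffix of,
// the requesting page's effective domain.
// Tiny stand-in for the Public Suffix List: only what this demo needs.
const PUBLIC_SUFFIXES = new Set(["com", "ch", "co.uk"]);

// Effective domain of an origin: the host, without scheme or port.
function effectiveDomain(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// Registrable domain = public suffix plus one more label, or null.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i > 0 ? labels.slice(i - 1).join(".") : null;
    }
  }
  return null; // unknown or bare public suffix
}

// rpId must equal the effective domain or be a registrable-domain suffix
// of it; a bare public suffix such as "com" is never allowed.
function rpIdAllowedForOrigin(rpId, origin) {
  const host = effectiveDomain(origin);
  const reg = registrableDomain(host);
  if (reg === null) return false;
  if (rpId === host) return true;
  if (!host.endsWith("." + rpId)) return false;
  return rpId === reg || rpId.endsWith("." + reg);
}

// Constructed passkey store on the phone; the rpId is an assumption.
const PHONE_PASSKEYS = [
  { rpId: "login.microsoftonline.com", userHandle: "testuser", credentialId: "cred-1" },
];

// What the authenticator does with a credential request from a page.
function findPasskeys(origin, requestedRpId) {
  if (!rpIdAllowedForOrigin(requestedRpId, origin)) {
    return { ok: false, error: `rpId ${requestedRpId} not valid for ${origin}` };
  }
  const matches = PHONE_PASSKEYS.filter((c) => c.rpId === requestedRpId);
  if (matches.length === 0) return { ok: false, error: `no passkeys found for ${requestedRpId}` };
  return { ok: true, credentials: matches };
}
```

The fake page at logn.vadrwave.ch can at best ask for its own rpId, and the phone has nothing stored under it, so it answers with the same "no passkeys found" message seen on the screen; the genuine origin gets the credential.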

This is how a hacker looks when he is trying AiTM and you are using passkeys.. 😄
Stay safe!