From 0 to millions: Protecting against AitM phishing at scale
2024-10-24 , Europe - Main Room

Phishing has evolved both in attackers' TTPs and in their targets. From simple clones of a website trying to capture a username and password, to reverse-proxying systems that steal sessions even when MFA is in place, the target landscape has changed. Many of the defenses against phishing are starting to show their age, from block-lists of domains that appear illegitimate, to SMS/push MFA, to the broken-functionality cues that may alert someone that a site is not the real one. Modern phishing tools such as EvilGinx, Modlishka, and others handle all of these: they hide the phishing content behind a unique "lure" to avoid domain blocking, support SMS/push MFA, and seamlessly allow login and hand-over once the session has been stolen.

This talk focuses on a Canarytoken type that lets you protect shared-responsibility platforms that are difficult to gain insight into, such as Azure Entra ID, LogTo, and custom sites. The Cloned Site Canarytoken quickly alerts you if someone is mirroring or reverse-proxying a sensitive login page that any of your users try to log in to; you can be alerted about the phishing site's URL before the user has even entered their password.
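The page does not describe how the Cloned Site Canarytoken detects a mirrored or proxied login page. As an added example (not Thinkst's code, and not a description of their implementation), the block below shows the general shape of a client-side check a login page can embed: compare the hostname the browser is actually on against the legitimate hostnames, and if they differ, report the observed URL to a collector before any credential is typed. The hostnames `login.example.com` / `sso.example.com` and the endpoint `canary.example.invalid` are constructed placeholders.

```javascript
// Added example, not Thinkst's Canarytoken code. It shows the general shape of
// a client-side "am I being served from the right host?" check that a login
// page can embed. All hostnames and the report endpoint are constructed
// placeholders.

// Legitimate hostnames, hex-encoded so that a reverse proxy doing naive
// string replacement of "login.example.com" -> "<proxy host>" in the HTML
// body does not also rewrite the reference value the check compares against.
const EXPECTED_HOSTS_HEX = [
  "6c6f67696e2e6578616d706c652e636f6d", // login.example.com (constructed)
  "73736f2e6578616d706c652e636f6d",     // sso.example.com   (constructed)
];
const REPORT_ENDPOINT = "https://canary.example.invalid/report"; // placeholder

function decodeHex(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Lower-case, trim, and drop a trailing dot so "LOGIN.EXAMPLE.COM." matches.
function normalizeHost(host) {
  return String(host || "").trim().toLowerCase().replace(/\.$/, "");
}

// True when the page is served from a host that is not one of ours.
// An empty hostname (file:, data:, about:blank) is treated as unexpected,
// and so is any host that merely contains ours as a prefix or suffix.
function isServedFromUnexpectedHost(observedHost, expectedHostsHex = EXPECTED_HOSTS_HEX) {
  const h = normalizeHost(observedHost);
  if (h === "") return true;
  return !expectedHostsHex.map(decodeHex).map(normalizeHost).includes(h);
}

// The report carries the full observed location: that is the phishing URL
// the defender wants to see before any credential has been entered.
function buildReportUrl(observedHref, endpoint = REPORT_ENDPOINT) {
  const u = new URL(endpoint);
  u.searchParams.set("loc", observedHref);
  return u.toString();
}

// Pure decision function so the logic can be unit-tested outside a browser.
// `loc` mirrors the window.location fields that are used (hostname, href).
function checkPage(loc) {
  if (!isServedFromUnexpectedHost(loc.hostname)) {
    return { alert: false, reportUrl: null };
  }
  return { alert: true, reportUrl: buildReportUrl(loc.href) };
}

// Browser entry point: fire the report as early as possible, before the
// password field is used. sendBeacon survives navigation; an Image request
// is the fallback for older browsers. Nothing runs under Node (no window).
if (typeof window !== "undefined" && window.location) {
  const result = checkPage(window.location);
  if (result.alert) {
    if (typeof navigator !== "undefined" && navigator.sendBeacon) {
      navigator.sendBeacon(result.reportUrl);
    } else {
      new Image().src = result.reportUrl;
    }
  }
}
```

The decision logic is kept separate from the browser glue so it can be tested in Node. The hex-encoded reference list illustrates one of the failure modes the talk's "attacks against our Canarytoken" section is about: a proxy that rewrites hostnames in the page body would otherwise rewrite the reference value too, and a proxy that strips or blocks the script entirely defeats the check, which is why the collector side should also treat the absence of expected reports as a signal worth watching.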

After a survey of the landscape of modern phishing techniques and defenses, we'll dive into our novel defense and look at token alert data from millions of logins every day to build a view of real-world phishing attacks and their TTPs. We'll finish off with how to respond to alerts, and with some attacks against our Canarytoken. Finally we'll discuss our mental model for sharing this information via networks like MISP.


After a quick technical overview of the capability and how it was designed to scale, we'll dive into the data from millions of weekly logins to sites across the web. The token has been deployed to some of the largest Azure tenants out there, to large financial sites, and to healthcare providers; we'll get to explore phishing data at scale.

We'll dive into:
- The scale of AitM phishing
- TTPs of AitM attackers:
  - Time from infrastructure start-up to first alert
  - Domain seasoning
  - Cross-tenant drag-net attacks

Finally, we'll talk about response to these types of alerts, what attackers can do to disrupt our alerts, and how we can flow some of this data into networks like MISP.

See also: Slides (3.2 MB)

Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. Jacob has been a speaker and keynote presenter at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more.