SafeLogin: Protecting Your Entra ID Tenant Against Advanced Phishing Attacks

Introduction

In today’s world, digital security is a top priority for both companies and individuals. Among the various cyber threats, phishing attacks remain one of the most effective methods for compromising accounts and stealing sensitive information. With the evolution of phishing techniques, such as Man-in-the-Middle (MitM) attacks using tools like Evilginx2, the need for innovative and robust solutions has never been greater.

To address these challenges, we developed SafeLogin, a solution designed to protect users from advanced phishing attacks. Seamlessly integrating with Microsoft Entra ID (formerly known as Azure AD), SafeLogin validates login URLs in real time and alerts users about potential phishing attempts, all without compromising the user experience.

The Problem: Phishing and Man-in-the-Middle Attacks

Traditional phishing usually involves fake emails that direct users to fraudulent login pages where their credentials are stolen. However, with the widespread adoption of multi-factor authentication (MFA), cybercriminals have adapted, using more sophisticated techniques.

Tools like Evilginx2 allow attackers to conduct MitM attacks, where they intercept communication between the user and the legitimate service, capturing authentication tokens and valid sessions. This means that even with MFA enabled, an attacker can gain full access to the victim’s account. These attacks are difficult to detect because the victim believes they are interacting directly with the legitimate service.

The Solution: SafeLogin

SafeLogin was developed to combat these threats proactively. The solution works by validating the login URL that the user is attempting to access, checking if it matches a predefined list of legitimate URLs. If the URL is deemed suspicious, SafeLogin alerts the user through a visual banner on the login page, indicating that they may be about to fall for a phishing scam.

How SafeLogin Works

The architecture of SafeLogin is simple yet effective:

  1. Azure Function: An Azure Function validates login URLs in real time. It checks whether the URL the user is accessing is legitimate. If the URL is legitimate, the function allows the login to proceed as normal. If the URL is suspicious, the function returns an alert that is displayed on the login page.
  2. Entra ID Customization: SafeLogin leverages the customization capabilities of Microsoft Entra ID to display visual alerts on the login page. These alerts inform the user that the page they are attempting to access may not be safe.
  3. Logging and Monitoring: Each detected phishing attempt is logged, allowing security teams to monitor attack attempts in real time and respond quickly to new threats.
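
A sketch of the URL check and log record described in steps 1 and 3, added here as an illustration and not taken from the SafeLogin repository. The allowlist entry, the function names, the reason strings and the way the URL reaches the function are assumptions; the sample URLs in the comments are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed allowlist for illustration; a deployment would maintain its own.
ALLOWED_HOSTS = frozenset({"login.microsoftonline.com"})


def check_login_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (is_legitimate, reason, host) for the URL serving the login page."""
    if not url:
        return False, "missing-url", None
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname      # lowercased; userinfo and port stripped
        _ = parts.port             # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable-url", None
    if parts.scheme != "https":
        return False, "non-https-scheme", host
    if not host:
        return False, "missing-host", None
    if parts.username is not None or parts.password is not None:
        # "https://legit-host@other-host/" is served by other-host
        return False, "userinfo-in-url", host
    host = host.rstrip(".")        # treat the fully qualified form as equal
    # Exact match only: substring or prefix tests accept lookalike hosts
    # such as "login.microsoftonline.com.evil.example" (constructed sample).
    if host not in allowed_hosts:
        return False, "host-not-allowlisted", host
    return True, "ok", host


def evaluate(url):
    """Decide whether to show the warning banner and build the log record."""
    legitimate, reason, host = check_login_url(url)
    record = None
    if not legitimate:
        # Log host and reason only; query strings can carry sensitive values
        record = json.dumps({"event": "suspicious_login_url",
                             "host": host, "reason": reason}, sort_keys=True)
    return {"show_banner": not legitimate, "reason": reason, "log": record}
```

The comparison runs on the parsed hostname, not the raw string, so a legitimate name placed in the userinfo part or used as a subdomain prefix of another domain is still classified as suspicious.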

Benefits of SafeLogin

  • Proactive Protection: SafeLogin adds an extra layer of security by validating login URLs in real time and alerting users to potential threats before they enter their credentials.
  • Easy Integration: The solution integrates seamlessly with Microsoft Entra ID and existing Azure infrastructure, making implementation quick and hassle-free.
  • Continuous Monitoring: With phishing attempts logged, security teams can monitor threats and adjust defenses as needed.
  • Scalability and Flexibility: SafeLogin scales to meet the needs of small businesses and large enterprises alike, and can be easily adapted to handle new threats as they arise.

How to Implement SafeLogin

Implementing SafeLogin is straightforward. The Azure Function can be created and configured using Visual Studio Code, allowing easy manipulation of the necessary files. Once set up, the solution is integrated into the Entra ID login page through simple CSS customizations.

Once configured, SafeLogin immediately begins validating login URLs and protecting your users against advanced phishing.

Final Considerations

In a world where cyber threats are constantly evolving, it is essential to adopt proactive measures to protect accounts and sensitive data. SafeLogin is a solution that not only strengthens defenses against phishing but also educates users, helping them recognize and avoid attack attempts.

If you are looking for a way to protect your Microsoft Entra ID against the latest phishing threats, consider implementing SafeLogin and add an extra layer of security to your environment.

Check out the SafeLogin repository on GitHub for more details, implementation guides, and the full code: SafeLogin GitHub Repository.

Bruno Freitas
Technical Specialist working with Cybersecurity and Compliance at Microsoft.