SafeLogin: Protecting Your Entra ID Tenant Against Advanced Phishing Attacks

Introduction

In today’s world, digital security is a top priority for both companies and individuals. Among the various cyber threats, phishing attacks remain one of the most effective methods for compromising accounts and stealing sensitive information. With the evolution of phishing techniques, such as Man-in-the-Middle (MitM) attacks using tools like Evilginx2, the need for innovative and robust solutions has never been greater.

To address these challenges, we developed SafeLogin, a solution designed to protect users from advanced phishing attacks. Seamlessly integrating with Microsoft Entra ID (formerly known as Azure AD), SafeLogin validates login URLs in real-time and alerts users about potential phishing attempts, all without compromising the user experience.

With SafeLogin 2.0, we’ve added new features to enhance the solution’s effectiveness and usability, further strengthening defenses against evolving phishing threats.

The Problem: Phishing and Man-in-the-Middle Attacks

Traditional phishing usually involves fake emails that direct users to fraudulent login pages where their credentials are stolen. However, with the widespread adoption of multi-factor authentication (MFA), cybercriminals have adapted, using more sophisticated techniques.

Tools like Evilginx2 allow attackers to conduct MitM attacks, where they intercept communication between the user and the legitimate service, capturing authentication tokens and valid sessions. This means that even with MFA enabled, an attacker can gain full access to the victim’s account. These attacks are difficult to detect because the victim believes they are interacting directly with the legitimate service.

The Solution: SafeLogin 2.0

SafeLogin was developed to combat these threats proactively. The solution works by validating the login URL that the user is attempting to access, checking whether it matches a predefined list of legitimate URLs. If the URL is not on that list, SafeLogin alerts the user through a visual banner on the login page, warning that they may be about to enter their credentials into a phishing page.

SafeLogin 2.0 introduces several key enhancements:

  • Microsoft Sentinel Integration: All detected phishing attempts are now logged in real-time to Microsoft Sentinel, providing advanced monitoring and analytics capabilities.
  • Enhanced User Alerts: The visual banner now includes improved messaging and dynamic indicators to warn users more effectively.
  • Audit-Ready Logging: Detailed logs of phishing attempts include metadata such as timestamps, IP addresses, and session details for compliance and forensic purposes.

How SafeLogin Works

The architecture of SafeLogin 2.0 builds upon the original version while adding new functionality:

  1. Azure Function: The main function of SafeLogin validates login URLs in real-time. It checks whether the URL the user is accessing is legitimate. If the URL is suspicious, the function returns an alert displayed on the login page. The function also logs all activities to a dedicated table (SafeLoginDetections_CL) in Microsoft Sentinel.
  2. Entra ID Customization: SafeLogin leverages the customization capabilities of Microsoft Entra ID to display visual alerts on the login page. These alerts now include dynamic visuals and more user-friendly language.
  3. Logging and Monitoring: SafeLogin logs every phishing attempt, enabling security teams to monitor and respond to threats efficiently.
  4. Integration with Microsoft Sentinel: SafeLogin 2.0 introduces seamless integration with Microsoft Sentinel through two analytical rules designed to enhance proactive threat detection:
    • SafeLogin – Potentially Compromised Users – Phishing Link Accessed: This rule identifies users who have interacted with phishing links detected by SafeLogin. Although these users haven’t proceeded with login attempts, their engagement with the malicious link indicates a potential security risk. Security teams can use this rule to proactively monitor and educate these users about phishing threats.
    • SafeLogin – Compromised User Detected – Malicious IP Login Attempt: This rule highlights compromised user accounts that have successfully signed in from a malicious IP address. By cross-referencing phishing detections with sign-in attempts, it identifies users who may have disregarded the phishing warning and enables quick detection of, and response to, account takeover attempts.
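The validation step in item 1 above, as an added example that is not SafeLogin's own code: it assumes the Azure Function receives the URL of the page that loaded the banner resource (for instance from the Referer header) and compares only the hostname against an exact allowlist, so userinfo tricks, lookalike subdomains and homoglyph domains all fall through to a detection record shaped like a SafeLoginDetections_CL row. The allowlist and column names are this example's assumptions.

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of legitimate Entra ID sign-in hosts. An organisation
# deploying SafeLogin configures its own list; these are hypothetical defaults.
LEGITIMATE_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

def referer_host(referer: str) -> Optional[str]:
    """Return the host that actually served the sign-in page, or None.

    urlsplit() treats everything before '@' in the authority as userinfo, so
    https://login.microsoftonline.com@proxy.example/ yields 'proxy.example',
    not the allowlisted name. A lookalike such as
    login.microsoftonline.com.proxy.example is a different host and never
    matches an exact allowlist, and a homoglyph domain compares unequal too."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")

def is_legitimate(referer: str) -> bool:
    host = referer_host(referer)
    return host is not None and host in LEGITIMATE_HOSTS

def build_detection(referer: str, client_ip: str, user: str) -> Optional[dict]:
    """Return a record for the detections table when the page was served from
    a non-allowlisted host; None means the banner should not fire."""
    if is_legitimate(referer):
        return None
    return {
        "TimeGenerated": datetime.now(timezone.utc).isoformat(),
        "RefererHost_s": referer_host(referer) or "invalid",
        "RefererUrl_s": referer,
        "ClientIP_s": client_ip,            # constructed caller IP, see usage
        "UserPrincipalName_s": user,
        "Verdict_s": "suspicious",
    }
```

Any record returned by `build_detection` is what the function would forward to the Sentinel table; a `None` result means the user is on a genuine sign-in page.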

Benefits of SafeLogin 2.0

  • Proactive Protection: SafeLogin adds an extra layer of security by validating login URLs in real-time and alerting users to potential threats before they enter their credentials.
  • Enhanced Monitoring: With Microsoft Sentinel integration, organizations can monitor threats in real-time, identify patterns, and respond to new phishing techniques.
  • Scalability and Flexibility: SafeLogin scales to meet the needs of small businesses and large enterprises alike, and can be easily adapted to handle new threats as they arise.
  • Compliance and Forensics: Detailed logs ensure organizations are prepared for audits and can perform in-depth analysis of phishing attempts.

How to Implement SafeLogin 2.0

Implementing SafeLogin 2.0 is straightforward. The Azure Function can be created and configured using Visual Studio Code, which makes editing the necessary files easy. Once set up, the solution is integrated into the Entra ID login page through simple CSS customizations. The integration with Microsoft Sentinel can then be configured to enable real-time monitoring and analytics.

Steps to deploy SafeLogin 2.0:

  1. Clone the SafeLogin repository from GitHub.
  2. Configure the Azure Function with your organization’s list of legitimate URLs.
  3. Customize the Entra ID login page to include the SafeLogin banner.
  4. Set up the Microsoft Sentinel workspace and get the Log Analytics Workspace ID and Primary Key.
  5. Test the solution to ensure proper validation and alerting functionality.
  6. Import the Analytic Rules to your Sentinel instance.
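The logic behind the two analytic rules imported in step 6, as an added example that is not SafeLogin's own rule code: it runs the cross-reference over constructed detection and sign-in rows in plain Python rather than KQL. Field names, the join on user plus the IP recorded with the detection, and the one-hour window are this example's assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows standing in for SafeLoginDetections_CL and the
# Entra ID sign-in log. Field names are this example's own, not the
# project's schema; IPs come from documentation ranges.
DETECTIONS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@contoso.example",
     "ip": "198.51.100.23", "host": "proxy.example"},
    {"time": "2024-05-01T09:05:00", "user": "bob@contoso.example",
     "ip": "198.51.100.24", "host": "proxy.example"},
]
SIGNINS = [
    # alice: successful sign-in from the IP in her detection, 2.5 min later
    {"time": "2024-05-01T09:02:30", "user": "alice@contoso.example",
     "ip": "198.51.100.23", "success": True},
    # bob: a later, unrelated sign-in from a different IP
    {"time": "2024-05-01T10:30:00", "user": "bob@contoso.example",
     "ip": "203.0.113.9", "success": True},
    # carol: failed attempt from bob's flagged IP, but no detection for carol
    {"time": "2024-05-01T09:06:00", "user": "carol@contoso.example",
     "ip": "198.51.100.24", "success": False},
]

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)

def correlate(detections, signins, window: timedelta = timedelta(hours=1)):
    """Split detections into the two rule outcomes.

    compromised: the same user signed in successfully from the IP recorded
    in the detection within `window` after the warning was shown.
    potential:   the user saw the banner but no matching sign-in followed."""
    compromised, potential = [], []
    for d in detections:
        t0 = _ts(d["time"])
        matches = [
            s for s in signins
            if s["user"] == d["user"] and s["ip"] == d["ip"] and s["success"]
            and t0 <= _ts(s["time"]) <= t0 + window
        ]
        if matches:
            compromised.append({"user": d["user"], "ip": d["ip"],
                                "phish_host": d["host"],
                                "signin_time": matches[0]["time"]})
        else:
            potential.append(d["user"])
    return compromised, potential
```

With the sample rows, alice lands in the "Compromised User Detected" list and bob in the "Potentially Compromised Users" list; carol never appears because no detection was recorded for her.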

Once configured, SafeLogin 2.0 immediately begins validating login URLs, protecting your users against advanced phishing, and providing actionable insights to your security team.

Final Considerations

In a world where cyber threats are constantly evolving, it is essential to adopt proactive measures to protect accounts and sensitive data. SafeLogin 2.0 not only strengthens defenses against phishing but also educates users, helping them recognize and avoid attack attempts.

If you are looking for a way to protect your Microsoft Entra ID against the latest phishing threats, consider implementing SafeLogin 2.0 and add an extra layer of security to your environment.

Check out the SafeLogin repository on GitHub for more details, implementation guides, and the full code: SafeLogin GitHub Repository.

Bruno Freitas
Technical Specialist working with Cybersecurity and Compliance at Microsoft.