Stop hackers from stealing your Microsoft 365 user's passwords

Science & Technology

In this video I show how you can steal a Microsoft 365 user's password using a man-in-the-middle phishing attack with a tool like EvilGinx created by the awesome @breakdev
I then show how you can apply conditional access policies in Microsoft Entra to block phishing attacks like this.
@_JohnHammond posted a neat video showing how to steal Microsoft 365 user account passwords • I Stole a Microsoft 36...
00:00 Introduction
00:45 Man-in-the-Middle (MitM) attack explained
01:57 EvilGinx Phishing Demo
06:40 Device Compliance CA Policy
08:09 Device Compliance Demo
10:50 Phishing Resistant MFA CA Policy
12:39 Windows Hello for Business Demo
14:22 Passkey (FIDO2 security key) Demo

Comments: 72

  • @wcdunn
    8 months ago

    Really great stuff Merrill. Thanks for putting such a good demo together.

  • @NeilNatic
    8 months ago

    Thanks so much for this! I learned that requiring compliant devices actually prevents these man-in-the-middle attacks. I didn't realize that previously and we have this enabled throughout our environment. Thank you!

  • @merillx
    8 months ago

    That is awesome news Neil! Thank you for sharing. Helping raise more awareness about this is why I made this video. 🙌

  • @anthonyp3961
    8 months ago

    Awesome demo! Thank you!

  • @Seeknay747
    8 months ago

    This is an excellent video! Very clear and on point! Thank you!

  • @merillx
    8 months ago

    Cheers tx @seeknay747

  • @SimonVassallo
    8 months ago

    Excellent demo, much appreciated 👍

  • @merillx
    8 months ago

    Tx. Glad you enjoyed it Simon!

  • @harisaud9420
    8 months ago

    Bloody Legendddd 👌👌 Thank you brother, I'm pretty sure you saved many souls here !!

  • @merillx
    8 months ago

    Thanks!!

  • @JustinOnTheNet
    8 months ago

    Thanks Merill, a really useful video! I think we'll be using Windows Hello moving forward 🙂

  • @merillx
    8 months ago

    👌👏

  • @dpmcalli
    8 months ago

    Fantastic video. It's the kind of thing I plan to present to higher-ups at some point to highlight the importance of phishing-resistant MFA. Thanks for the inspiration.

  • @merillx
    8 months ago

    Go for it! Let me know if you need any help. I'm planning on making another video showing how to set up EvilGinx in

  • @dpmcalli
    8 months ago

    @merillx That would be a great follow-up video. I've had a play with EvilGinx but it would be great to have a walkthrough video.

  • @nickriley1598
    8 months ago

    Thanks Merill - great video - really useful.

  • @merillx
    8 months ago

    Cheers Nick!

  • @jan_bakker
    8 months ago

    Great stuff!

  • @andrews13
    2 months ago

    Perfect!!

  • @HiAleks
    5 months ago

    WOW impressive, thank you for material, clear as crystal water.

  • @merillx
    5 months ago

    Thank you! Cheers!

  • @chadmiya
    6 months ago

    Thanks for the great info. It appears that the user's password is still obtained by the attacker since CA takes effect after the user authenticates. I guess this stresses the need to move to passkey authentication.

  • @dancingkidkul9325
    5 months ago

    Hi Merill, thanks for making this. Quick question: how is it going to check whether the device is compliant or not? Is it a device compliance policy from Intune, or what is it?

  • @fbifido2
    8 months ago

    Thanks. You showed how to use passkeys (Windows Hello & FIDO2). Can you show the other two options for signing in? 1. Certificate-based 2. Passkeys

  • @merillx
    8 months ago

    Passkeys are not available yet on Entra; once they are I'll do a post that shows both of them and also share which one is more secure :)

  • @Bulla666
    6 months ago

    Great video Merill. I wonder, is there any way to default users' MFA prompt to Wh4B? The Authentication Methods page in Azure doesn't seem to allow that. We have most users set up for WH4B, but after entering their credentials in any phishing attack their default method for MFA is most likely Authenticator, and this takes over before they are prompted to choose Wh4B.

  • @merillx
    5 months ago

    The new System Preferred authentication method picks the strongest auth the user is registered for automatically. This is an evolving space so keep an eye out for updates.

  • @sethzwicker3631
    7 months ago

    Amazing video. Thank you! So, simply requiring a compliant device will fight MitM attacks? Even if they have pulled the token?

  • @merillx
    7 months ago

    Device compliance will block MitM. They won't even have the option to get a valid token.

  • @sethzwicker3631
    7 months ago

    @merillx What if the policy is implemented AFTER the initial token pull?

  • @merillx
    7 months ago

    Then it will stop working when the access token expires (usually

  • @trtrdir
    8 months ago

    Great demo Merill! It's very clear and useful. If possible, could you hint at the minimum license of O365 required for all of this to work? How will Windows Hello for Business work with mobile devices (iPhone/Android)?

  • @merillx
    8 months ago

    Sure. For conditional access policies you need a minimum of Entra ID P1 (almost all Microsoft 365 licenses include this).

  • @merillx
    8 months ago

    On mobile devices the Windows Hello for Business alternative is the new passkey option in Android and Apple devices (using Touch ID as an auth). It's not available yet and is scheduled to go into public preview early next year. For now, the way to protect mobile devices is through the Device Compliance conditional access policy.

  • @chadwhittington1753
    6 months ago

    So the first device compliance policy was set to report-only? Does this need to be turned on, or will it block if it's in report-only? Looks like this requires Intune. Is there a way to block without Intune? I have Business Standard and Exchange P1 users.

  • @merillx
    5 months ago

    For the conditional access policy you will need Business Premium unfortunately. Keep an eye out for some new announcements coming in mid/late March where you can use phishing resistant auth.

  • @318dvillar
    8 months ago

    Thank you for the demo. I was able to set it up successfully and I am able to log in to the Microsoft 365 fake URL, but once logged in, after about 1 minute I get logged out. Not sure why I am getting logged out. I've checked the Microsoft Entra sign-in logs, risky sign-ins and risky users and can find no reason why I am being logged out. When I access the real Microsoft site using a real URL I am able to log in successfully and stay logged in. I am performing all of this from the same workstation. I've checked continuous access evaluation and it shows 'no'; I've excluded my test user account from any enabled conditional access policies as well. Any idea as to why this is happening or what log I can check? Thank you.

  • @MrKeg830
    8 months ago

    What if the phishing page is onenote/sharepoint/microsoft domain? I'm assuming it has to match the auth domain?

  • @merillx
    8 months ago

    It has to be the exact one = login.microsoftonline.com. It won't work with any other domain, including Microsoft ones.

  • @socialwill
    8 months ago

    So this might not be related, but how can I use Entra and CA policies to require MFA for admins to login to servers? Cyber insurance requires internal MFA and curious how Entra can be used for this? Preventing internal hacks.

  • @Styl_e
    8 months ago

    I comment only to get a notification if Merill answers this. To me, I guess you need some third-party solution.

  • @merillx
    8 months ago

    Great question. The good news is we just announced this as part of the new Entra Private Access. This will allow you to apply Universal Conditional Access policies to protect on prem apps.

  • @matthewlarkin9778
    7 months ago

    I can see on the password prompt page there appears to be the company logo or similar - it's not the generic Microsoft one. How does the fake phishing site have that?

  • @merillx
    7 months ago

    Since EvilGinx acts like a reverse proxy it basically mirrors the page shown by the Microsoft login page.

  • @butters757
    8 months ago

    Does the "Require hybrid joined device" control also protect against this?

  • @merillx
    8 months ago

    Yes

  • @niranmanandhar8517
    25 days ago

    Thank you for all the hard work you do for the community. I was just wondering if there is a way to go completely passwordless and use passkeys? I am struggling to see how to use passwordless on native MSFT apps on Android and iOS. Am I missing something here?

  • @merillx
    19 days ago

    Cheers. Yes, you can use passkeys. Have you followed the guide to set it up?

  • @Jabaha777
    8 months ago

    Wait, if the user was using a Windows Hello PIN code instead of biometrics, would that still be phishing resistant?

  • @merillx
    8 months ago

    YES! There is no difference in phishing resistant strength between using PIN and biometrics. They are both used to unlock the private key stored on the device's TPM chip.

  • @daw5891
    8 months ago

    @merillx They are not stored on the TPM but protected by the TPM. Also, TPM is irrelevant in this scenario; it can be software-based keys protected by DPAPI and it would still achieve the same result.

  • @NancySLyons
    6 days ago

    What is TPM?

  • @jeetu301
    7 months ago

    How was the MS Authenticator app notification (MFA) prompted during the fake URL?

  • @merillx
    7 months ago

    The Authenticator is not currently phishing resistant. The new passkey feature that was announced at Ignite will make Authenticator phishing resistant when it becomes available in the next few months.

  • @wyllz4746
    8 months ago

    Which type 2 hypervisor do you use to host your VMs?

  • @merillx
    8 months ago

    The VMs were hosted on Azure. For the FIDO2 demo I had to use a physical laptop.

  • @Weaselnest
    3 months ago

    So by adding the device compliance policy, you are saying it's actually checking the referrer URL, and since that fake URL doesn't match the known MS login domains, it prevents the AiTM scenario where they use session tokens like you demonstrated? This won't lock anyone out from a non-domain-joined laptop or a domain workstation, will it? Or is this policy going off already known devices, and not the referrer URL?

  • @jebeda
    2 months ago

    That's the question I had. I don't want our users to be unable to use their personal devices. What are the downsides to adding the device compliance policy?

  • @merillx
    2 months ago

    If you apply a compliance requirement it will block BYOD devices, unless they are registered with Entra ID.

  • @merillx
    2 months ago

    Device compliance will block BYOD devices. If you need to allow BYOD devices then you have to use phishing-resistant MFA options like passkeys, FIDO2 security keys, etc.

  • @fabioposser2
    7 months ago

    Can this type of phishing also happen with a Gmail account?

  • @merillx
    7 months ago

    Yes it is possible with any type of account. What you need to use is phishing resistant authentication. I would recommend setting up passkeys which is phishing resistant. See support.google.com/accounts/answer/13548313?hl=en

  • @NancySLyons
    6 days ago

    This is good--but how do I protect TOTP tokens? Are you simply going to say use a security key?

  • @merillx
    6 days ago

    Yes, unfortunately TOTP is not phishing resistant. So using phishing-resistant auth like Windows Hello for Business, passkeys, security keys and certificates on smart cards is the way to go.

  • @NancySLyons
    5 days ago

    @merillx I have TOTPs on some YubiKeys. If I protect the YubiKey with a PIN, is that good enough? Also, I am using an iPhone only, not a Windows computer. Thank you.

  • @itedgedsm8252
    8 months ago

    Thanks Merill! One concern here is with the last message when using the FIDO key: "this security key doesn't look familiar. please try a different one." Will it be updated in the future? The wording is confusing and would cause a user to try another method to sign in. Shouldn't the message be something like "this security key doesn't have any saved credentials for the website 'login.fake.fdo.au'"?

  • @merillx
    8 months ago

    Tx, yes that's good feedback.
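The origin binding behind two of Merill's replies above (the proxy only works against login.microsoftonline.com, and on login.fake.fdo.au the security key reports that it "doesn't look familiar"), modelled as an added Python example that is not from the video or the thread. It is a toy: HMAC stands in for the key's ECDSA signature, the credential store is a dictionary, and the class and function names are assumptions.

```python
# Toy WebAuthn origin-binding model; HMAC stands in for the key's ECDSA signature.
import hashlib, hmac, json, secrets

REAL_ORIGIN = "https://login.microsoftonline.com"
FAKE_ORIGIN = "https://login.fake.fdo.au"  # proxy domain quoted in the thread

def rp_id_of(origin):
    return origin.split("://", 1)[1]

class SecurityKey:
    def __init__(self):
        self._creds = {}  # rp_id -> per-site secret (hardware-bound in reality)

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # stand-in for the public key the RP stores

    def get_assertion(self, rp_id, client_data_json):
        key = self._creds.get(rp_id)
        if key is None:  # the "security key doesn't look familiar" path
            raise LookupError(f"no credential scoped to {rp_id}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, to_sign, "sha256").digest()

def browser_sign_in(key, origin, challenge):
    # The browser records the origin it actually loaded; the page cannot alter it.
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    return (cdj,) + key.get_assertion(rp_id_of(origin), cdj)

def rp_verify(pubkey, cdj, auth_data, sig, expected_origin=REAL_ORIGIN):
    # Relying party: origin must match, rpIdHash must match, then the signature.
    if json.loads(cdj)["origin"] != expected_origin:
        return False
    if auth_data != hashlib.sha256(rp_id_of(expected_origin).encode()).digest():
        return False
    expected = hmac.new(pubkey, auth_data + hashlib.sha256(cdj).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)

def demo():
    key = SecurityKey()
    pubkey = key.register(rp_id_of(REAL_ORIGIN))
    challenge = secrets.token_hex(16)
    legit = rp_verify(pubkey, *browser_sign_in(key, REAL_ORIGIN, challenge))
    try:  # proxy relays the real challenge, but the browser sits on the fake origin
        phished = browser_sign_in(key, FAKE_ORIGIN, challenge) is not None
    except LookupError:
        phished = False  # nothing on the key is scoped to login.fake.fdo.au
    return legit, phished
```

Even an assertion the key did produce for the fake origin fails `rp_verify` at the real site, because the origin and rpIdHash it signed over do not match.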
