This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 73%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETY%3C/text%3E%3C/svg%3E)
Hello,
I found the sentence 'Microsoft Defender for Cloud Apps detects this AiTM phishing' on the bellow document.
https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
So I'm interested to Microsoft Defender for Cloud Apps.
Could you tell me how to detect the AiTM phishing in the following situation?
We have the web page on AWS Amplify.
When users login to the page, they are redirected to auth0.com for authentication.
The username and password are necessary for authentication.
If user enables MFA(mail, SMS, or Push notification), MFA is also necessary.
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Could you clarify how you are integrating your app with Azure?
If you have integrated Microsoft Defender for Cloud apps with your AWS environment, the anomaly detection should still apply. Impossible travel activity, atypical travel, and suspicious inbox manipulation rules are included in the detection policies.
https://learn.microsoft.com/en-us/defender-cloud-apps/protect-aws
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
Hello,
We don't use Azure, and don't connect the app to Azure.
Now the connection is as follows.
User - [internet] - web page(AWS Amplify) - authentication(auth0.com)
It seems to be possible to connect AWS without Azure. Is it right?
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-aws
If we connect AWS to Microsoft Defender for Cloud Apps, is it possible to detect the AiTM phishing?
Thanks.
As you mentioned, you can connect AWS to Microsoft Defender for Cloud Apps without having Azure as an IdP. Based on my understanding your users will still be protected and the built-in policy templates used to detect AiTM phishing (impossible travel, atypical travel) would be available. To clarify though, you still need to have an Azure account, at least one Global Admin user, and enough licenses to cover protected users in order to use Microsoft Defender for Cloud Apps.
Reference:
Prerequisites for using Microsoft Defender for Cloud Apps.
If you follow the onboarding process, your AWS resources will be monitored in Microsoft Defender for Cloud Apps and you will be able to use the protections detection policies to detect AiTM phishing. I've also reached out to the product team to verify if there are any limitations around your scenario though and will provide their response. Based on my understanding it should work since the AiTM phishing detection is based on those other three built-in detection policies that are included when integrating AWS.
-
If the information helped you, please Accept the answer. This will help us and other community members as well.
Thank you for your kindly support.