The clarion call tells you if someone is logging into an AitM proxy that is proxying your company's M365 login page
This is extremely experimental.
This article from Zolder describes the concept quite well. This is not my original idea and the credit goes to them for it.
M365 allows you to inject custom CSS into the M365 login screen through the Company Branding settings. Ostensibly, this allows you to put a cool background image on your login page that fits your company branding.
We can take advantage of this to detect when a user is logging into an Adversary in the Middle (AitM) proxy like Evilginx that is mimicking your legitimate login page.
Clarion creates and hosts a small tracking pixel that we can embed into our custom company branding CSS file. When a normal login occurs, this CSS is retrieved dynamically and rendered on the M365 login page. When that happens during a routine login, the referer header for the CSS retrieval is login.microsoftonline.com
However, if a threat actor has created an AitM domain and login page and someone puts their username in to log in, the CSS will get pulled by the transparent proxy and the referer header will be the AitM proxy domain. If our tracking pixel is ever requested with a referer header that is NOT login.microsoftonline.com, it is highly likely that someone is logging into a transparent proxy (DISCLAIMER: MAJOR ASSUMPTIONS WITH THIS CONCEPT. DO YOUR OWN TESTING TO MAKE SURE THIS IS THE CASE!).
Zolder uses their own site, didsomeoneclone.me as their proof of concept. It works like a charm! But I wanted to create the whole system to learn more about it and demonstrate the entire process, start to finish. Thank you to Zolder for their work on this! Really cool concept and great work.
Additionally, I'm sure there are people out there that would love to use this detection capability but want to host it on their own infrastructure for privacy reasons. Clarion demonstrates a very simple, naive approach to how one would implement the tech required to alert on AitM attacks in progress.
For testing, you can use a self-signed certificate.
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
Important: Make sure you accept the warning about the invalid certificate in the browser that you want to test if using a self-signed cert. If you don't, the client browser will throw an error when trying to load the remote CSS and will not trigger the clarion call.
For production use, you would want a legitimate signed certificate.
Clone the repo to your publically accessible host and install the requirements:
$ pip3 install -r requirements.txt
Then run the app (you need root level permissions to bind to port 443):
$ [sudo] python3 app.py
* Serving Flask app 'app'
* Debug mode: on
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
* Running on all addresses (0.0.0.0)
* Running on https://127.0.0.1:443
* Running on https://[Public IP]:443
Press CTRL+C to quit
* Restarting with stat
[*] Your public IP address is: [Public IP]
[*] Embed this pixel in your CSS file with the following code:
[some CSS element] {
background-image: url('https://[Public IP]/[pixel name].png');
background-size: 0 0;
}
* Debugger is active!
* Debugger PIN: 422-205-484
Take this custom CSS pixel element and add it to your M365 Company Branding as a custom CSS file:
The M365 Company Branding CSS Schema has the list of CSS elements that the M365 login page can use. .ext-footer seems to be a good option to trigger the clarion call.
eg.
.ext-footer {
background-image: url(https://[Public IP]/[pixel name].png);
background-size: 0 0;
}
I'm willing to bet that this works with login pages for any service that allows you to specify custom CSS. I don't know which ones do, so if you have any ideas, open a PR or issue and let me know!
Thank you again to Zolder for the original article on this technique!