Description: This Canarytoken inserts CSS into your Azure tenant's Entra ID login page to detect when the page has been cloned. This can alert on targeted or Adversary-in-the-Middle (AitM) phishing attacks.

Step 1:

Log in to your Console.

Step 2:

Select the Canarytokens tile.

Step 3:

Select the "Azure Entra ID Login" token from the list.

Step 4:

Over time, you'll have thousands of Tokens deployed all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads “test" - and not knowing where you placed it.

Note: we used "Thinkst Tenant ID: 1234-1234-1234-1234" as the reminder.

Step 5:

This token can be deployed automatically or manually. If you choose to let us do it for you we'll ask to be granted permission to manage your Entra setup. If you'd prefer, you can do the setup yourself (it's fairly easy).

Automatic

Choosing the automatic flow will trigger a permissions prompt. If you'd prefer not to allow us access to manage your Entra setup please jump down to the Manual flow. If you're happy, hit accept and we'll add the token to your Entra login page.

Once complete you'll be dropped back onto your console. That's it! Your token was successfully deployed!

Manual

For the Manual flow you'll need to first download the CSS file.

Follow the link to your Entra ID login customisation page.

Click edit and navigate to the Layout section.

At the bottom of the page under "Custom CSS" upload the CSS. Hit "Review + save" and then "Save". That's it! Your Entra Login page will now serve the Canarytoken on each page load.

Alert:

An alert is triggered when the cloned Azure Entra Login page is loaded.

You're done! ;-)