Description: This Canarytoken inserts CSS into your Azure tenant's Entra ID login page to detect when the page has been cloned. This can alert on targeted or Adversary-in-the-Middle (AitM) phishing attacks.
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Select the "Azure Entra ID Login" token from the list.
Step 4:
Over time, you'll have thousands of Tokens deployed all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" and not knowing where you placed it.
Note: we used "Thinkst Tenant ID: 1234-1234-1234-1234" as the reminder.
Step 5:
This token can be deployed automatically or manually. If you choose to let us do it for you, we'll ask to be granted permission to manage your Entra setup. If you'd prefer, you can do the setup yourself (it's fairly easy).
Automatic
Choosing the automatic flow will trigger a permissions prompt. If you'd prefer not to allow us access to manage your Entra setup, please jump down to the Manual flow. If you're happy, hit accept and we'll add the token to your Entra login page.
Once complete you'll be dropped back onto your console. That's it! Your token was successfully deployed!
Manual
For the Manual flow you'll need to first download the CSS file.
Follow the link to your Entra ID login customisation page.
Click edit and navigate to the Layout section.
At the bottom of the page, under "Custom CSS", upload the CSS file. Hit "Review + save" and then "Save". That's it! Your Entra Login page will now serve the Canarytoken on each page load.
Alert:
Here is a quick example of how an Adversary-in-the-Middle (AitM) phishing attack would look. The attacker's phishing server sits between the user and the Azure Entra Login page, intercepting and forwarding the user's credentials (and MFA secrets).
With this Canarytoken, an alert is triggered as soon as the cloned Azure Entra Login page is loaded.
You're done! ;-)