I got a "Potential Phishing page detected" alert. What do I do with that?


Last updated 4 months ago

Introduced in CIPP v5.0.0, the standard named "Enable Phishing Protection system via branding CSS" is what generates this alert.

Overview

What does the standard do?

This is intended as a high-level overview. If you want to go deep into the technical weeds, the standard is based on a project called Clarion by HuskyHacks; check out its GitHub repo for full technical details on the inspiration for this standard.

This standard modifies the tenant's custom branding, either adding to the existing branding or creating a new custom branding if none exists. Once modified, the branding includes an image the size of a single pixel. This image acts as a type of canary token: it is invisible to the user, but every request for it is a signal.

Canary? What? The canary token concept is based on the old practice of keeping a canary in coal mines. The canary was more sensitive to carbon monoxide and would show signs of carbon monoxide poisoning much faster than the miners. If the canary got sick, the miners knew it was time to get out.

Adversary in the Middle (AitM) phishing kits proxy the real sign-in page, so the tenant's custom branding is rendered on the phishing page too; this is deliberate, because end users have been taught to look for the branding as a sign that the page is legitimate. Because the standard has made the canary pixel part of that branding, the victim's browser loads the single pixel image from the phishing page as well.

When the pixel is requested, the request reveals its referrer, that is, the page the image was loaded from. If that referrer is not a legitimate Microsoft login page, the standard triggers the alert and causes the tenant branding to show a different image that warns the end user not to continue the login:

[Image: Warning Image Added When AitM Site Detected]

In most cases this should be enough to stop the AitM attack, as the text "DO NOT ENTER YOUR PASSWORD" is placed directly over the password field.

What information does the canary token get?

Since the image is loaded by the user's browser, you're limited to what that single image request carries:

  • The URL of the page that loaded the image, taken from the request's referrer (Note: this is not always available; the page or a browser extension can strip the referrer.)

  • The public IP address the page was accessed from (normally the victim's browser, since it is the browser that fetches the image)

  • The tenant that was being logged in to (the branding, and therefore the pixel, belongs to one tenant)
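
The following is an added, illustrative model of the mechanism described above and of the fields the alert can carry; it is not CIPP's or Clarion's code. It serves the canary pixel, classifies the request's referrer, and produces an alert record with the page URL, public IP and tenant. The allowlisted hostnames, the "?tenant=<id>" query parameter, the alert format and the X-Forwarded-For handling are assumptions made for the example; a request with no referrer at all is deliberately not treated as phishing, which is how the model limits the false positives discussed later on this page.

```python
"""
Model of a branding canary pixel endpoint: classify the referrer of the image
request, serve the transparent 1x1 pixel or the warning image, and emit an
alert record carrying the fields the alert can provide (page URL, public IP,
tenant).

Added, illustrative code: not CIPP's or Clarion's implementation. The
allowlisted hostnames, the "?tenant=<id>" query parameter, the alert format
and the X-Forwarded-For handling are assumptions made for this example.
"""
from __future__ import annotations

import base64
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Hosts a genuine Microsoft sign-in page is served from (assumed allowlist;
# extend it for the sovereign clouds your tenants use).
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# The canary itself: a 1x1 transparent GIF.
CANARY_PIXEL = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==")
# Stand-in for the "DO NOT ENTER YOUR PASSWORD" overlay image.
WARNING_IMAGE = b"<warning image bytes>"


def classify_referrer(referer: str | None) -> str:
    """Return 'legit', 'unknown' (no usable referrer) or 'suspicious'."""
    if not referer:
        return "unknown"  # stripped by a Referrer-Policy, an extension, etc.
    parsed = urlparse(referer)
    host = (parsed.hostname or "").lower()
    # Compare only the parsed hostname, over https. A raw substring check would
    # be fooled by "https://login.microsoftonline.com@evil.example/" (userinfo)
    # or "https://evil.example/login.microsoftonline.com/" (path).
    if parsed.scheme == "https" and host in LEGIT_LOGIN_HOSTS:
        return "legit"
    return "suspicious"


def handle_canary_request(path: str, headers: dict[str, str], client_ip: str) -> tuple[bytes, dict | None]:
    """Choose the image to return for one request and build an alert if warranted."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    referer = hdrs.get("referer")
    # Behind a CDN or reverse proxy the browser's public IP is the first hop in
    # X-Forwarded-For; only trust that header if your own proxy sets it.
    forwarded = hdrs.get("x-forwarded-for")
    public_ip = forwarded.split(",")[0].strip() if forwarded else client_ip
    tenant = parse_qs(urlparse(path).query).get("tenant", ["unknown"])[0]

    if classify_referrer(referer) != "suspicious":
        # A missing referrer is not treated as phishing: it is far too common
        # (privacy settings, extensions) to be a reliable signal on its own.
        return CANARY_PIXEL, None

    alert = {
        "alert": "Potential Phishing page detected",
        "time": datetime.now(timezone.utc).isoformat(),
        "tenant": tenant,
        "page_url": referer,     # the AitM page's URL, as the browser reported it
        "public_ip": public_ip,  # the address the page was accessed from
    }
    return WARNING_IMAGE, alert


class CanaryHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front-end so the model can be poked with curl or a browser."""

    def do_GET(self) -> None:
        body, alert = handle_canary_request(self.path, dict(self.headers), self.client_address[0])
        if alert:
            print(json.dumps(alert))  # hand off to your alerting pipeline here
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")  # a cached pixel never phones home again
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CanaryHandler).serve_forever()
```

Run it and request the pixel with a forged referrer, for example `curl -H "Referer: https://evil.example/login" "http://127.0.0.1:8080/canary.gif?tenant=contoso"`, and the alert record is printed while the warning image is returned; the same request with a login.microsoftonline.com referrer, or with no Referer header at all, gets the transparent pixel and no alert. The Cache-Control header matters more than it looks: if the browser caches the pixel, a later visit to a phishing page never contacts the canary.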

What can I do with this alert?

Given the limited information the alert carries, you're unlikely to pin it to an exact user in most cases. You may get lucky and correlate the public IP address to a user, for example by finding that user's normal sign-ins from the same address; however, that's not common. Here are a few actions you can take:

  • If the URL is provided, contact the site's hosting provider and alert them to the AitM site.

  • If the URL is provided, block the domain in all your environments, DNS filters, etc.

  • Review the Entra ID sign-in logs from around the time of the alert for anomalous sign-ins, for example a successful sign-in for a user who normally works from the alert's IP address but is now signing in from an unfamiliar one. This could indicate that the warning was not successful and that the user provided their full credentials to the attacker. Treat such an account as compromised; the Compromise Remediation action on the user in CIPP is the place to start.

  • Have the client's Account Manager reach out to the client's decision maker. Inform the client of the alert and any results of your investigation. Use this conversation as an opportunity to discuss your security offerings around Security Awareness Training and email protection. There could be an opportunity to refresh those offerings with them or introduce them if they have previously been resistant.
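
An added example of the log review suggested above, written for this page rather than taken from CIPP. It takes one alert (time, public IP, tenant) and a batch of sign-in records in the shape Microsoft Graph returns from /auditLogs/signIns, first finds the users who normally sign in from the canary's IP (the likely victims), then lists their sign-ins shortly after the alert that came from a different address. That second step reflects how AitM works: the kit relays the victim's credentials to Microsoft from the attacker's proxy, so Entra records the proxy's IP rather than the victim's. The records, the alert and both time windows are constructed assumptions for the example.

```python
"""
Triage helper for the "Potential Phishing page detected" alert.

Added example, not CIPP code. Input is a list of Entra ID sign-in records in
the shape Microsoft Graph returns from /auditLogs/signIns (createdDateTime,
userPrincipalName, ipAddress, status.errorCode, appDisplayName). The records
below are constructed sample data and the time windows are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta

LOOKBACK = timedelta(days=7)    # how far back to look for normal activity from the canary's IP (assumed)
WINDOW = timedelta(minutes=60)  # how long after the alert a relayed sign-in is expected (assumed)


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps Graph returns."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def candidate_victims(alert: dict, signins: list[dict]) -> set[str]:
    """
    The canary reports the public IP of the browser that rendered the phishing
    page. Users who signed in normally from that IP recently are the most
    likely people to have been on that page.
    """
    alert_time = _ts(alert["time"])
    return {
        s["userPrincipalName"]
        for s in signins
        if s.get("ipAddress") == alert["public_ip"]
        and alert_time - LOOKBACK <= _ts(s["createdDateTime"]) <= alert_time
    }


def relayed_signins(alert: dict, signins: list[dict], users: set[str]) -> list[dict]:
    """
    An AitM kit relays the victim's credentials (and MFA) to Microsoft from the
    attacker's proxy, so Entra records the proxy's IP, not the victim's. Any
    sign-in for a candidate victim shortly after the alert from an IP other
    than the canary's is worth a look; status.errorCode == 0 means Microsoft
    accepted it, which is the strongest sign the warning was ignored.
    """
    alert_time = _ts(alert["time"])
    hits = [
        s for s in signins
        if s["userPrincipalName"] in users
        and s.get("ipAddress") != alert["public_ip"]
        and alert_time <= _ts(s["createdDateTime"]) <= alert_time + WINDOW
    ]
    # Accepted sign-ins first, then by time.
    return sorted(hits, key=lambda s: (s.get("status", {}).get("errorCode", -1) != 0, s["createdDateTime"]))


def triage(alert: dict, signins: list[dict]) -> dict:
    """Combine both steps into one report for the responder."""
    users = candidate_victims(alert, signins)
    return {"candidate_victims": sorted(users), "relayed_signins": relayed_signins(alert, signins, users)}


# Constructed sample data (not real logs).
SAMPLE_ALERT = {"time": "2024-05-14T09:30:00Z", "public_ip": "203.0.113.7", "tenant": "contoso.onmicrosoft.com"}

SAMPLE_SIGNINS = [
    # alice's normal Teams sign-in from the office IP the day before: she is a candidate victim
    {"createdDateTime": "2024-05-13T08:02:11Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # carol signed in from the same office IP minutes before the alert: also a candidate
    {"createdDateTime": "2024-05-14T09:20:40Z", "userPrincipalName": "carol@contoso.com",
     "ipAddress": "203.0.113.7", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    # alice, three minutes after the alert, accepted from an address nobody at contoso uses
    {"createdDateTime": "2024-05-14T09:33:05Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "198.51.100.44", "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    # bob has never signed in from the canary's IP, so his sign-in is not correlated with this alert
    {"createdDateTime": "2024-05-14T09:35:12Z", "userPrincipalName": "bob@contoso.com",
     "ipAddress": "192.0.2.9", "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    # carol, from the same unknown address, but the password was wrong (50126)
    {"createdDateTime": "2024-05-14T09:40:00Z", "userPrincipalName": "carol@contoso.com",
     "ipAddress": "198.51.100.44", "appDisplayName": "OfficeHome", "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ALERT, SAMPLE_SIGNINS), indent=2))
```

On the sample data the report names alice and carol as candidate victims and lists two sign-ins from 198.51.100.44: alice's accepted one first, then carol's failed attempt. Both point at the same attacker address, so blocking it and treating alice's session as stolen are the obvious next moves. In practice, pull the records from Graph (or from CIPP's Sign-in Report) for the tenant named in the alert rather than from a list.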

Common Sources of False Positives

Since the standard relies on the referrer of the image request, there are a number of ways you could see a false positive:

  • Browser Extensions: Any browser extension that modifies the page's CSS can change the referrer the canary sees. A common extension that modifies the page's CSS is Dark Reader.
