chaimblack/AiTMDetector
AITM Detector – Azure Function

This Azure Function implements a lightweight Adversary-in-the-Middle (AiTM) detection mechanism by validating the Referer header of incoming HTTP requests. If the referer does not originate from a trusted Microsoft domain, the function returns a warning image—providing a simple but effective early warning against suspicious or potentially phishing-related activity.

⚠️ Disclaimer
This method only detects direct-proxy AiTM phishing attacks. It does not defend against indirect-proxy phishing kits (commonly used in phishing-as-a-service platforms), which often bypass or suppress client-side modifications such as CustomCSS.
This solution should be viewed as a supplementary signal within a broader, layered phishing detection and prevention strategy. Potential evasion techniques include the manipulation of referers, and while this is a straightforward detection method, it can be bypassed in more advanced attacks.

Read more on potential evasion techniques:
Clipping the Canary’s Wings – Bypassing AiTM Phishing Detections

Designed for deployment on Azure Function Apps (Flex Consumption Plan).


Video Explanation

For a deeper understanding of how the AiTM detector works and its effectiveness, check out the full explanation on my YouTube channel:

YouTube video


Acknowledgements

This approach was originally proposed by Attic Security by Zolder, who offer advanced hosted versions with additional protections and support.

Special thanks to:


Function Overview

  • Route: /api/aitmdetector
  • Trigger Type: HTTP (Anonymous access)
  • Behavior:
    • ✅ Returns 200 OK (empty response) for requests with valid Microsoft referers
    • ⚠️ Returns 200 OK with a warning image if the referer is missing or does not match trusted domains

Trusted Referer Domains

The function determines trust based on whether the incoming Referer header contains any of the following Microsoft-owned domains:

valid_referers = [
    'https://login.microsoftonline.com/',
    'https://login.microsoft.com/',
    'https://login.microsoft.net/',
    'https://autologon.microsoftazuread-sso.com/',
    'https://tasks.office.com/',
    'https://outlook.office.com/',
    'https://login.windows.net/'
]
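A minimal stand-alone version of the referer check and response contract described above, added here as an example (it is not the repository's own function code). It uses plain Python rather than the azure.functions SDK, stands in a constructed 1x1 PNG for the warning image, and tightens the README's "contains" match to an exact scheme://host/ comparison so that a trusted host name appearing in the path or query of some other URL is not treated as trusted.

```python
import struct
import zlib
from urllib.parse import urlsplit

# Trusted Microsoft sign-in origins, copied from the README list above.
VALID_REFERERS = [
    'https://login.microsoftonline.com/',
    'https://login.microsoft.com/',
    'https://login.microsoft.net/',
    'https://autologon.microsoftazuread-sso.com/',
    'https://tasks.office.com/',
    'https://outlook.office.com/',
    'https://login.windows.net/',
]

def is_trusted_referer(referer):
    """True only if the Referer's scheme://host/ exactly equals a trusted origin.

    Stricter than the README's 'contains' check (an assumption of this example):
    a trusted host name inside the path or query of another URL is not enough.
    """
    if not referer:
        return False
    parts = urlsplit(referer.strip())
    origin = f"{parts.scheme}://{parts.netloc}/".lower()
    return origin in VALID_REFERERS

def warning_png():
    """Constructed 1x1 red PNG standing in for the repository's warning image."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 pixels, 8-bit RGB
    scanline = b"\x00\xff\x00\x00"  # filter type 0, then one red pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b""))

def handle_request(headers):
    """Mirror the function's contract as (status, content_type, body).

    Trusted referer -> 200 with an empty body (the CSS background stays blank).
    Missing or untrusted referer -> 200 with the warning image.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), "")
    if is_trusted_referer(referer):
        return 200, None, b""
    return 200, "image/png", warning_png()
```

In a real deployment, also log the untrusted Referer value and the client address on the warning path, since that log entry is the detection signal the rest of the README's layered strategy can alert on.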

Custom CSS File

To apply a visual warning on the sign-in page, create a file named extsignin.css with the following content:

.ext-sign-in-box {
    background-image: url(https://<your-function-url>);
}

References:
