An Easy Conditional Access Policy to Block Lots of AitM Attacks
We see a lot of attacker-in-the-middle attacks here at Petra. Here's a policy you can use that will block a whole lot of them in your tenant in 5 minutes.
Last week, I published a deep dive on an attacker-in-the-middle (AitM) attack we caught. I noted these attacks often come from Global Internet Solutions LLC, a datacenter in Phoenix.
Later, I checked Microsoft’s risk events and realized that Microsoft misclassified the IP’s location as Atlanta instead of Phoenix. If you're blocking Phoenix logins to stop these attackers, note that Microsoft sees them as coming from Atlanta, so these attacks would bypass your conditional access.
In this case, blocking hardcoded IP ranges is more reliable. The two IP ranges from Phoenix we see often in AitM attacks are:
2a00:b703:fff2::/48 (AS207713 Global Internet Solutions LLC)
2a05:0541:0116::/48 (AS215540 Global Connectivity Solutions LLP)
The rest of this piece provides step-by-step instructions for configuring the proper conditional access policies.
Step 1: Create Named Locations for Global Internet Solutions LLC and Global Connectivity Solutions LLP
In the Azure portal:
Navigate to Azure Active Directory > Security > Conditional Access > Named locations.
Click New location.
Name the location "AitM Datacenter - Global Internet Solutions LLC".
Under IP ranges, add 2a00:b703:fff2::/48.
Save the named location.
Click New location.
Name the location "AitM Datacenter - Global Connectivity Solutions LLP".
Under IP ranges, add 2a05:0541:0116::/48.
Save the named location.
Step 2: Create Conditional Access Policy to Block Named Locations
Navigate to Azure Active Directory > Security > Conditional Access > Policies.
Click + New policy.
Name the policy (e.g., "Block AitM Datacenters").
Under Assignments:
Users or workload identities: Select All users
Cloud apps or actions: Select All cloud apps
Conditions:
Select Locations.
Include the newly created named locations "AitM Datacenter - Global Internet Solutions LLC" and "AitM Datacenter - Global Connectivity Solutions LLP".
Under Access controls:
Choose Block access.
Enable the policy.
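If you would rather script Steps 1 and 2 than click through the portal, here is the same configuration built with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to the two Conditional Access scopes.

```powershell
# Added example (not from the original post): scripted equivalent of Steps 1 and 2
# using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Step 1: one named location per datacenter, using the two ranges from the post.
# isTrusted stays $false: these ranges are being blocked, not exempted from MFA.
$ranges = @(
    @{ Name = "AitM Datacenter - Global Internet Solutions LLC";    Cidr = "2a00:b703:fff2::/48" },
    @{ Name = "AitM Datacenter - Global Connectivity Solutions LLP"; Cidr = "2a05:0541:0116::/48" }
)
$locationIds = foreach ($r in $ranges) {
    $body = @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        displayName   = $r.Name
        isTrusted     = $false
        ipRanges      = @(
            @{ "@odata.type" = "#microsoft.graph.iPv6CidrRange"; cidrAddress = $r.Cidr }
        )
    }
    (New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body).Id
}

# Step 2: block all users on all cloud apps when the sign-in originates from either
# named location. "enabled" matches the post; "enabledForReportingButNotEnforced"
# is the report-only state if you want to watch sign-in logs before enforcing.
$policy = @{
    displayName   = "Block AitM Datacenters"
    state         = "enabled"
    conditions    = @{
        users        = @{ includeUsers = @("All") }   # excludeUsers is where break-glass accounts would go
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($locationIds) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After it runs, the new policy and both named locations appear in the portal exactly as if they had been created in Steps 1 and 2, so the portal steps can be used to verify the result.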
If you want to learn more about these attacks, I’m always happy to talk shop. Shoot me a note at [first name] [at] petrasecurity.com.