Conditional Access Policy: Phishing Simulation
Conditional Access Policy: Overview & Purpose
This project involves setting up a phishing simulation together with a Conditional Access Policy that prevents stolen credentials from being used for unauthorized access. In the simulation, a user receives a phishing email containing a link to a fake login page. After the user enters their credentials, a bad actor attempts to use the captured credentials to sign in. The Conditional Access Policy blocks such sign-in attempts unless the request originates from the trusted home office network.
What Was Used
To build and host this project, I used a modern tech stack and various cloud services, including:
• Microsoft Office 365 Outlook: For sending phishing simulation emails.
• Microsoft Entra ID (formerly Azure Active Directory): To manage users and enforce the conditional access policies.
• VPN: Used to simulate login attempts from different locations to verify that only the home network IP range allows successful login.
Use Case
Phishing attacks are one of the most common ways attackers steal user credentials. In this use case, a phishing simulation is designed to test whether credentials obtained through a fake login page could be used by a malicious actor.
The conditional access policy adds an extra security layer by restricting successful logins to specific network locations, such as the trusted home office network. Even if credentials are compromised, the attacker cannot log in unless they are connected to this predefined network.
This setup aligns with zero-trust principles: user credentials alone are not sufficient to gain access, because the origin of each access attempt is verified before login is allowed.
Implementation
The policy was implemented using a network-based approach that restricts access under the following rules:
• IP Range Restriction: Only devices on the home office network can log in to the account, even with valid credentials.
• Blocked IPs: All login attempts from unrecognized networks, including those that reused the credentials captured in the phishing simulation, were blocked.
The policy ensures that unauthorized actors, even with compromised login details, cannot gain entry unless they are connecting from a trusted IP range.
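The two rules above map onto one named location plus one block policy in Entra ID. The script below is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not the project's own configuration. The IP range 203.0.113.0/24, the accounts user@contoso.example and breakglass@contoso.example, and the policy name are placeholders.

```powershell
# Added example, not the project's own configuration: builds the trusted named location
# and the block-outside-trusted-network policy with the Microsoft Graph PowerShell SDK.
# Placeholders (assumptions): 203.0.113.0/24 stands in for the home office IP range,
# user@contoso.example for the test account, breakglass@contoso.example for an
# emergency-access account that must never be locked out.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# 1. Named location describing the trusted home office network.
$homeOffice = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Home Office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Policy scoping uses object ids, so resolve the UPNs first.
$testUser   = Get-MgUser -UserId "user@contoso.example"
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

# 3. Block policy: every cloud app, every location except the named location.
#    Created in report-only state so the sign-in log shows what would be blocked
#    before anyone is actually locked out.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block sign-in outside home office"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @($testUser.Id)
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($homeOffice.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# 4. Once the report-only results look right, switch the policy to enforcement.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{
    state = "enabled"
}
```

Two design choices are worth keeping even in a lab: the policy starts in report-only mode so the sign-in log can confirm which attempts it would have blocked, and an emergency-access account is excluded so a wrong CIDR does not lock the administrator out of the tenant.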
Challenges
This project was relatively straightforward to implement. No significant technical issues arose during configuration or testing.
Outcome
The implemented Conditional Access Policy improved the account's security posture by blocking every login attempt from outside the predefined home network range. This mitigates the risk of unauthorized access even when credentials have been stolen through phishing.
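The outcome above can be checked against the Entra sign-in log rather than by trusting the VPN tests alone. The script below is an added example written for this page, not the project's own code; it assumes the placeholder account user@contoso.example, the placeholder range 203.0.113.0/24 and the policy name "Block sign-in outside home office", and it lists each recent attempt with the Conditional Access decision, then flags any successful sign-in that did not come from the trusted range.

```powershell
# Added example, not the project's own code: pulls the test account's recent sign-ins
# from the Entra sign-in log and checks that every attempt from outside the trusted
# range was blocked by Conditional Access.
# Placeholders (assumptions): user@contoso.example is the test account, 203.0.113.0/24
# the home office range, and "Block sign-in outside home office" the policy name.
# Requires the Microsoft.Graph.Reports module.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn         = "user@contoso.example"
$trustedCidr = "203.0.113.0/24"
$policyName  = "Block sign-in outside home office"
$since       = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Returns $true when an IPv4 address falls inside a CIDR block; IPv6 is treated as untrusted.
function Test-IPv4InCidr {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $toUInt32 = {
        param($text)
        $addr = [System.Net.IPAddress]::Parse($text)
        if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
        $bytes = $addr.GetAddressBytes()
        [Array]::Reverse($bytes)          # network byte order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $ip  = & $toUInt32 $IPAddress
    $net = & $toUInt32 $network
    if ($null -eq $ip -or $null -eq $net) { return $false }
    # Mask with the top $prefix bits set, built arithmetically to avoid shift-width edge cases.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    return (($ip -band $mask) -eq ($net -band $mask))
}

$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

# One row per attempt: where it came from and what Conditional Access decided.
$signIns | ForEach-Object {
    $applied = $_.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    [pscustomobject]@{
        Time         = $_.CreatedDateTime
        IPAddress    = $_.IPAddress
        Trusted      = Test-IPv4InCidr -IPAddress $_.IPAddress -Cidr $trustedCidr
        CAStatus     = $_.ConditionalAccessStatus   # success | failure | notApplied
        PolicyResult = $applied.Result              # failure = blocked; reportOnlyFailure while in report-only
        ErrorCode    = $_.Status.ErrorCode          # 53003 = blocked by Conditional Access
    }
} | Format-Table -AutoSize

# A successful sign-in (error code 0) from outside the trusted range means the policy is not doing its job.
$gaps = $signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and -not (Test-IPv4InCidr -IPAddress $_.IPAddress -Cidr $trustedCidr)
}
if ($gaps) {
    Write-Warning "$($gaps.Count) successful sign-in(s) from outside $trustedCidr"
    $gaps | Select-Object CreatedDateTime, IPAddress, ClientAppUsed | Format-Table -AutoSize
} else {
    Write-Host "All successful sign-ins for $upn came from $trustedCidr."
}
```

While the policy is still in report-only mode the blocked attempts show a policy result of reportOnlyFailure and an error code of 0, so the final check only becomes meaningful after the policy state is switched to enabled.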
Lessons Learned
This project highlighted the importance of network-based access control as part of a comprehensive security strategy. It reinforced the effectiveness of Conditional Access Policies and demonstrated that:
• Credentials alone are not enough: Location-based policies add critical context to authentication attempts.
• Zero Trust Architecture: Policies like these help shift towards a more robust security model where trust is not implicit based on user credentials alone.
• Continuous Improvement: Future policies could incorporate Multi-Factor Authentication (MFA) or device compliance policies to further enhance security.