Agentless CSS Phishing Protection

Advanced, free protection against Adversary-in-the-Middle (AITM) phishing attacks on Microsoft 365 sign-in pages — using custom CSS branding and server-side session validation.


Threat actors frequently target finance or accounting personnel. Once they gain access, they often send altered invoices to existing customers with fraudulent account details. Depending on the business, the resulting financial and reputational damage can be severe — in some cases, losses have reached up to $100,000 from a single compromised account.

Recent high-value breaches where attackers successfully accessed user accounts include incidents such as The Hague Gemeente fake email campaign and the Dutch police contact details breach. Each of these incidents could have been mitigated by applying the controls discussed here and in our broader Microsoft 365 security baseline.

Regular MFA does not protect against these modern attacks. Threat actors use specially designed proxy servers to record user sessions — including the MFA token — in Adversary-in-the-Middle (AITM) attacks, bypassing what is often considered a secure control.


How It Works

This solution combines custom CSS uploaded to your Entra ID company branding with a server-side validation service. During each login, the servers validate the login session. Users see a clear visual confirmation on a legitimate sign-in, and a red background with warning text when anomalies are detected on a phishing site.

Safe Login

Background logo confirms the session was validated against a legitimate Microsoft sign-in flow.

Suspicious session detected

Phishing Login

Red background and warning text alert the user that the login page is not trustworthy.

While this technique is effective at present, there is no guarantee it will remain so indefinitely. Platforms like EvilGinx, used by threat actors, actively develop countermeasures against protections. To address this, the solution uses an image indicator for safe logins — if no indicator is present on a page that looks like Microsoft, users should treat it as a phishing site.

The CSS phishing protection service is hosted on high-performance server tiers across two continents within Azure data centres, ensuring optimal performance and high availability.

Update — 1 August 2025

More recent AITM phishing kits now bypass standard CSS-only protection. The platform has been upgraded with additional verification that triggers a warning when suspicious patterns are detected.

We recommend not relying solely on this anti-phishing technique. Several other mitigations protect against phishing — including hardware-bound MFA, Conditional Access, and Defender for Office 365 — all covered in our Modern Workplace & Enterprise Security overview.


How to Implement

This solution requires uploading a CSS file to your company’s login branding page in Entra ID. Copy and save the CSS below. Optionally, replace the email address in the URL to receive alerts when phishing detections occur.

Opening the canary URL directly in a browser will not show an image — the protection works when the URL is loaded from CSS during sign-in.

CSS — Entra ID Company Branding

.ext-sign-in-box
{
  background-image: url("https://canary.modernworkplace.services/api/your-email@yourdomain.com");
}

.ext-sign-in-box
{
  background: white url('https://canary.modernworkplace.services/api/your-email@yourdomain.com') center no-repeat;
}

Replace your-email@yourdomain.com with your alert address (URL-encoded if needed).

  1. Sign in to the Entra admin centre.
  2. Go to Company branding > Default sign-in experience (or your custom branding profile).
  3. Open the Layout tab and upload your CSS file. See Microsoft’s branding documentation for details.
  4. Save changes. Allow up to 10 minutes for the safe-login indicator to appear on sign-in.

The CSS protection activates each time a user signs into a Microsoft portal. A red background is shown whenever a user visits a phishing website that proxies the login flow.
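One way a self-hosted validation endpoint could decide which image to serve for the canary URL above. This is an added example, not the service's own code. It assumes the check is based on the Referer header sent with the CSS background request, which the page does not state; the host allowlist, image names and function names are also assumptions.

```python
from urllib.parse import unquote, urlsplit

# Assumption: hosts that legitimately render the Entra ID sign-in page (not exhaustive).
LEGIT_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}


def referer_host(headers):
    """Return the lower-cased host of an https Referer, or None if absent or unparseable."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), "")
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. malformed bracketed host
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def handle_canary(path, headers):
    """Decide the response for GET /api/<alert-address> and whether to raise an alert."""
    alert_to = unquote(path.rsplit("/", 1)[-1])  # address may arrive URL-encoded
    host = referer_host(headers)
    if host in LEGIT_SIGNIN_HOSTS:
        # Exact host match: the page was rendered by the real sign-in origin.
        return {"verdict": "safe", "image": "safe-logo.png", "alert": None}
    if host is None:
        # Referer missing or stripped: serve nothing, so the safe indicator is absent.
        return {"verdict": "unknown", "image": None, "alert": None}
    # Any other origin rendered the sign-in page, which is what a proxy looks like.
    return {"verdict": "phish", "image": "red-warning.png",
            "alert": {"to": alert_to, "proxy_host": host}}


# Constructed sample requests; the .example hosts are placeholders.
SAMPLES = [
    {"Referer": "https://login.microsoftonline.com/"},
    {"Referer": "https://login.microsoftonline.com.evil.example/common/oauth2"},
    {"Referer": "https://login.microsoftonline.com@evil.example/"},
    {},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.get("Referer", "<none>"), "->",
              handle_canary("/api/soc%40contoso.example", sample)["verdict"])
```

The allowlist is compared by exact host rather than by prefix or substring, so lookalike hosts that merely begin with or embed the Microsoft name are classified as phishing.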


Custom Deployment

We can create a custom version of this CSS security solution tailored to your organisation — hosted on your infrastructure or ours. Custom deployments can include branded safe-login logos, incident response workflows, multi-tenant alerting, and security orchestration.

Whether you need to strengthen a single tenant or manage security across many as an MSP, the approach scales to match your requirements.


Need Help Securing Microsoft 365?

From CSS phishing protection to a full Zero Trust baseline — we can deploy, customise, and monitor your environment.
