Microsoft Entra ID SharePoint Access for User Principal via Auth Broker

calendar May 7, 2025 · Domain: Cloud Use Case: Identity and Access Audit Tactic: Collection Data Source: Azure Data Source: Microsoft Entra ID Data Source: Microsoft Entra ID Sign-in Logs Resources: Investigation Guide  ·
Share on: linkedin copy

This rule detects non-interactive authentication activity against SharePoint Online (Office 365 SharePoint Online) by a user principal via the Microsoft Authentication Broker application. The session leverages a refresh token or Primary Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/05/01"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/05/07"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects non-interactive authentication activity against SharePoint Online (`Office 365 SharePoint Online`) by
 11a user principal via the `Microsoft Authentication Broker` application. The session leverages a refresh token or Primary
 12Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios.
 13"""
 14false_positives = [
 15    """
 16    Legitimate non-interactive access to SharePoint Online via the Microsoft Authentication Broker may occur in
 17    enterprise environments, especially with MDM solutions or automated scripts. However, this should be explicitly
 18    allowed and monitored.
 19    """,
 20    """
 21    Some enterprise MDM or brokered flows may use refresh tokens legitimately (especially with hybrid/Azure AD joined
 22    devices). Automated scripts for legitimate tasks (e.g., reporting, backups) might use `python-requests`, though this
 23    should be explicitly allowed.
 24    """,
 25    """
 26    If the user is a developer or automation engineer, validate if this behavior was for testing purposes.
 27    """,
 28]
 29from = "now-9m"
 30index = ["logs-azure.signinlogs-*"]
 31language = "kuery"
 32license = "Elastic License v2"
 33name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
 34note = """## Triage and analysis
 35
 36### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
 37
 38This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 39
 40This is a [New Terms rule](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.
 41
 42### Possible Investigation Steps:
 43
 44- `azure.signinlogs.properties.user_principal_name`: Identify the user involved. Investigate whether this user typically accesses SharePoint or if this is an anomaly.
 45- `azure.signinlogs.properties.app_display_name`: Verify the application used (e.g., Authentication Broker). Determine if the app is expected for SharePoint access in your environment.
 46- `azure.signinlogs.properties.resource_display_name`: Review the resource being accessed. SharePoint activity should be aligned with job roles or historical usage.
 47- `azure.signinlogs.properties.incoming_token_type`: Indicates the token type used. Look for `refreshToken` or `primaryRefreshToken`, which may point to token replay or silent access.
 48- `azure.signinlogs.properties.is_interactive`: If false, indicates the sign-in was non-interactive. Correlate with recent sign-ins to understand if a prior session may have been reused.
 49- `user_agent.original`: Analyze the user agent string for automation indicators (e.g., scripts, unusual clients). Compare with what’s typical for the user or device.
 50- `source.ip`: Check the originating IP address. Investigate if the IP is associated with data centers, VPNs, anonymizers, or is geographically unusual for the user.
 51- `source.geo.*`: Evaluate sign-in location details. Determine if the sign-in location aligns with expected travel or usage behavior.
 52- `azure.signinlogs.properties.applied_conditional_access_policies`: Review whether Conditional Access policies were triggered or bypassed. Investigate if required controls (like MFA) were applied.
 53- `azure.signinlogs.properties.authentication_processing_details`: Review any details about the authentication, such as token type or scopes. This may indicate delegated access or automation patterns.
 54
 55### False Positive Analysis
 56
 57- Certain MDM or mobile app scenarios may use refresh tokens legitimately via brokered apps.
 58- Automated processes using authorized, scripted clients could trigger this activity, especially in developer or operations environments.
 59- If Conditional Access policies are configured in “report-only” mode or exempted for trusted apps, activity may appear unusual but be authorized.
 60
 61### Response and Remediation
 62
 63- If activity appears unauthorized:
 64  - Investigate and revoke active sessions or refresh tokens.
 65  - Notify the user and validate expected activity.
 66  - Review and audit app consent permissions and remove unused or high-risk delegated access.
 67- Harden Conditional Access policies to limit non-interactive access to sensitive resources.
 68- Monitor for repeated use of the same user agent, IP, or token type across other users to identify broader campaigns.
 69- Consider alerting on unusual patterns in sign-in frequency, geography, and application usage for SharePoint and other key services.
 70
 71"""
 72references = [
 73    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
 74    "https://github.com/dirkjanm/ROADtools",
 75    "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",
 76]
 77risk_score = 73
 78rule_id = "a3cc60d8-2701-11f0-accf-f661ea17fbcd"
 79setup = """#### Required Microsoft Entra ID Sign-In Logs
 80To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collected and streamed into the Elastic Stack via the Azure integration.
 81"""
 82severity = "high"
 83tags = [
 84    "Domain: Cloud",
 85    "Use Case: Identity and Access Audit",
 86    "Tactic: Collection",
 87    "Data Source: Azure",
 88    "Data Source: Microsoft Entra ID",
 89    "Data Source: Microsoft Entra ID Sign-in Logs",
 90    "Resources: Investigation Guide",
 91]
 92timestamp_override = "event.ingested"
 93type = "new_terms"
 94
 95query = '''
 96event.dataset: "azure.signinlogs"
 97    and azure.signinlogs.properties.app_id: "29d9ed98-a469-4536-ade2-f981bc1d605e"
 98    and azure.signinlogs.properties.resource_id: "00000003-0000-0ff1-ce00-000000000000"
 99    and azure.signinlogs.identity: *
100    and azure.signinlogs.properties.user_principal_name: *
101    and azure.signinlogs.properties.incoming_token_type: ("refreshToken" or "primaryRefreshToken")
102    and azure.signinlogs.properties.is_interactive: false
103'''
104
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108[[rule.threat.technique]]
109id = "T1213"
110name = "Data from Information Repositories"
111reference = "https://attack.mitre.org/techniques/T1213/"
112[[rule.threat.technique.subtechnique]]
113id = "T1213.002"
114name = "Sharepoint"
115reference = "https://attack.mitre.org/techniques/T1213/002/"
116
117
118
119[rule.threat.tactic]
120id = "TA0009"
121name = "Collection"
122reference = "https://attack.mitre.org/tactics/TA0009/"
123
124[rule.new_terms]
125field = "new_terms_fields"
126value = ["azure.signinlogs.properties.user_principal_name"]
127[[rule.new_terms.history_window_start]]
128field = "history_window_start"
129value = "now-14d"

Triage and analysis

Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker

This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.

This is a New Terms rule that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.

Possible Investigation Steps:

  • azure.signinlogs.properties.user_principal_name: Identify the user involved. Investigate whether this user typically accesses SharePoint or if this is an anomaly.
  • azure.signinlogs.properties.app_display_name: Verify the application used (e.g., Authentication Broker). Determine if the app is expected for SharePoint access in your environment.
  • azure.signinlogs.properties.resource_display_name: Review the resource being accessed. SharePoint activity should be aligned with job roles or historical usage.
  • azure.signinlogs.properties.incoming_token_type: Indicates the token type used. Look for refreshToken or primaryRefreshToken, which may point to token replay or silent access.
  • azure.signinlogs.properties.is_interactive: If false, indicates the sign-in was non-interactive. Correlate with recent sign-ins to understand if a prior session may have been reused.
  • user_agent.original: Analyze the user agent string for automation indicators (e.g., scripts, unusual clients). Compare with what’s typical for the user or device.
  • source.ip: Check the originating IP address. Investigate if the IP is associated with data centers, VPNs, anonymizers, or is geographically unusual for the user.
  • source.geo.*: Evaluate sign-in location details. Determine if the sign-in location aligns with expected travel or usage behavior.
  • azure.signinlogs.properties.applied_conditional_access_policies: Review whether Conditional Access policies were triggered or bypassed. Investigate if required controls (like MFA) were applied.
  • azure.signinlogs.properties.authentication_processing_details: Review any details about the authentication, such as token type or scopes. This may indicate delegated access or automation patterns.

False Positive Analysis

  • Certain MDM or mobile app scenarios may use refresh tokens legitimately via brokered apps.
  • Automated processes using authorized, scripted clients could trigger this activity, especially in developer or operations environments.
  • If Conditional Access policies are configured in “report-only” mode or exempted for trusted apps, activity may appear unusual but be authorized.

Response and Remediation

  • If activity appears unauthorized:
    • Investigate and revoke active sessions or refresh tokens.
    • Notify the user and validate expected activity.
    • Review and audit app consent permissions and remove unused or high-risk delegated access.
  • Harden Conditional Access policies to limit non-interactive access to sensitive resources.
  • Monitor for repeated use of the same user agent, IP, or token type across other users to identify broader campaigns.
  • Consider alerting on unusual patterns in sign-in frequency, geography, and application usage for SharePoint and other key services.

References

  • Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows

    Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing...


    Read More

  • GitHub - dirkjanm/ROADtools: A collection of Azure AD/Entra tools for offensive and defensive security purposes

    A collection of Azure AD/Entra tools for offensive and defensive security purposes - dirkjanm/ROADtools


    Read More

  • Phishing for Primary Refresh Tokens and Windows Hello keys

    In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID connected application and web site. In phishing scenarios, especially those that abuse legit OAuth flows such as device code phishing, the resulting tokens are often less powerful tokens that are limited in scope or usage methods. In this blog, I will describe new techniques to phish directly for Primary Refresh Tokens, and in some scenarios also deploy passwordless credentials that comply with even the strictest MFA policies.


    Read More

Related rules

to-top