Azure Entra ID Password Spraying (Non-Interactive SFA)

Mar 20, 2025 · Domain: Cloud Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/03/07"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high
 11number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers
 12may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA
 13login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them
 14a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from
 15acquired credentials via phishing, infostealers, or other means.
 16"""
 17false_positives = [
 18    """
 19    Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication
 20    settings may lead to false positives.
 21    """,
 22]
 23from = "now-30m"
 24interval = "10m"
 25language = "esql"
 26license = "Elastic License v2"
 27name = "Azure Entra ID Password Spraying (Non-Interactive SFA)"
 28note = """## Triage and analysis
 29
 30### Investigating Azure Entra ID Password Spraying (Non-Interactive SFA)
 31
 32This rule identifies repeated failed authentication attempts using non-interactive authentication, which is often leveraged for automated attacks or legacy authentication methods. Successful compromise of an account could lead to unauthorized access, privilege escalation, or lateral movement within the environment.
 33
 34**This is an ES|QL rule with aggregations that truncate results in the alert document. It is recommended to pivot investigation into the raw documents for further triage and analysis.**
 35
 36### Possible investigation steps
 37
 38- Identify the source IP address from which the failed login attempts originated by reviewing `source.ip`. Determine if the IP is associated with known malicious activity using threat intelligence sources or if it belongs to a corporate VPN, proxy, or automation process.
 39- Analyze affected user accounts by reviewing `azure.signinlogs.properties.user_principal_name` to determine if they belong to privileged roles or high-value users. Look for patterns indicating multiple failed attempts across different users, which could suggest a password spraying attempt.
 40- Examine the authentication method used in `azure.signinlogs.properties.authentication_details` to identify which authentication protocols were attempted and why they failed. Legacy authentication methods may be more susceptible to brute-force attacks.
 41- Review the authentication error codes found in `azure.signinlogs.properties.status.error_code` to understand why the login attempts failed. Common errors include `50126` for invalid credentials, `50053` for account lockouts, `50055` for expired passwords, and `50056` for users without a password.
 42- Correlate failed logins with other sign-in activity by looking at `event.outcome`. Identify if there were any successful logins from the same user shortly after multiple failures or if there are different geolocations or device fingerprints associated with the same account.
 43- Review `azure.signinlogs.properties.app_id` to identify which applications were initiating the authentication attempts. Determine if these applications are Microsoft-owned, third-party, or custom applications and if they are authorized to access the resources.
 44- Check for any conditional access policies that may have been triggered by the failed login attempts by reviewing `azure.signinlogs.properties.authentication_requirement`. This can help identify if the failed attempts were due to policy enforcement or misconfiguration.
 45
 46## False positive analysis
 47
 48### Common benign scenarios
 49- Automated scripts or applications using non-interactive authentication may trigger this detection, particularly if they rely on legacy authentication protocols recorded in `azure.signinlogs.properties.authentication_protocol`.
 50- Corporate proxies or VPNs may cause multiple users to authenticate from the same IP, appearing as repeated failed attempts under `source.ip`.
 51- User account lockouts from forgotten passwords or misconfigured applications may show multiple authentication failures in `azure.signinlogs.properties.status.error_code`.
 52
 53### How to reduce false positives
 54- Exclude known trusted IPs, such as corporate infrastructure, from alerts by filtering `source.ip`.
 55- Exlcude known custom applications from `azure.signinlogs.properties.app_id` that are authorized to use non-interactive authentication.
 56- Ignore principals with a history of failed logins due to legitimate reasons, such as expired passwords or account lockouts, by filtering `azure.signinlogs.properties.user_principal_name`.
 57- Correlate sign-in failures with password reset events or normal user behavior before triggering an alert.
 58
 59## Response and remediation
 60
 61### Immediate actions
 62- Block the source IP address in `source.ip` if determined to be malicious.
 63- Reset passwords for all affected user accounts listed in `azure.signinlogs.properties.user_principal_name` and enforce stronger password policies.
 64- Ensure basic authentication is disabled for all applications using legacy authentication protocols listed in `azure.signinlogs.properties.authentication_protocol`.
 65- Enable multi-factor authentication (MFA) for impacted accounts to mitigate credential-based attacks.
 66- Review conditional access policies to ensure they are correctly configured to block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.
 67- Review Conditional Access policies to enforce risk-based authentication and block unauthorized access attempts recorded in `azure.signinlogs.properties.authentication_requirement`.
 68
 69### Long-term mitigation
 70- Implement a zero-trust security model by enforcing least privilege access and continuous authentication.
 71- Regularly review and update conditional access policies to ensure they are effective against evolving threats.
 72- Restrict the use of legacy authentication protocols by disabling authentication methods listed in `azure.signinlogs.properties.client_app_used`.
 73- Regularly audit authentication logs in `azure.signinlogs` to detect abnormal login behavior and ensure early detection of potential attacks.
 74- Regularly rotate client credentials and secrets for applications using non-interactive authentication to reduce the risk of credential theft.
 75"""
 76references = ["https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf"]
 77risk_score = 47
 78rule_id = "cca64114-fb8b-11ef-86e2-f661ea17fbce"
 79severity = "medium"
 80tags = [
 81    "Domain: Cloud",
 82    "Data Source: Azure",
 83    "Data Source: Entra ID",
 84    "Data Source: Entra ID Sign-in",
 85    "Use Case: Identity and Access Audit",
 86    "Use Case: Threat Detection",
 87    "Tactic: Credential Access",
 88    "Resources: Investigation Guide",
 89]
 90timestamp_override = "event.ingested"
 91type = "esql"
 92
 93query = '''
 94from logs-azure.signinlogs*
 95| keep
 96    @timestamp,
 97    event.dataset,
 98    event.category,
 99    azure.signinlogs.properties.is_interactive,
100    azure.signinlogs.properties.authentication_requirement,
101    azure.signinlogs.properties.resource_display_name,
102    azure.signinlogs.properties.status.error_code,
103    azure.signinlogs.properties.resource_service_principal_id,
104    azure.signinlogs.category,
105    event.outcome,
106    azure.signinlogs.properties.user_principal_name,
107    source.ip
108// truncate the timestamp to a 10-minute window
109| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)
110| WHERE
111  event.dataset == "azure.signinlogs"
112  and event.category == "authentication"
113  and azure.signinlogs.properties.is_interactive == false
114  and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
115  and event.outcome != "success"
116  and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
117    // for tuning review azure.signinlogs.properties.status.error_code
118    // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
119
120// count the number of unique user login attempts
121| stats
122    unique_user_login_count = count_distinct(azure.signinlogs.properties.resource_service_principal_id) by
123        target_time_window,
124        azure.signinlogs.properties.user_principal_name,
125        azure.signinlogs.properties.status.error_code
126
127// filter for >= 20 failed SFA auth attempts with the same error codes
128| where unique_user_login_count >= 20
129'''
130
131
132[[rule.threat]]
133framework = "MITRE ATT&CK"
134[[rule.threat.technique]]
135id = "T1110"
136name = "Brute Force"
137reference = "https://attack.mitre.org/techniques/T1110/"
138[[rule.threat.technique.subtechnique]]
139id = "T1110.003"
140name = "Password Spraying"
141reference = "https://attack.mitre.org/techniques/T1110/003/"
142
143
144
145[rule.threat.tactic]
146id = "TA0006"
147name = "Credential Access"
148reference = "https://attack.mitre.org/tactics/TA0006/"

Triage and analysis

Investigating Azure Entra ID Password Spraying (Non-Interactive SFA)

This rule identifies repeated failed authentication attempts using non-interactive authentication, which is often leveraged for automated attacks or legacy authentication methods. Successful compromise of an account could lead to unauthorized access, privilege escalation, or lateral movement within the environment.

This is an ES|QL rule with aggregations that truncate results in the alert document. It is recommended to pivot investigation into the raw documents for further triage and analysis.

Possible investigation steps

Identify the source IP address from which the failed login attempts originated by reviewing source.ip. Determine if the IP is associated with known malicious activity using threat intelligence sources or if it belongs to a corporate VPN, proxy, or automation process.
Analyze affected user accounts by reviewing azure.signinlogs.properties.user_principal_name to determine if they belong to privileged roles or high-value users. Look for patterns indicating multiple failed attempts across different users, which could suggest a password spraying attempt.
Examine the authentication method used in azure.signinlogs.properties.authentication_details to identify which authentication protocols were attempted and why they failed. Legacy authentication methods may be more susceptible to brute-force attacks.
Review the authentication error codes found in azure.signinlogs.properties.status.error_code to understand why the login attempts failed. Common errors include 50126 for invalid credentials, 50053 for account lockouts, 50055 for expired passwords, and 50056 for users without a password.
Correlate failed logins with other sign-in activity by looking at event.outcome. Identify if there were any successful logins from the same user shortly after multiple failures or if there are different geolocations or device fingerprints associated with the same account.
Review azure.signinlogs.properties.app_id to identify which applications were initiating the authentication attempts. Determine if these applications are Microsoft-owned, third-party, or custom applications and if they are authorized to access the resources.
Check for any conditional access policies that may have been triggered by the failed login attempts by reviewing azure.signinlogs.properties.authentication_requirement. This can help identify if the failed attempts were due to policy enforcement or misconfiguration.

False positive analysis

Common benign scenarios

Automated scripts or applications using non-interactive authentication may trigger this detection, particularly if they rely on legacy authentication protocols recorded in azure.signinlogs.properties.authentication_protocol.
Corporate proxies or VPNs may cause multiple users to authenticate from the same IP, appearing as repeated failed attempts under source.ip.
User account lockouts from forgotten passwords or misconfigured applications may show multiple authentication failures in azure.signinlogs.properties.status.error_code.

How to reduce false positives

Exclude known trusted IPs, such as corporate infrastructure, from alerts by filtering source.ip.
Exlcude known custom applications from azure.signinlogs.properties.app_id that are authorized to use non-interactive authentication.
Ignore principals with a history of failed logins due to legitimate reasons, such as expired passwords or account lockouts, by filtering azure.signinlogs.properties.user_principal_name.
Correlate sign-in failures with password reset events or normal user behavior before triggering an alert.

Response and remediation

Immediate actions

Block the source IP address in source.ip if determined to be malicious.
Reset passwords for all affected user accounts listed in azure.signinlogs.properties.user_principal_name and enforce stronger password policies.
Ensure basic authentication is disabled for all applications using legacy authentication protocols listed in azure.signinlogs.properties.authentication_protocol.
Enable multi-factor authentication (MFA) for impacted accounts to mitigate credential-based attacks.
Review conditional access policies to ensure they are correctly configured to block unauthorized access attempts recorded in azure.signinlogs.properties.authentication_requirement.
Review Conditional Access policies to enforce risk-based authentication and block unauthorized access attempts recorded in azure.signinlogs.properties.authentication_requirement.

Long-term mitigation

Implement a zero-trust security model by enforcing least privilege access and continuous authentication.
Regularly review and update conditional access policies to ensure they are effective against evolving threats.
Restrict the use of legacy authentication protocols by disabling authentication methods listed in azure.signinlogs.properties.client_app_used.
Regularly audit authentication logs in azure.signinlogs to detect abnormal login behavior and ensure early detection of potential attacks.
Regularly rotate client credentials and secrets for applications using non-interactive authentication to reduce the risk of credential theft.

References

®5^òè'�ØÇúswéi¥2<Žñòšæ—æšæ£å7Í÷šw”Ç6›áÒ¹]í¸&õòbÒ@J"jv%GÈV«ŸbZøâG)œ§ã(¾g˜Ý‡øà;@h´z.P-;|pÄÙÎã³×üê%Ø%!ÕüÞYO6äÞÍ.J ß¸º¹¸Õ–²àÔ”Ç…‚Û{¢òø3ÅT¤ÍŸ;¾%Þll†Ä±$=¨e~H¸2ý—gx€â;Ñ™¨Tû;a [u)Òõ¢f³àõj...

Read More