Suspicious Entra ID OAuth User Impersonation Scope Detected

  1[metadata]
  2creation_date = "2025/07/03"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/07/03"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies rare occurrences of OAuth workflow for a user principal that is single factor authenticated, with an OAuth
 11scope containing user_impersonation for a token issued by Entra ID. Adversaries may use this scope to gain unauthorized
 12access to user accounts, particularly when the sign-in session status is unbound, indicating that the session is not
 13associated with a specific device or session. This behavior is indicative of potential account compromise or
 14unauthorized access attempts. This rule flags when this pattern is detected for a user principal that has not been seen
 15in the last 10 days, indicating potential abuse or unusual activity.
 16"""
 17from = "now-9m"
 18index = ["filebeat-*", "logs-azure.signinlogs-*"]
 19language = "kuery"
 20license = "Elastic License v2"
 21name = "Suspicious Entra ID OAuth User Impersonation Scope Detected"
 22note = """## Triage and Analysis
 23
 24### Investigating Suspicious Entra ID OAuth User Impersonation Scope Detected
 25
 26Identifies rare occurrences of OAuth workflow for a user principal that is single factor authenticated, with an OAuth scope containing `user_impersonation`, and a token issuer type of `AzureAD`. This rule is designed to detect suspicious
 27OAuth user impersonation attempts in Microsoft Entra ID, particularly those involving the `user_impersonation` scope, which is often used by adversaries to gain unauthorized access to user accounts. The rule focuses on sign-in events where
 28the sign-in session status is `unbound`, indicating that the session is not associated with a specific device or session, making it more vulnerable to abuse. This behavior is indicative of potential account compromise or
 29unauthorized access attempts, especially when the user type is `Member` and the sign-in outcome is `success`. The rule aims to identify these events to facilitate timely investigation and response to potential security incidents. This is a New Terms rule that flags when this pattern is detected for a user principal that has not been seen in the last 10 days, indicating potential abuse or unusual activity.
 30
 31### Possible investigation steps
 32
 33- Review the `azure.signinlogs.properties.user_principal_name` field to identify the user principal involved in the OAuth workflow.
 34- Check the `azure.signinlogs.properties.authentication_processing_details.Oauth Scope Info` field for the presence of `user_impersonation`. This scope is commonly used in OAuth flows to allow applications to access user resources on behalf of the user.
 35- Confirm that the `azure.signinlogs.properties.authentication_requirement` is set to `singleFactorAuthentication`, indicating that the sign-in did not require multi-factor authentication (MFA). This can be a red flag, as MFA is a critical security control that helps prevent unauthorized access.
 36- Review the `azure.signinlogs.properties.app_display_name` or `azure.signinlogs.properties.app_id` to identify the application involved in the OAuth workflow. Check if this application is known and trusted, or if it appears suspicious or unauthorized. FOCI applications are commonly abused by adversaries to evade security controls or conditional access policies.
 37- Analyze the `azure.signinlogs.properties.client_ip` to determine the source of the sign-in attempt. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
 38- Examine the `azure.signinlogs.properties.resource_display_name` or `azure.signinlogs.properties.resource_id` to identify the resource being accessed during the OAuth workflow. This can help determine if the access was legitimate or if it targeted sensitive resources. It may also help pivot to other related events or activities.
 39- Use the `azure.signinlogs.properties.session_id` or `azure.signinlogs.properties.correlation_id` to correlate this event with other related sign-in events or activities. This can help identify patterns of suspicious behavior or potential account compromise.
 40
 41### False positive analysis
 42
 43- Some legitimate applications may use the `user_impersonation` scope for valid purposes, such as accessing user resources on behalf of the user. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
 44- Users may occasionally authenticate using single-factor authentication for specific applications or scenarios, especially in environments where MFA is not enforced or required. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
 45- Some applications may use the `user_impersonation` scope for legitimate purposes, such as accessing user resources in a controlled manner. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
 46
 47### Response and remediation
 48
 49- Contact the user to validate the OAuth workflow and assess whether they were targeted or tricked by a malicious actor.
 50- If the OAuth workflow is confirmed to be malicious:
 51  - Block the user account and reset the password to prevent further unauthorized access.
 52  - Revoke active sessions and refresh tokens associated with the user principal.
 53  - Review the application involved in the OAuth workflow and determine if it should be blocked or removed from the tenant.
 54  - Investigate the source of the sign-in attempt, including the application and IP address, to determine if there are any additional indicators of compromise or ongoing malicious activity.
 55  - Monitor the user account and related resources for any further suspicious activity or unauthorized access attempts, and take appropriate actions to mitigate any risks identified.
 56- Educate users about the risks associated with OAuth user impersonation and encourage them to use more secure authentication methods, such as OAuth 2.0 or OpenID Connect, whenever possible.
 57"""
 58references = [
 59    "https://github.com/Flangvik/TeamFiltration",
 60    "https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign",
 61]
 62risk_score = 47
 63rule_id = "9563dace-5822-11f0-b1d3-f661ea17fbcd"
 64severity = "medium"
 65tags = [
 66    "Domain: Cloud",
 67    "Domain: Identity",
 68    "Use Case: Threat Detection",
 69    "Data Source: Azure",
 70    "Data Source: Microsoft Entra ID",
 71    "Data Source: Microsoft Entra ID Sign-In Logs",
 72    "Tactic: Defense Evasion",
 73    "Tactic: Initial Access",
 74    "Resources: Investigation Guide",
 75]
 76timestamp_override = "event.ingested"
 77type = "new_terms"
 78
 79query = '''
 80event.dataset: azure.signinlogs and
 81    azure.signinlogs.properties.authentication_processing_details: *user_impersonation* and
 82    azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication" and
 83    azure.signinlogs.properties.token_issuer_type: "AzureAD" and
 84    azure.signinlogs.properties.token_protection_status_details.sign_in_session_status: "unbound" and
 85    azure.signinlogs.properties.user_type: "Member" and
 86    event.outcome: "success"
 87'''
 88
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1550"
 94name = "Use Alternate Authentication Material"
 95reference = "https://attack.mitre.org/techniques/T1550/"
 96[[rule.threat.technique.subtechnique]]
 97id = "T1550.001"
 98name = "Application Access Token"
 99reference = "https://attack.mitre.org/techniques/T1550/001/"
100
101
102
103[rule.threat.tactic]
104id = "TA0005"
105name = "Defense Evasion"
106reference = "https://attack.mitre.org/tactics/TA0005/"
107
108[rule.new_terms]
109field = "new_terms_fields"
110value = ["azure.signinlogs.properties.user_principal_name", "azure.signinlogs.properties.app_id"]
111[[rule.new_terms.history_window_start]]
112field = "history_window_start"
113value = "now-10d"