M365 Identity Unusual SSO Authentication Errors for User

Identifies the first occurrence of SSO, SAML, or federated authentication errors for a user. These errors may indicate token manipulation, SAML assertion tampering, or OAuth phishing attempts. Modern adversaries often target SSO mechanisms through token theft, SAML response manipulation, or exploiting federated authentication weaknesses rather than traditional brute force attacks.

Elastic rule

```toml
[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
updated_date = "2026/02/04"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the first occurrence of SSO, SAML, or federated authentication errors for a user. These errors may indicate
token manipulation, SAML assertion tampering, or OAuth phishing attempts. Modern adversaries often target SSO mechanisms
through token theft, SAML response manipulation, or exploiting federated authentication weaknesses rather than
traditional brute force attacks.
"""
false_positives = [
    """
    Initial SSO configuration issues or first-time federation setup errors for legitimate users may trigger this
    detection. Temporary federation service outages affecting multiple users simultaneously.
    """,
]
from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Identity Unusual SSO Authentication Errors for User"
note = """## Triage and analysis

### Investigating M365 Identity Unusual SSO Authentication Errors for User

SSO, SAML, and federated authentication mechanisms are critical infrastructure for modern identity access. Adversaries increasingly
target these systems through token manipulation, SAML response tampering, OAuth phishing, and exploitation of federated trust
relationships rather than traditional credential brute forcing. This detection identifies when a user experiences SSO-related
authentication errors that are unusual for their typical behavior, which may indicate an attacker attempting to abuse stolen tokens or manipulate
authentication flows.

### Possible investigation steps

- Review the specific error code(s) in the `o365.audit.ErrorNumber` field to understand the nature of the authentication failure
  (e.g., token signature failure, SAML assertion tampering, cross-tenant token misuse). Reference Microsoft's AADSTS error codes
  at https://login.microsoftonline.com/error?code=<ErrorNumber> for detailed descriptions.
- Examine the source IP address and geolocation of the authentication attempt - compare against the user's typical login patterns.
- Check for concurrent authentication activity from the same user - multiple SSO errors alongside successful logins may indicate
  token replay or session hijacking attempts.
- Investigate recent OAuth application consent activity for this user - OAuth phishing campaigns often precede SSO manipulation attempts.
- Review the target application or service principal being accessed during the failed authentication to identify potential attacker objectives.
- Analyze the user's recent mailbox activity, particularly for phishing emails with OAuth consent links or suspicious authentication requests.
- Check for any recent changes to the user's federation settings, registered devices, or authentication methods.
- Correlate with Entra ID risky sign-in detections and risky user alerts for the same account.

### False positive analysis

- First-time SSO setup: Users configuring SSO access to a new federated application may encounter initial authentication errors.
  Validate whether the errors occurred during expected onboarding windows.
- Federation service outages: Widespread SSO errors affecting multiple users simultaneously often indicate infrastructure issues
  rather than targeted attacks. Check for service health incidents in the same timeframe.
- Certificate rotation: Federated authentication certificate renewals can temporarily cause signature validation errors. Verify
  if the errors align with planned certificate maintenance.
- Legitimate cross-tenant access: Users with business relationships across multiple tenants may encounter cross-tenant policy
  errors during authorized access attempts.

### Response and remediation

- If token manipulation or SAML tampering is suspected, immediately revoke all active sessions and refresh tokens for the affected user.
- Review and audit all OAuth application consents granted by the user - remove any suspicious or unrecognized applications.
- Enable Conditional Access policies requiring compliant devices and MFA for SSO authentication if not already enforced.
- If cross-tenant token misuse is detected, review and restrict external collaboration settings and cross-tenant access policies.
- For SAML assertion or signature errors, validate the integrity of federation trust certificates and metadata.
- Investigate whether the user's credentials have been compromised - enforce password reset if credential theft is suspected.
- Review Entra ID audit logs for unusual application registrations, service principal modifications, or federation setting changes.
- Escalate to the security operations team if evidence suggests active token theft, SAML Golden Ticket techniques, or OAuth phishing campaigns."""
references = [
    "https://techcommunity.microsoft.com/blog/microsoft-entra-blog/understanding-and-mitigating-golden-saml-attacks/4418864",
    "https://www.semperis.com/blog/meet-silver-saml/"
]
risk_score = 47
rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
severity = "medium"
tags = [
    "Domain: Identity",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:o365.audit
    and event.provider:AzureActiveDirectory
    and event.category:authentication
    and o365.audit.ErrorNumber:(
        20001 or 20012 or 20033 or 40008 or 40009 or 40015 or
        50006 or 50008 or 50012 or 50013 or 50027 or 50048 or
        50099 or 50132 or 75005 or 75008 or 75011 or 75016 or
        81004 or 81009 or 81010 or 399284 or 500212 or 500213 or
        700005 or 5000819
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "o365.audit.ErrorNumber"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
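The rule combines a KQL filter with a `new_terms` evaluation over the (`o365.audit.UserId`, `o365.audit.ErrorNumber`) pair and a 10-day history window. The following is an added Python sketch (not Elastic's code) that emulates that logic over constructed o365.audit events, so an analyst can see which events alert and why; the flattened field names, the `_ev` helper and the sample users are assumptions for illustration, and the error codes and window are copied from the rule.

```python
from datetime import datetime, timedelta

# Error codes copied from the rule's query; window from rule.new_terms.history_window_start.
SSO_ERRORS = {20001, 20012, 20033, 40008, 40009, 40015, 50006, 50008, 50012, 50013,
              50027, 50048, 50099, 50132, 75005, 75008, 75011, 75016, 81004, 81009,
              81010, 399284, 500212, 500213, 700005, 5000819}
HISTORY_WINDOW = timedelta(days=10)

def matches_query(ev):
    """Mirror the rule's KQL filter on a flattened event dict (assumed field layout)."""
    return (ev.get("event.dataset") == "o365.audit"
            and ev.get("event.provider") == "AzureActiveDirectory"
            and "authentication" in ev.get("event.category", ())
            and ev.get("o365.audit.ErrorNumber") in SSO_ERRORS)

def new_terms_alerts(events, window=HISTORY_WINDOW):
    """Emulate type = "new_terms" over (UserId, ErrorNumber): a matching event alerts
    when that pair has not been seen within the preceding `window`."""
    last_seen = {}   # (user, error) -> timestamp of the most recent matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = (ev["o365.audit.UserId"], ev["o365.audit.ErrorNumber"])
        prev = last_seen.get(key)
        if prev is None or ev["@timestamp"] - prev > window:
            alerts.append((ev["@timestamp"], *key))
        last_seen[key] = ev["@timestamp"]
    return alerts

def error_lookup_url(error_number):
    """Lookup URL from the investigation guide for decoding an AADSTS code."""
    return f"https://login.microsoftonline.com/error?code={error_number}"

def _ev(day, user, code, provider="AzureActiveDirectory"):
    # Helper to build a constructed o365.audit event (sample data, not a real tenant).
    return {"@timestamp": datetime(2026, 1, 1) + timedelta(days=day),
            "event.dataset": "o365.audit", "event.provider": provider,
            "event.category": ["authentication"],
            "o365.audit.UserId": user, "o365.audit.ErrorNumber": code}

SAMPLE_EVENTS = [
    _ev(1, "alice@example.com", 50006),   # first SSO error for alice -> alert
    _ev(3, "alice@example.com", 50006),   # same pair within 10 days -> no alert
    _ev(3, "alice@example.com", 50132),   # different error for alice -> alert
    _ev(3, "bob@example.com", 50006),     # same error, different user -> alert
    _ev(4, "bob@example.com", 0),         # success, not in the SSO error set -> ignored
    _ev(5, "carol@example.com", 50006, provider="Exchange"),  # wrong provider -> ignored
    _ev(20, "alice@example.com", 50006),  # pair aged out of the 10-day window -> alert
]
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields four alerts; the day-20 event fires again because the pair's last occurrence fell outside the window, which is the behaviour to expect when a user's recurring error resurfaces after a quiet period.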

Triage and analysis

Investigating M365 Identity Unusual SSO Authentication Errors for User

SSO, SAML, and federated authentication mechanisms are critical infrastructure for modern identity access. Adversaries increasingly target these systems through token manipulation, SAML response tampering, OAuth phishing, and exploitation of federated trust relationships rather than traditional credential brute forcing. This detection identifies when a user experiences SSO-related authentication errors that are unusual for their typical behavior, which may indicate an attacker attempting to abuse stolen tokens or manipulate authentication flows.

Possible investigation steps

  • Review the specific error code(s) in the o365.audit.ErrorNumber field to understand the nature of the authentication failure (e.g., token signature failure, SAML assertion tampering, cross-tenant token misuse). Reference Microsoft's AADSTS error codes at https://login.microsoftonline.com/error?code=<ErrorNumber> for detailed descriptions.
  • Examine the source IP address and geolocation of the authentication attempt - compare against the user's typical login patterns.
  • Check for concurrent authentication activity from the same user - multiple SSO errors alongside successful logins may indicate token replay or session hijacking attempts.
  • Investigate recent OAuth application consent activity for this user - OAuth phishing campaigns often precede SSO manipulation attempts.
  • Review the target application or service principal being accessed during the failed authentication to identify potential attacker objectives.
  • Analyze the user's recent mailbox activity, particularly for phishing emails with OAuth consent links or suspicious authentication requests.
  • Check for any recent changes to the user's federation settings, registered devices, or authentication methods.
  • Correlate with Entra ID risky sign-in detections and risky user alerts for the same account.

False positive analysis

  • First-time SSO setup: Users configuring SSO access to a new federated application may encounter initial authentication errors. Validate whether the errors occurred during expected onboarding windows.
  • Federation service outages: Widespread SSO errors affecting multiple users simultaneously often indicate infrastructure issues rather than targeted attacks. Check for service health incidents in the same timeframe.
  • Certificate rotation: Federated authentication certificate renewals can temporarily cause signature validation errors. Verify if the errors align with planned certificate maintenance.
  • Legitimate cross-tenant access: Users with business relationships across multiple tenants may encounter cross-tenant policy errors during authorized access attempts.

Response and remediation

  • If token manipulation or SAML tampering is suspected, immediately revoke all active sessions and refresh tokens for the affected user.
  • Review and audit all OAuth application consents granted by the user - remove any suspicious or unrecognized applications.
  • Enable Conditional Access policies requiring compliant devices and MFA for SSO authentication if not already enforced.
  • If cross-tenant token misuse is detected, review and restrict external collaboration settings and cross-tenant access policies.
  • For SAML assertion or signature errors, validate the integrity of federation trust certificates and metadata.
  • Investigate whether the user's credentials have been compromised - enforce password reset if credential theft is suspected.
  • Review Entra ID audit logs for unusual application registrations, service principal modifications, or federation setting changes.
  • Escalate to the security operations team if evidence suggests active token theft, SAML Golden Ticket techniques, or OAuth phishing campaigns.
