Potential MFA Bypass Using Legacy Client Authentication
Detects successful sign-ins from clients whose user agent string indicates legacy authentication. Because such clients cannot complete an MFA challenge, a successful legacy sign-in can be a sign of MFA bypass following a password spray attack.
Sigma rule

```yaml
title: Potential MFA Bypass Using Legacy Client Authentication
id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
status: test
description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
references:
    - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
    - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-03-20
tags:
    - attack.initial-access
    - attack.credential-access
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        userAgent|contains:
            - 'BAV2ROPC'
            - 'CBAinPROD'
            - 'CBAinTAR'
    condition: selection
falsepositives:
    - Known Legacy Accounts
level: high
```
Related rules
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Sign-in Failure Due to Conditional Access Requirements Not Met
- Successful Authentications From Countries You Do Not Operate Out Of