Potential MFA Bypass Using Legacy Client Authentication
Detects successful sign-ins whose user agent string identifies a client that authenticates with legacy protocols. Because legacy authentication does not enforce MFA, such a sign-in could be a sign of MFA bypass following a password spray attack.
Sigma rule

```yaml
title: Potential MFA Bypass Using Legacy Client Authentication
id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
status: test
description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
references:
    - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
    - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-03-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.credential-access
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        userAgent|contains:
            - 'BAV2ROPC'
            - 'CBAinPROD'
            - 'CBAinTAR'
    condition: selection
falsepositives:
    - Known Legacy Accounts
level: high
```
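The following is an added reference implementation of the rule's `selection` and its `falsepositives` handling, run over constructed Azure sign-in events; it is not code from the Sigma project or the rule author. It assumes the Sigma convention that string matching is case-insensitive (adjust if your backend differs), and it assumes a `UserPrincipalName` field for the allowlist of known legacy accounts, which the rule itself does not reference.

```python
"""Evaluate the 'Potential MFA Bypass Using Legacy Client Authentication'
selection against Azure sign-in log events (added example; sample events
below are constructed, not real logs)."""

# User-agent markers copied from the rule's userAgent|contains list.
LEGACY_UA_MARKERS = ("BAV2ROPC", "CBAinPROD", "CBAinTAR")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Both conditions must hold: Status equals 'Success' and userAgent contains
    one of the legacy markers. Comparison is lower-cased on both sides,
    following the Sigma specification's case-insensitive string matching.
    """
    status = str(event.get("Status", "")).lower()
    user_agent = str(event.get("userAgent", "")).lower()
    if status != "success":
        return False
    return any(marker.lower() in user_agent for marker in LEGACY_UA_MARKERS)


def triage(events: list[dict], known_legacy_accounts: frozenset[str] = frozenset()) -> list[dict]:
    """Apply the rule, then suppress accounts listed as known legacy accounts
    (the rule's documented false positive). Returns the alerts that still
    warrant review, each annotated with the marker that fired.

    Assumption: the event carries a UserPrincipalName field (as Azure sign-in
    logs do); the rule itself only inspects Status and userAgent.
    """
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        upn = str(event.get("UserPrincipalName", "")).lower()
        if upn in known_legacy_accounts:
            continue
        ua_lower = event["userAgent"].lower()
        marker = next(m for m in LEGACY_UA_MARKERS if m.lower() in ua_lower)
        alerts.append({"user": upn, "ip": event.get("IPAddress"), "marker": marker})
    return alerts


# Constructed sample events using the field names the rule relies on.
SAMPLE_EVENTS = [
    # Successful legacy-auth sign-in: should alert.
    {"Status": "Success", "UserPrincipalName": "alice@example.com",
     "IPAddress": "198.51.100.23", "userAgent": "BAV2ROPC"},
    # Same client but a failed attempt: the rule only fires on success.
    {"Status": "Failure", "UserPrincipalName": "bob@example.com",
     "IPAddress": "198.51.100.23", "userAgent": "BAV2ROPC"},
    # Modern browser sign-in: no legacy marker, no alert.
    {"Status": "Success", "UserPrincipalName": "carol@example.com",
     "IPAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    # Mixed case to show case-insensitive matching; a documented legacy service account.
    {"Status": "success", "UserPrincipalName": "svc-scanner@example.com",
     "IPAddress": "192.0.2.10", "userAgent": "cbainprod"},
]

if __name__ == "__main__":
    allowlist = frozenset({"svc-scanner@example.com"})
    for alert in triage(SAMPLE_EVENTS, known_legacy_accounts=allowlist):
        print(alert)
```

Running the block prints only the alert for `alice@example.com`: the failed attempt and the browser sign-in do not match, and the service account is suppressed by the allowlist. Without an allowlist, the `cbainprod` event is also reported, which is the behaviour the rule's `falsepositives` entry is warning about.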
Related rules
- Bitbucket User Login Failure
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Sign-in Failure Due to Conditional Access Requirements Not Met