Azure Login Bypassing Conditional Access Policies

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.initial-access attack.defense-evasion attack.t1078  ·
Share on: linkedin copy

Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.

Sigma rule (View on GitHub)

 1title: Azure Login Bypassing Conditional Access Policies
 2id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
 3status: experimental
 4description: |
 5        Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
 6author: Josh Nickels, Marius Rothenbücher
 7references:
 8    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
 9    - https://github.com/JumpsecLabs/TokenSmith
10date: 2025-01-08
11tags:
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.initial-access
15    - attack.defense-evasion
16    - attack.t1078
17logsource:
18    service: audit
19    product: m365
20detection:
21    selection:
22        Operation: 'UserLoggedIn'
23        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
24        ResultStatus: 'Success'
25        RequestType: 'Cmsi:Cmsi'
26    filter_main_bjectid:
27        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
28    condition: selection and not 1 of filter_main_*
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top