Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
Sigma rule (View on GitHub)
1title: Azure Login Bypassing Conditional Access Policies
2id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
3status: experimental
4description: |
5 Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
6author: Josh Nickels, Marius Rothenbücher
7references:
8 - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
9 - https://github.com/JumpsecLabs/TokenSmith
10date: 2025-01-08
11tags:
12 - attack.defense-evasion
13 - attack.t1078
14logsource:
15 service: audit
16 product: m365
17detection:
18 selection:
19 Operation: 'UserLoggedIn'
20 ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
21 ResultStatus: 'Success'
22 RequestType: 'Cmsi:Cmsi'
23 filter_main_bjectid:
24 ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow