Azure Login Bypassing Conditional Access Policies

Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.

Sigma rule

title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
    Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
    - https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
    - attack.defense-evasion
    - attack.t1078
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation: 'UserLoggedIn'
        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
        ResultStatus: 'Success'
        RequestType: 'Cmsi:Cmsi'
    filter_main_objectid:
        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
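
The rule's condition applied to constructed audit records, as an added example that is not part of the rule or its authors' code: a small Python evaluator for `selection and not 1 of filter_main_*`. The record layout (RequestType carried in an ExtendedProperties Name/Value list), the helper names and all sample values are assumptions made for illustration.

```python
# Added example: the rule's selection/filter logic applied to constructed records.
SELECTION = {
    "Operation": "UserLoggedIn",
    "ApplicationId": "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223",
    "ResultStatus": "Success",
    "RequestType": "Cmsi:Cmsi",
}
# filter_main_*: Microsoft Intune ObjectId seen when mobile devices are enrolled
FILTERS = [{"ObjectId": "0000000a-0000-0000-c000-000000000000"}]

def field_value(record, name):
    """Top-level field first, then ExtendedProperties (assumed Name/Value layout)."""
    if name in record:
        return record[name]
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None

def matches(record, block):
    """Every field must match; Sigma compares strings case-insensitively by default."""
    for name, expected in block.items():
        actual = field_value(record, name)
        if actual is None or str(actual).lower() != expected.lower():
            return False
    return True

def rule_fires(record):
    # condition: selection and not 1 of filter_main_*
    return matches(record, SELECTION) and not any(matches(record, f) for f in FILTERS)

def make_event(event_id, object_id, status="Success", request_type="Cmsi:Cmsi"):
    """Constructed audit record; every value is sample data."""
    return {"Id": event_id, "Operation": "UserLoggedIn", "ResultStatus": status,
            "ApplicationId": SELECTION["ApplicationId"], "ObjectId": object_id,
            "ExtendedProperties": [{"Name": "RequestType", "Value": request_type}]}

OTHER = "11111111-2222-3333-4444-555555555555"  # placeholder resource id (constructed)
CONSTRUCTED_EVENTS = [
    make_event("evt-1", OTHER),                                   # should alert
    make_event("evt-2", "0000000A-0000-0000-C000-000000000000"),  # enrollment, filtered
    make_event("evt-3", OTHER, status="Failed"),                  # login did not succeed
    make_event("evt-4", OTHER, request_type="OAuth2:Authorize"),  # different request type
]

def alerts(events):
    return [e["Id"] for e in events if rule_fires(e)]

print(alerts(CONSTRUCTED_EVENTS))
```

A record that lacks any of the selection fields does not match, so a log pipeline that drops RequestType silently disables the rule; confirm the field is present in ingested events before relying on it.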
