Data Source: Entra ID Sign-in

Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

Jun 10, 2025 · Domain: Cloud Domain: SaaS Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.

Potential Microsoft 365 Brute Force via Entra ID Sign-Ins

May 28, 2025 · Domain: Cloud Domain: SaaS Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as Exchange Online, SharePoint, or Teams.

Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties

May 6, 2025 · Domain: Cloud Domain: SaaS Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies concurrent azure signin events for the same user and from multiple sources, and where one of the authentication event has some suspicious properties often associated to DeviceCode and OAuth phishing. Adversaries may steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources.

Azure Entra ID Password Spraying (Non-Interactive SFA)

Mar 20, 2025 · Domain: Cloud Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means.

Azure Entra MFA TOTP Brute Force Attempts

Mar 20, 2025 · Domain: Cloud Domain: SaaS Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Credential Access Resources: Investigation Guide ·

Share on:

Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short time-span. Adversaries with valid credentials, when attempting to login to Azure portal or other Azure services, may be prompted to provide a TOTP code as part of the MFA process. If successful, adversaries can bypass MFA and gain unauthorized access to Azure resources.

Azure Entra ID Rare App ID for Principal Authentication

Mar 11, 2025 · Domain: Cloud Data Source: Azure Data Source: Entra ID Data Source: Entra ID Sign-in Use Case: Identity and Access Audit Use Case: Threat Detection Tactic: Initial Access Resources: Investigation Guide ·

Share on:

Identifies rare Azure Entra ID apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity.