Microsoft Entra ID Suspicious Session Reuse to Graph Access
Aug 29, 2025 · Domain: Cloud · Domain: Identity · Domain: API · Data Source: Azure · Data Source: Microsoft Entra ID · Data Source: Microsoft Entra ID Sign-In Logs · Data Source: Microsoft Graph · Data Source: Microsoft Graph Activity Logs · Use Case: Identity and Access Audit · Use Case: Threat Detection · Resources: Investigation Guide · Tactic: Defense Evasion · Tactic: Initial Access

Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location.