Entra ID OAuth User Impersonation Scope for Unusual User and Client
Adversaries may abuse the user_impersonation OAuth scope in Entra ID to gain unauthorized access to user accounts, especially when combined with single-factor authentication and unbound sign-in sessions, potentially indicating account compromise for users not seen in the last 10 days.
This detection rule identifies rare occurrences of OAuth workflows in Entra ID where a user principal utilizes single-factor authentication with the 'user_impersonation' OAuth scope. Attackers can exploit this scope to access user accounts without proper authorization, particularly when the sign-in session is unbound, meaning it lacks association with a specific device. The rule focuses on sign-in events where the sign-in session status is unbound, the user type is 'Member', and the sign-in outcome is a success. The rule flags when this pattern is detected for a user principal that has not been seen in the last 10 days, indicating potential abuse or unusual activity. This activity is tracked via Azure Sign-in logs.
Attack Chain
- An attacker compromises a user account or obtains credentials.
- The attacker registers or compromises an application within Entra ID, or uses a FOCI application.
- The attacker initiates an OAuth workflow requesting the
user_impersonationscope. - The user authenticates using single-factor authentication.
- The Entra ID issues an access token with the requested scope for a session marked as 'unbound'.
- The attacker uses the access token to impersonate the user.
- The attacker gains unauthorized access to resources and data normally accessible by the user.
- The attacker performs actions such as reading email, accessing files, or modifying configurations within the Entra ID environment.
Impact
Successful exploitation can lead to unauthorized access to sensitive user data, privilege escalation, and lateral movement within the Entra ID environment. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the permissions granted to the compromised user account and the resources accessible with the 'user_impersonation' scope. Organizations may experience significant disruptions to their cloud services and productivity if user accounts are compromised.
Recommendation
- Deploy the Sigma rule "Entra ID OAuth User Impersonation Scope for Unusual User and Client" to your SIEM and tune for your environment to detect potential account compromise (rules section).
- Investigate any alerts generated by the Sigma rule, focusing on unusual user principals and application combinations.
- Review Azure Sign-in logs for authentication events matching the criteria described in the overview.
- Enforce multi-factor authentication (MFA) for all users to mitigate the risk of single-factor authentication abuse.
- Monitor the app_id values in the query section and add your own exclusions as false positives are discovered (rules section).
- Implement conditional access policies to restrict access based on device compliance, location, and other factors.
- Educate users about the risks associated with OAuth user impersonation and the importance of strong authentication practices.
Detection coverage 2
Entra ID OAuth User Impersonation Scope for Unusual User and Client
mediumDetects OAuth workflow for a user principal that is single factor authenticated, with an OAuth scope containing user_impersonation and unbound sign-in session.
Entra ID Single Factor Auth with Unusual Application
lowDetects when single factor authentication is used with an unusual application
Detection queries are available on the platform. Get full rules →