Entra ID Concurrent Sign-in with Suspicious Properties
This rule identifies concurrent Azure sign-in events for the same user from multiple sources, where at least one authentication event exhibits suspicious properties associated with DeviceCode and OAuth phishing, potentially indicating refresh token theft.
This detection identifies suspicious concurrent sign-in activity within an Azure Entra ID environment. Specifically, it focuses on scenarios where the same user account initiates sign-in events from multiple source IP addresses within a short timeframe (60 minutes). The rule further refines this detection by flagging instances where at least one of these concurrent sign-in attempts exhibits characteristics associated with Device Code authentication or access to Microsoft Graph via Visual Studio Code, both of which can be exploited in OAuth phishing attacks to steal refresh tokens. This technique allows attackers to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. The rule leverages Azure sign-in logs and requires the Azure logs integration to be enabled and configured to collect all logs, including sign-in logs from Entra.
Attack Chain
- Initial Access: The attacker initiates a phishing campaign targeting users with access to Azure resources (T1566.002). The phishing email contains a link that directs the user to a malicious OAuth application consent page.
- Credential Access: The user, believing the consent page is legitimate, grants the malicious application access to their account (T1528). The attacker obtains a refresh token upon successful consent.
- Defense Evasion: The attacker uses the stolen refresh token to authenticate to Azure services, bypassing MFA if the token has not been revoked (T1550.001).
- Valid Accounts: The attacker leverages the valid user account and stolen refresh token to access cloud resources (T1078.004).
- Use Alternate Authentication Material: The attacker uses the refresh token to request access tokens for various Azure services without needing to re-authenticate or trigger MFA (T1550.001).
- Persistence: The attacker maintains persistent access to the Azure environment as long as the refresh token remains valid and is not revoked by the legitimate user or Azure administrator.
- Privilege Escalation (Potential): Depending on the permissions associated with the compromised account, the attacker may attempt to escalate privileges within the Azure environment.
- Impact: The attacker gains unauthorized access to sensitive data, applications, or infrastructure within the Azure environment, potentially leading to data exfiltration, service disruption, or financial loss.
Impact
Successful exploitation can lead to unauthorized access to sensitive cloud resources, potentially affecting any organization leveraging Azure Entra ID for identity and access management. The number of victims depends on the scope of the phishing campaign and the level of access granted to compromised accounts. This attack can result in data breaches, financial losses, and reputational damage. The primary targets are organizations that rely heavily on Azure services and have not implemented adequate security measures to prevent OAuth phishing attacks or detect refresh token theft.
Recommendation
- Deploy the provided Sigma rule
Entra ID Concurrent Sign-in with Suspicious Propertiesto your SIEM to detect potential refresh token theft attempts (seerulessection). - Review and harden Conditional Access policies to restrict access to trusted locations or devices only, mitigating the risk of future PRT abuse, as mentioned in the references and triage notes.
- Configure alerts for unusual sign-in patterns or device code authentication attempts from unexpected locations or devices, improving early detection of similar threats, referencing the triage notes.
- Ensure the Azure logs integration is enabled and configured to collect all logs, including sign-in logs from Entra, as outlined in the
setupsection. - Investigate any alerts generated by the Sigma rule by reviewing the sign-in logs, assessing the context and reputation of the source.ip address, and checking for any recent changes or anomalies in the user's account settings or permissions.
Detection coverage 2
Entra ID Concurrent Sign-in with Suspicious Properties
highDetects concurrent Azure sign-in events with suspicious properties indicative of OAuth phishing or device code abuse.
Entra ID Sign-in from Multiple IPs
mediumDetects sign-in events from multiple distinct IP addresses for the same user account within a short period, potentially indicating account compromise.
Detection queries are available on the platform. Get full rules →