Entra ID User Sign-in with Unusual Client Application
Adversaries with stolen credentials or OAuth tokens may abuse Entra ID-managed or first-party client IDs to perform on-behalf-of (OBO) authentication, blending into legitimate cloud traffic and evading detection by using a rare application ID for principal authentication.
This detection identifies rare non-interactive sign-ins where an Entra ID client application authenticates on behalf of a principal user using an application (client) ID that is not commonly associated with that user’s historical sign-in behavior. The technique is commonly observed in OAuth phishing, token theft, and access broker operations, and may precede lateral movement, persistence, or data access via Microsoft Graph or other cloud resources. Attackers with compromised credentials or OAuth tokens may exploit Entra ID managed or first-party client IDs to perform on-behalf-of (OBO) authentication, effectively camouflaging within legitimate cloud traffic and bypassing conventional interactive sign-in procedures. The rule uses a New Terms approach to identify first-seen combinations of the UPN and Client ID within a defined history window, helping surface unexpected client usage that may indicate compromised identities, malicious automation, or unauthorized application impersonation.
Attack Chain
- An attacker gains initial access through credential theft or OAuth token compromise (T1528).
- The attacker attempts to authenticate to Entra ID using the stolen credentials or token (T1078).
- The attacker uses a non-interactive sign-in method to bypass multi-factor authentication (MFA).
- The attacker leverages an Entra ID-managed or first-party client application ID for on-behalf-of (OBO) authentication (T1550.001).
- The attacker leverages an unusual client application ID that is not commonly associated with the user's sign-in history.
- Upon successful authentication, the attacker attempts to access cloud resources via Microsoft Graph or other cloud services.
- The attacker performs lateral movement, persistence, or data access activities.
- The attacker achieves their objective, such as data exfiltration or system compromise.
Impact
A successful attack can lead to unauthorized access to sensitive data, lateral movement within the cloud environment, and potential compromise of the entire organization. By bypassing MFA and blending into legitimate traffic, attackers can remain undetected for extended periods, increasing the potential for significant damage. The rule aims to detect the initial stages of such attacks, allowing for timely intervention and mitigation.
Recommendation
- Deploy the Sigma rule "Entra ID User Sign-in with Unusual Client" to your SIEM and tune for your environment to detect the initial access attempts leveraging unusual client applications.
- Investigate any alerts generated by the Sigma rule "Entra ID User Sign-in with Unusual Client" to determine the scope and impact of the potential compromise.
- Review the authentication logs in
azure.signinlogsfor any unusual sign-in activity, especially focusing on non-interactive sign-ins with unfamiliar application IDs. - Enable multi-factor authentication (MFA) for all user accounts to mitigate credential-based attacks.
- Review Conditional Access policies to ensure they are correctly configured to block unauthorized access attempts recorded in
azure.signinlogs.properties.authentication_requirement. - Restrict the use of legacy authentication protocols by disabling authentication methods listed in
azure.signinlogs.properties.client_app_used.
Detection coverage 2
Entra ID User Sign-in with Unusual Client
mediumDetects rare non-interactive sign-ins with a client application ID that is not commonly associated with the user.
Entra ID Non-Interactive Sign-in from Unfamiliar Country
lowDetects non-interactive sign-ins to Entra ID from countries not usually associated with the user.
Detection queries are available on the platform. Get full rules →