Skip to content
Threat Feed
medium advisory

Entra ID Sign-in Brute Force Attempt Against Microsoft 365

A high volume of failed Microsoft Entra ID sign-in attempts against Microsoft 365 services within a short time period indicates a potential brute-force attack, which could lead to unauthorized access to Microsoft 365 services.

This detection identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. The detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. The rule specifically monitors sign-in logs for failures against Microsoft 365 resources, excluding specific error codes like 50053, associated with MFA issues, to reduce false positives. This activity is commonly seen in password spraying campaigns, such as those documented targeting M365 users as reported by SecurityScorecard. Successful brute force attempts can give adversaries access to sensitive data and services within the Microsoft 365 environment.

Attack Chain

  1. The attacker identifies valid Microsoft 365 usernames through OSINT or enumeration techniques.
  2. The attacker initiates authentication requests against Microsoft 365 services, such as Exchange Online, SharePoint, or Teams, using the identified usernames.
  3. The attacker attempts multiple sign-in attempts with various password combinations, potentially leveraging password lists or common password patterns.
  4. Microsoft Entra ID logs failed sign-in attempts, capturing details such as the user principal name, source IP address, error codes, and application display name.
  5. The detection rule analyzes the Entra ID sign-in logs, grouping failed attempts by time window and identifying patterns indicative of brute-force attacks, such as a high volume of failures, distinct usernames, or common error codes.
  6. If the attacker guesses a valid password, they successfully authenticate and gain access to the targeted Microsoft 365 service.
  7. The attacker uses compromised credentials to access sensitive data, perform unauthorized actions, or move laterally within the Microsoft 365 environment.

Impact

A successful brute-force attack can lead to unauthorized access to Microsoft 365 services, including email, file storage, and collaboration platforms. The impact can include data breaches, financial losses, reputational damage, and business disruption. The elastic rule's risk score is 47, and the severity is rated as medium, reflecting the potential for significant harm. Organizations can prevent initial access and lateral movement by using modern authentication methods like MFA.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and tune the thresholds (e.g., event counts, time windows) to match your environment's baseline activity and risk tolerance.
  • Investigate alerts generated by the Sigma rules by examining the user_id_list, ip_list, and user_agent.original fields to identify the targeted accounts, source IP addresses, and client applications involved in the brute-force attempts.
  • Review and enforce multi-factor authentication (MFA) policies across your Microsoft 365 environment to mitigate the risk of credential compromise.
  • Enable logging for Entra ID sign-in logs to collect the necessary data for the detection rule to function.
  • Implement account lockout policies to automatically disable accounts after a certain number of failed login attempts.

Detection coverage 2

Entra ID Sign-in Brute Force - Single IP Multiple Users

medium

Detects brute force attacks against multiple Entra ID users from a single IP address, indicative of password spraying.

sigma tactics: credential_access techniques: T1110.003 sources: network_connection, azure

Entra ID Sign-in Brute Force - Single User Multiple IPs

medium

Detects brute force attempts against a single Entra ID user from multiple IP addresses, potentially indicating credential stuffing.

sigma tactics: credential_access techniques: T1110.003 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →