Threat Feed
high advisory

Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a non-standard user agent, inconsistent with common browser, mobile, or Windows platforms, potentially indicating adversary-in-the-middle or OAuth phishing attacks.

This detection rule identifies potentially malicious sign-in activity within Microsoft Entra ID. It focuses on sign-ins where the client application is the Microsoft Authentication Broker but the user agent is not one that a browser, mobile, or Windows platform client would present. In adversary-in-the-middle (AitM) and OAuth phishing attacks the sign-in is performed by the attacker's own infrastructure, so the user agent reflects the attacker's tooling (Node.js, Python, or a generic HTTP library) rather than the victim's device. Because the resulting tokens are issued to a trusted first-party client, the attacker can reach first-party resources through the broker. Successful exploitation lets the attacker steal session material or gain unauthorized access to cloud resources, so this activity warrants immediate investigation to prevent further compromise.

Attack Chain

  1. The attacker sets up an OAuth phishing attack targeting Microsoft 365 users, as outlined in Volexity’s research.
  2. A user clicks on a malicious link, initiating an authentication flow through the attacker’s infrastructure.
  3. The attacker intercepts the authentication request and relays it to Entra ID, requesting tokens on behalf of the legitimate Microsoft Authentication Broker client application.
  4. Because the attacker’s tooling makes the request, the user-agent string is non-standard, for example one generated by a Python script or a Node.js application.
  5. Entra ID completes the sign-in for the Microsoft Authentication Broker client; the user agent is recorded in the sign-in log but is not validated, so the unusual value does not block the request.
  6. The attacker steals the web session cookie (T1539) or obtains a primary refresh token (PRT).
  7. The attacker uses the stolen session material or PRT to access protected resources within the target’s Entra ID environment.
  8. The attacker performs actions such as reading email, accessing files, or compromising other cloud services.

Impact

Compromised credentials can lead to unauthorized access to sensitive data and resources within Microsoft Entra ID. Attackers can gain access to email, files, and other cloud services, potentially resulting in data theft, financial loss, or reputational damage. Because the sign-in is attributed to a trusted first-party client, controls that key on application identity rather than on client characteristics such as the user agent can overlook it, allowing attackers to remain undetected for extended periods. This type of attack can affect organizations of any size that rely on Microsoft Entra ID for identity and access management.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect Entra ID sign-in activity with non-standard user agents and tune for your environment.
  • Investigate alerts generated by the Sigma rule, focusing on azure.signinlogs.properties.user_principal_name, user_agent.original, and source.ip.
  • Baseline approved service principals, managed identities, and developer tooling to reduce false positives (see false_positives in rule definition).
  • Revoke refresh tokens for compromised user accounts and reset credentials per policy (see Triage and analysis section).
  • Implement Conditional Access policies that require compliant or Entra-joined devices and restrict sign-ins by location and device platform; Conditional Access cannot match on the raw user-agent string itself, so user-agent anomalies remain a detection signal rather than a preventive control.
  • Monitor device registration audit events for newly registered devices associated with suspicious sign-ins (see Triage and analysis section).
  • Correlate azure.signinlogs.properties.session_id with other sign-ins, device registration audit events, or Graph activity in the same time window (see Triage and analysis section).
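To show the detection and the session correlation described above in working form, the following Python is an added example written for this page; it is not the platform's Sigma rule or any vendor code. It assumes flattened ECS-style field names (the azure.signinlogs.properties.app_display_name key is assumed alongside the user_principal_name, session_id, user_agent.original and source.ip fields the advisory cites), an allowlist of platform user-agent shapes that you would tune per tenant, and constructed sample sign-in events.

```python
import re
from datetime import datetime, timedelta, timezone

# Field keys in the ECS-style form the advisory cites. The app_display_name key
# is an assumption for this example; every sample value below is constructed.
F_APP = "azure.signinlogs.properties.app_display_name"
F_UPN = "azure.signinlogs.properties.user_principal_name"
F_SESSION = "azure.signinlogs.properties.session_id"
F_UA = "user_agent.original"
F_IP = "source.ip"
BROKER_APP = "Microsoft Authentication Broker"

# Allowlist of user-agent shapes that browser, mobile and Windows platform
# clients present. Anything else is treated as non-standard. The native-client
# patterns are assumptions to be tuned against your own baseline.
PLATFORM_UA_PATTERNS = [
    re.compile(r"^Mozilla/5\.0 \((Windows NT|Macintosh|iPhone|iPad|Linux; Android|X11; Linux)"),
    re.compile(r"^Windows-AzureAD-Authentication-Provider/"),  # assumed Windows broker UA
    re.compile(r"^Dalvik/"),                                   # Android HTTP stack
    re.compile(r"CFNetwork/"),                                 # iOS/macOS HTTP stack
]


def is_platform_user_agent(ua: str) -> bool:
    """True when the user agent matches a known browser/mobile/Windows shape."""
    return any(p.search(ua) for p in PLATFORM_UA_PATTERNS)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_broker_nonstandard_ua(events):
    """Alert on broker sign-ins whose user agent is outside the platform allowlist."""
    alerts = []
    for ev in events:
        if ev.get(F_APP) != BROKER_APP:
            continue  # rule is scoped to the broker client only
        ua = ev.get(F_UA, "")
        if is_platform_user_agent(ua):
            continue
        alerts.append({"upn": ev[F_UPN], "user_agent": ua, "source_ip": ev[F_IP],
                       "session_id": ev.get(F_SESSION), "timestamp": ev["@timestamp"]})
    return alerts


def correlate_session(events, alert, window=timedelta(minutes=30)):
    """Other events sharing the alert's session_id within +/- window (triage step)."""
    anchor = parse_ts(alert["timestamp"])
    related = []
    for ev in events:
        if ev.get(F_SESSION) != alert["session_id"]:
            continue
        if ev["@timestamp"] == alert["timestamp"] and ev.get(F_UA) == alert["user_agent"]:
            continue  # skip the alerting event itself
        if abs(parse_ts(ev["@timestamp"]) - anchor) <= window:
            related.append(ev)
    return related


def _ev(ts, app, upn, session, ua, ip):
    return {"@timestamp": ts, F_APP: app, F_UPN: upn, F_SESSION: session, F_UA: ua, F_IP: ip}


CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
SAFARI_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1")

# Constructed sample sign-in events (not real tenant data).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", BROKER_APP, "alice@example.com", "sess-a", CHROME_WIN, "203.0.113.10"),
    _ev("2024-05-01T09:05:00Z", BROKER_APP, "bob@example.com", "sess-b", "python-requests/2.31.0", "198.51.100.7"),
    _ev("2024-05-01T09:09:00Z", "Microsoft Graph", "bob@example.com", "sess-b", "python-requests/2.31.0", "198.51.100.7"),
    _ev("2024-05-01T09:30:00Z", BROKER_APP, "carol@example.com", "sess-c", SAFARI_IOS, "203.0.113.22"),
    _ev("2024-05-01T10:00:00Z", BROKER_APP, "dave@example.com", "sess-d", "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)", "198.51.100.9"),
    _ev("2024-05-01T10:15:00Z", "Office 365 Exchange Online", "erin@example.com", "sess-e", "python-requests/2.31.0", "203.0.113.30"),
]

if __name__ == "__main__":
    for alert in detect_broker_nonstandard_ua(SAMPLE_EVENTS):
        print("ALERT", alert["upn"], alert["source_ip"], alert["user_agent"])
        for ev in correlate_session(SAMPLE_EVENTS, alert):
            print("   related:", ev["@timestamp"], ev[F_APP], ev[F_UA])
```

Note that erin's python-requests sign-in does not alert because the rule is scoped to the broker client; a separate, broader non-browser rule would be needed to catch scripted sign-ins to other first-party apps. Bob's alert correlates to a follow-on Graph access in the same session, which is the pattern the triage guidance asks you to look for.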

Detection coverage (2 rules)

Detect Entra ID Sign-In with Non-Standard User Agent

medium

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker is used with a user agent that is not consistent with common browser, mobile, or Windows platform authentication clients.

Format: Sigma | Tactics: initial_access | Techniques: T1078, T1566 | Sources: network_connection, windows

Detect Entra ID Microsoft Authentication Broker Sign-In with Non-Browser User Agent

medium

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a non-browser user agent. Excludes common platform user agents to reduce false positives.

Format: Sigma | Tactics: initial_access | Techniques: T1078, T1566 | Sources: network_connection, windows

Detection queries are available on the platform.