Threat Feed
medium advisory

Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource

Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets, potentially indicating abuse to obtain tokens for unexpected APIs or enterprise applications.

Attackers are increasingly abusing the Microsoft Authentication Broker (MAB) in phishing and token broker flows to gain unauthorized access to Entra ID resources. This involves manipulating the broker to request tokens for APIs or enterprise applications that are not part of the expected first-party targets. This technique allows attackers to bypass traditional authentication controls and gain access to sensitive data or services. This activity is notable because legitimate use of MAB should typically target a limited set of Microsoft services like Azure Active Directory, Microsoft Graph, Device Registration Service, and Microsoft Intune Enrollment. This detection rule focuses on identifying sign-in attempts where MAB is used to access resources outside of this expected scope.

Attack Chain

  1. The attacker compromises a user’s credentials or session.
  2. The attacker initiates a sign-in request using the Microsoft Authentication Broker (MAB). The MAB client application ID is 29d9ed98-a469-4536-ade2-f981bc1d605e.
  3. The attacker crafts the request to target a resource identifier outside the typical first-party Microsoft services (e.g., an unusual API or enterprise application).
  4. The MAB validates the user’s identity.
  5. If successful, the MAB issues an access token for the requested resource.
  6. The attacker uses the acquired access token to access the targeted resource, potentially gaining unauthorized access to data or services.
  7. The attacker performs malicious actions, such as data exfiltration or privilege escalation, within the compromised resource.

Impact

Successful exploitation can lead to unauthorized access to sensitive data, compromised user accounts, and potential data breaches. Attackers can use the access tokens obtained through this method to perform a wide range of malicious activities, including data exfiltration, lateral movement, and privilege escalation within the Entra ID environment. The scope of the impact depends on the permissions and access levels associated with the compromised user account and the targeted resource.

Recommendation

  • Enable Microsoft Entra ID sign-in logs (logs-azure.signinlogs-*) and ensure they include azure.signinlogs.properties.app_id and azure.signinlogs.properties.resource_id as mentioned in the setup instructions.
  • Deploy the Sigma rule “Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource” to your SIEM to detect suspicious sign-in attempts. Tune the exclusion list for first-party resource identifiers your tenant expects from the Microsoft Authentication Broker (MAB).
  • Investigate any alerts generated by the Sigma rule, focusing on azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.resource_id, azure.signinlogs.properties.resource_display_name, azure.signinlogs.properties.session_id, source.ip, and user_agent.original.
  • Review conditional access policies and risk detections for users exhibiting this behavior as described in the Triage section of this brief.
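As an added illustration of the rule's core logic (this is not the platform's Sigma rule or its code), the filter below runs over constructed Entra ID sign-in events: a successful sign-in whose client app is the MAB ID quoted above and whose resource ID is outside the expected first-party set is flagged, and the triage fields named in this brief are pulled out for the analyst. The `event.outcome` field and the first-party resource IDs other than MAB's are assumptions; verify them against your own tenant's logs before tuning.

```python
"""Toy detector: MAB sign-ins to resources outside the expected first-party set."""
from typing import Iterable, List

MAB_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # client app ID from the advisory

# Assumed well-known first-party resource IDs that MAB normally targets;
# confirm and tune this exclusion list against your tenant's sign-in logs.
EXPECTED_RESOURCE_IDS = {
    "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
    "00000002-0000-0000-c000-000000000000",  # Azure Active Directory (AAD Graph)
    "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9",  # Device Registration Service
    "d4ebce55-015a-49b5-a083-c84d1797ae8c",  # Microsoft Intune Enrollment
}

# Fields the brief says to focus on during investigation.
TRIAGE_FIELDS = (
    "azure.signinlogs.properties.user_principal_name",
    "azure.signinlogs.properties.resource_id",
    "azure.signinlogs.properties.resource_display_name",
    "azure.signinlogs.properties.session_id",
    "source.ip",
    "user_agent.original",
)


def is_unusual_mab_signin(event: dict, expected=EXPECTED_RESOURCE_IDS) -> bool:
    """True when a *successful* sign-in uses MAB against a non-expected resource."""
    if event.get("event.outcome") != "success":  # assumed ECS outcome field
        return False
    if event.get("azure.signinlogs.properties.app_id", "").lower() != MAB_APP_ID:
        return False
    resource = event.get("azure.signinlogs.properties.resource_id", "").lower()
    return resource not in expected


def find_unusual_mab_signins(events: Iterable[dict], expected=EXPECTED_RESOURCE_IDS) -> List[dict]:
    """Return the triage view of every event the rule would alert on."""
    return [{k: e.get(k) for k in TRIAGE_FIELDS} for e in events if is_unusual_mab_signin(e, expected)]


def _ev(upn, app_id, resource_id, resource_name, outcome="success"):
    """Build a constructed, flattened sign-in event (sample data, not real logs)."""
    return {"event.outcome": outcome, "azure.signinlogs.properties.app_id": app_id,
            "azure.signinlogs.properties.resource_id": resource_id,
            "azure.signinlogs.properties.resource_display_name": resource_name,
            "azure.signinlogs.properties.user_principal_name": upn,
            "azure.signinlogs.properties.session_id": "sess-" + upn.split("@")[0],
            "source.ip": "203.0.113.10", "user_agent.original": "Mozilla/5.0"}


ODD_APP = "11111111-2222-3333-4444-555555555555"  # constructed enterprise app ID
SAMPLE_EVENTS = [
    _ev("alice@example.com", MAB_APP_ID, "00000003-0000-0000-c000-000000000000", "Microsoft Graph"),
    _ev("bob@example.com", MAB_APP_ID, ODD_APP, "Contoso Finance API"),            # should alert
    _ev("carol@example.com", "aaaaaaaa-0000-0000-0000-000000000001", ODD_APP, "Contoso Finance API"),
    _ev("dave@example.com", MAB_APP_ID, ODD_APP, "Contoso Finance API", outcome="failure"),
]
```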

Detection coverage (2 rules)

Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource

medium

Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets.

Type: sigma | Tactics: initial_access | Techniques: T1078.004 | Sources: authentication, azure

Entra ID Microsoft Authentication Broker Usage

info

Detects use of the Microsoft Authentication Broker (MAB) client application ID.

Type: sigma | Tactics: initial_access | Techniques: T1078.004 | Sources: authentication, azure
