Entra ID OAuth User Impersonation to Microsoft Graph
This rule detects potential session hijacking or token replay in Microsoft Entra ID, identifying cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID, which may indicate a successful OAuth phishing attack, session hijacking, or token replay attack.
This detection rule identifies potential session hijacking or token replay attacks against Microsoft Entra ID. It flags cases where a user authenticates and then accesses Microsoft Graph from a different IP address while presenting the same session ID. That pattern is consistent with a successful OAuth phishing attack, session hijacking, or token replay, where an attacker who has obtained the user's session cookie or refresh/access token replays it from another host or geographic location and acts as the user. With that access the attacker can read and modify resources and data through the compromised account, which can lead to data exposure or unauthorized actions. Defenders should investigate rapid IP switching followed by Graph access and determine whether it is legitimate; VPN connects, mobile carrier NAT and roaming between networks also change a client's IP mid-session, so the originating ASN and device context should be checked before treating the activity as malicious. The detection correlates Microsoft Entra ID Sign-In Logs with Microsoft Graph Activity Logs.
Attack Chain
- The attacker sends a phishing email to a target user with a malicious link to an OAuth application.
- The user clicks the link and grants permissions to the attacker-controlled OAuth application.
- The attacker obtains the user's session cookie or refresh/access token.
- The attacker replays the stolen token from a different IP address to call Microsoft Graph as the user.
- The attacker makes API calls to Microsoft Graph to access sensitive data, such as emails, files, and contacts.
- The attacker may exfiltrate the stolen data to an external server.
- The attacker attempts to maintain persistent access by using the refresh token to obtain new access tokens.
Impact
Successful exploitation can lead to unauthorized access to sensitive data within Microsoft 365, including emails, files, and contacts. This can result in data breaches, financial loss, and reputational damage. The rule is rated medium severity because of the potential impact on data confidentiality and integrity, and because the compromised account can be used for further movement within the tenant.
Recommendation
- Deploy the Sigma rule Detect Entra ID OAuth User Impersonation via IP Address to your SIEM and tune it for your environment to identify potential session hijacking or token replay attacks.
- Investigate any alerts generated by the Sigma rule, focusing on users who have signed in from multiple IP addresses within a short period of time.
- Enable Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs as required by the rule setup notes to provide the necessary data for detection.
- Revoke all refresh/access tokens for any user principal confirmed to be compromised, as noted in the rule's triage and analysis guidance (for example via the Microsoft Graph revokeSignInSessions action), and review the OAuth application consents granted by that user.
Detection coverage (2 rules)
Detect Entra ID OAuth User Impersonation via IP Address
Severity: medium. Detects potential OAuth user impersonation in Entra ID by identifying sign-in events followed by Microsoft Graph access from different IP addresses using the same session ID.
Detect Entra ID OAuth User Impersonation via ASN
Severity: medium. Detects potential OAuth user impersonation in Entra ID by identifying sign-in events followed by Microsoft Graph access from different ASNs using the same session ID.
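The correlation both rules describe, written out as an added example that is not the platform's Sigma rule: each Graph call is matched to the most recent sign-in that carries the same user and session ID, and an alert is raised when the call's IP address (IP variant) or ASN (ASN variant) differs from the sign-in's. The events, field names and the 24-hour correlation window are constructed for illustration and simplified relative to the real Sign-In Logs and Graph Activity Logs schemas; the ASN variant is included to show how it suppresses the same-network IP change that the IP variant alerts on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SignIn:
    """Simplified Entra ID sign-in event (constructed, not a real log schema)."""
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: int


@dataclass(frozen=True)
class GraphCall:
    """Simplified Microsoft Graph activity event (constructed)."""
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: int
    request: str


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00+00:00")


# Constructed sample data. IPs are documentation ranges, ASNs are private.
SIGNINS: List[SignIn] = [
    SignIn(_t("09:00"), "alice@example.com", "sess-1", "203.0.113.10", 64500),
    SignIn(_t("09:10"), "bob@example.com", "sess-2", "192.0.2.5", 64502),
]

GRAPH_CALLS: List[GraphCall] = [
    # alice, same host as her sign-in: benign
    GraphCall(_t("09:05"), "alice@example.com", "sess-1", "203.0.113.10", 64500,
              "GET /v1.0/me/messages"),
    # alice's session replayed from another network: the token-replay case
    GraphCall(_t("09:40"), "alice@example.com", "sess-1", "198.51.100.77", 64501,
              "GET /v1.0/me/messages"),
    # bob's IP changes inside the same ASN (e.g. carrier NAT rotation)
    GraphCall(_t("09:12"), "bob@example.com", "sess-2", "192.0.2.6", 64502,
              "GET /v1.0/me/drive/root/children"),
    # carol has no sign-in with this session ID in the window: not correlatable
    GraphCall(_t("09:20"), "carol@example.com", "sess-9", "198.51.100.9", 64501,
              "GET /v1.0/me"),
]


def detect_impersonation(signins: List[SignIn], calls: List[GraphCall],
                         key: str = "ip",
                         window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Return one alert per Graph call whose `key` (ip or asn) differs from the
    most recent preceding sign-in with the same user and session ID."""
    if key not in ("ip", "asn"):
        raise ValueError("key must be 'ip' or 'asn'")

    by_session: Dict[Tuple[str, str], List[SignIn]] = {}
    for s in signins:
        by_session.setdefault((s.user, s.session_id), []).append(s)
    for lst in by_session.values():
        lst.sort(key=lambda s: s.ts)

    alerts: List[Dict] = []
    for c in calls:
        # Only sign-ins that precede the call and fall inside the window count.
        candidates = [s for s in by_session.get((c.user, c.session_id), [])
                      if s.ts <= c.ts and c.ts - s.ts <= window]
        if not candidates:
            continue  # nothing to compare against; leave uncorrelated
        origin = candidates[-1]
        if getattr(origin, key) != getattr(c, key):
            alerts.append({
                "rule": f"OAuth user impersonation via {key.upper()}",
                "user": c.user,
                "session_id": c.session_id,
                "signin_ts": origin.ts.isoformat(),
                "signin_value": getattr(origin, key),
                "graph_ts": c.ts.isoformat(),
                "graph_value": getattr(c, key),
                "request": c.request,
            })
    return alerts


if __name__ == "__main__":
    for variant in ("ip", "asn"):
        for a in detect_impersonation(SIGNINS, GRAPH_CALLS, key=variant):
            print(a)
```

Run over the sample data, the IP variant raises two alerts (alice's replayed session and bob's same-ASN IP change), while the ASN variant raises only the alice alert; carol's call produces nothing in either variant because there is no sign-in to correlate it with. The ASN variant is the one to tune first in environments with heavy mobile or VPN use, and a confirmed hit should be followed by token revocation for the user.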