{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/entra-id/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Entra ID"],"_cs_severities":["high"],"_cs_tags":["azure","entra_id","credential_access","brute_force"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies a surge in failed Microsoft Entra ID sign-in attempts (error code 50053) due to account lockouts, suggesting potential brute-force attacks. Attackers often employ password spraying, credential stuffing, or automated guessing to compromise accounts. This detection uses a threshold-based approach to identify coordinated campaigns targeting multiple users. The Entra ID Smart Lockout feature triggers error code 50053, utilizing IP-based tracking to differentiate between \u0026ldquo;familiar\u0026rdquo; and \u0026ldquo;unfamiliar\u0026rdquo; locations, with lockouts primarily originating from unfamiliar IPs. Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker attempts to gain access to Entra ID accounts using compromised or guessed credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePassword Spraying/Credential Stuffing:\u003c/strong\u003e The attacker performs password spraying attacks by attempting common passwords across multiple accounts, or credential stuffing attacks by using lists of breached credentials obtained from other sources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Failure:\u003c/strong\u003e The sign-in attempts fail due to incorrect credentials, resulting in authentication failure events in Entra ID sign-in logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSmart Lockout Triggered:\u003c/strong\u003e Entra ID\u0026rsquo;s Smart Lockout feature detects the repeated failed sign-in attempts from unfamiliar IPs, triggering account lockouts and generating error code 50053.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout:\u003c/strong\u003e The target user accounts are locked out, preventing legitimate users from accessing their accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Enumeration:\u003c/strong\u003e Prior to the lockouts, the attacker may perform username enumeration, resulting in error code 50034 (user not found) in the sign-in logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass Attempt (if applicable):\u003c/strong\u003e If MFA is not enforced or bypassed, the attacker may attempt to gain access using single-factor authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise (if successful):\u003c/strong\u003e If the attacker successfully guesses the password before lockout or bypasses MFA, the account is compromised, allowing unauthorized access to resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force attack against Entra ID can lead to widespread account compromise. This could result in unauthorized access to sensitive data, business disruption, and potential financial loss. An attacker could leverage compromised accounts to move laterally within the network, escalate privileges, and exfiltrate data. This attack can affect any organization using Microsoft Entra ID for identity and access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Entra ID Excessive Account Lockouts Detected\u0026rdquo; to your SIEM to detect high counts of failed sign-in attempts resulting in account lockouts.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by pivoting to the raw logs in Discover or Timeline using the provided query and focusing on \u003ccode\u003eevent.dataset: \u0026quot;azure.signinlogs\u0026quot; and azure.signinlogs.properties.status.error_code: 50053\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBlock suspicious source IPs identified in the investigation using Conditional Access named locations to prevent further brute-force attempts.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to block legacy authentication protocols like IMAP, SMTP, and POP, which are often targeted in password spraying attacks.\u003c/li\u003e\n\u003cli\u003eReview and enhance Conditional Access policies to ensure comprehensive MFA coverage and prevent MFA bypass attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T18:43:05Z","date_published":"2026-04-22T18:43:05Z","id":"/briefs/2024-01-30-entra-id-lockouts/","summary":"A high volume of failed Microsoft Entra ID sign-in attempts resulting in account lockouts indicates potential brute-force attacks, such as password spraying or credential stuffing, targeting user accounts.","title":"Entra ID Excessive Account Lockouts Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-30-entra-id-lockouts/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Entra ID"],"_cs_severities":["high"],"_cs_tags":["attack.stealth","attack.t1078","attack.persistence","attack.privilege-escalation","attack.initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting suspicious sign-in activity within Azure Active Directory (Azure AD). Specifically, it targets sign-ins originating from countries or regions that are new or unusual for a given user. This behavior can be indicative of compromised credentials, travel without notification, or the use of VPN/proxy services to mask the true origin of the sign-in. Microsoft Entra ID Protection identifies \u0026ldquo;new country\u0026rdquo; as a risk event when a user signs in from a location that is drastically different from their recent sign-in history. Detecting these anomalies is crucial for preventing unauthorized access and mitigating potential data breaches. The detection uses Azure AD\u0026rsquo;s risk detection logs to identify such events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to a valid user\u0026rsquo;s credentials, potentially through phishing, credential stuffing, or malware. (T1078)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAnomalous Login:\u003c/strong\u003e The attacker attempts to sign in to Azure AD using the compromised credentials from a country or region not typically associated with the user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRisk Detection Trigger:\u003c/strong\u003e Azure AD Identity Protection identifies the sign-in as high-risk due to the new country/region and logs a \u0026ldquo;newCountry\u0026rdquo; risk event.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may establish persistent access by creating new accounts or modifying existing ones.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e If the compromised account has elevated privileges, the attacker may attempt to escalate their privileges within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker may use the compromised account to move laterally within the organization, accessing other resources and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker accesses sensitive data and attempts to exfiltrate it from the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objectives, which could include data theft, financial fraud, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack following a sign-in from a new country can result in unauthorized access to sensitive data, compromised user accounts, and potential data breaches. Organizations may experience financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the privileges of the compromised account and the attacker\u0026rsquo;s objectives. Immediate containment is crucial to prevent further damage if a new country sign-in is verified as malicious.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM or security analytics platform to detect \u0026ldquo;newCountry\u0026rdquo; risk events in Azure AD (logsource: azure, service: riskdetection).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule in the context of other sign-in activities for the affected user to rule out false positives.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to mitigate the risk of account compromise (T1078).\u003c/li\u003e\n\u003cli\u003eMonitor user activity logs for other suspicious behaviors, such as unusual access patterns or attempts to escalate privileges.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies to restrict access based on location, device, and other factors.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing and other social engineering tactics to prevent credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-azure-new-country-signin/","summary":"Detection of Azure AD sign-ins originating from countries or regions not previously associated with a user, indicating potential account compromise or anomalous activity.","title":"Azure AD Sign-in from New Country/Region","url":"https://feed.craftedsignal.io/briefs/2024-01-30-azure-new-country-signin/"}],"language":"en","title":"CraftedSignal Threat Feed — Entra ID","version":"https://jsonfeed.org/version/1.1"}