{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-entra-id/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["medium"],"_cs_tags":["cloud","identity","persistence","azure","microsoft-entra-id"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA sophisticated threat actor, having already established initial access to an organization's Microsoft Entra ID tenant through the compromise of a guest account, can achieve persistent access and elevate privileges by converting the compromised guest account to a member account. This high-impact technique, observed in campaigns targeting cloud environments, leverages the \u0026quot;Update user\u0026quot; operation to modify the \u003ccode\u003eUserType\u003c/code\u003e attribute. By changing an account from 'Guest' to 'Member', attackers gain full directory read access, bypass external-identity Conditional Access policies, and make the account appear as a standard internal employee, effectively masking their continued presence. This method of persistence is particularly insidious as it often avoids detection mechanisms designed for explicit role assignments, offering a stealthier way to maintain control and facilitate further malicious activities such as reconnaissance and data exfiltration. Defenders must monitor for these specific user attribute changes to detect such advanced persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker compromises an existing legitimate guest account within an Entra ID tenant, typically through methods like phishing, credential stuffing, or supply chain compromise targeting an external partner.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Compromise\u003c/strong\u003e: The attacker subsequently compromises an administrator account or gains sufficient permissions within the Entra ID tenant to modify user properties.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUserType Modification\u003c/strong\u003e: Using the compromised administrative privileges, the attacker executes an \u0026quot;Update user\u0026quot; operation within Entra ID, specifically targeting the previously compromised guest account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProperty Update\u003c/strong\u003e: During this \u0026quot;Update user\u0026quot; operation, the \u003ccode\u003eUserType\u003c/code\u003e attribute of the guest account is changed from \u003ccode\u003eGuest\u003c/code\u003e to \u003ccode\u003eMember\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnhanced Permissions\u003c/strong\u003e: This conversion automatically grants the now-modified account full directory read access, which is typically restricted for external guest accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConditional Access Bypass\u003c/strong\u003e: The conversion also removes external-identity-specific Conditional Access restrictions, allowing the account to operate with fewer security constraints.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStealthy Persistence\u003c/strong\u003e: The newly converted \u0026quot;Member\u0026quot; account is virtually indistinguishable from a standard internal employee account, establishing persistent access that often bypasses detection mechanisms for explicit role assignments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation\u003c/strong\u003e: The attacker leverages the \u0026quot;Member\u0026quot; account for broader reconnaissance, directory enumeration (e.g., via Graph API \u003ccode\u003e/users\u003c/code\u003e, \u003ccode\u003e/groups\u003c/code\u003e, \u003ccode\u003e/applications\u003c/code\u003e), data exfiltration, or further lateral movement within the organization's cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in an attacker maintaining stealthy, persistent access to the victim organization's Microsoft Entra ID environment. The compromised account gains full directory read access, enabling extensive reconnaissance and mapping of cloud resources and user identities. Furthermore, the bypass of external-identity Conditional Access policies allows the attacker to operate with fewer restrictions, potentially facilitating data exfiltration, further privilege escalation, and lateral movement into integrated cloud applications. This technique leads to long-term compromise, making detection and remediation challenging as the account appears benign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure comprehensive logging for \u003ccode\u003eazure.auditlogs\u003c/code\u003e events is enabled and ingested into your security monitoring platform.\u003c/li\u003e\n\u003cli\u003eInvestigate all \u003ccode\u003eUpdate user\u003c/code\u003e operations where \u003ccode\u003eUserType\u003c/code\u003e changes from \u003ccode\u003eGuest\u003c/code\u003e to \u003ccode\u003eMember\u003c/code\u003e by examining the \u003ccode\u003einitiated_by\u003c/code\u003e field for authorization.\u003c/li\u003e\n\u003cli\u003eProactively review \u003ccode\u003eazure.signinlogs.*\u003c/code\u003e for any directory enumeration patterns (e.g., access to Graph API \u003ccode\u003e/users\u003c/code\u003e, \u003ccode\u003e/groups\u003c/code\u003e, \u003ccode\u003e/applications\u003c/code\u003e) originating from recently converted accounts.\u003c/li\u003e\n\u003cli\u003eImplement strict change management processes for all B2B collaboration migrations or organizational restructuring that involves legitimate Guest-to-Member conversions, ensuring proper documentation and approval.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:40:23Z","date_published":"2026-06-18T15:40:23Z","id":"https://feed.craftedsignal.io/briefs/2026-06-entra-id-guest-to-member/","summary":"A sophisticated threat actor, having compromised an existing guest account in Microsoft Entra ID, can establish persistent access and elevate privileges by performing a Guest-to-Member account conversion, which grants full directory read access and bypasses Conditional Access restrictions, enabling stealthy long-term access and reconnaissance.","title":"Microsoft Entra ID Guest Account Promoted to Member","url":"https://feed.craftedsignal.io/briefs/2026-06-entra-id-guest-to-member/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["high"],"_cs_tags":["cloud","identity","azure","entra-id","mfa-bypass","persistence","lateral-movement","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat details the abuse of the Temporary Access Pass (TAP) feature within Microsoft Entra ID by malicious actors. An attacker who has gained User Administrator or Authentication Administrator privileges can exploit these roles to create a TAP for any target Entra ID user account. TAPs are a powerful credential, as they are time-limited, allow for passwordless authentication, and crucially, bypass all existing Multi-Factor Authentication (MFA) requirements, including phishing-resistant methods. Threat actors leverage this capability to sign into compromised accounts without needing the original password, and critically, register new, persistent authentication methods (such as FIDO2 security keys or Microsoft Authenticator app registrations) before the TAP expires. This establishes a durable backdoor, enabling continued unauthorized access, lateral movement, and potential data exfiltration, even if the initial compromise vector is remediated and the TAP itself expires.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains User Administrator or Authentication Administrator privileges within Microsoft Entra ID through an undisclosed initial access vector.\u003c/li\u003e\n\u003cli\u003eLeveraging these elevated administrative privileges, the attacker creates a Temporary Access Pass (TAP) for a target Entra ID user account, which is recorded in \u003ccode\u003eazure.auditlogs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe generated TAP acts as a time-limited, single-use passcode that bypasses all existing MFA policies and requirements for the target account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly issued TAP to successfully sign into the target user account, as evidenced by entries in \u003ccode\u003eazure.signinlogs\u003c/code\u003e with \u0026quot;Temporary Access Pass\u0026quot; as the authentication method.\u003c/li\u003e\n\u003cli\u003eDuring the active session authenticated by the TAP, the attacker registers one or more new, persistent authentication methods (e.g., FIDO2 security key, Microsoft Authenticator app) for the compromised account.\u003c/li\u003e\n\u003cli\u003eUpon expiration or revocation of the TAP, the attacker retains persistent access to the target account via the newly registered authentication methods, bypassing the original password and MFA setup.\u003c/li\u003e\n\u003cli\u003eWith persistent access, the attacker can proceed with objectives such as data exfiltration, lateral movement within the cloud environment, or further privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of the Entra ID TAP feature can lead to complete account compromise, effectively bypassing all MFA protections in place, including phishing-resistant methods. Attackers can establish long-term persistence within an organization's cloud environment by registering new authentication methods, rendering password changes or MFA resets ineffective without careful post-incident remediation. This can result in unauthorized access to sensitive data, financial systems, or critical infrastructure, and enable further lateral movement within the compromised cloud tenancy. While specific victim numbers are not provided, organizations heavily reliant on Microsoft Entra ID for identity management are at risk, particularly those with insufficiently protected administrative accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM, specifically the rules detecting 'Microsoft Entra ID Temporary Access Pass Creation', 'Microsoft Entra ID Sign-in Using Temporary Access Pass', and 'New Authentication Method Registration in Entra ID'.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for \u003ccode\u003eazure.auditlogs\u003c/code\u003e and \u003ccode\u003eazure.signinlogs\u003c/code\u003e within Microsoft Entra ID to ensure telemetry is available for the detection rules.\u003c/li\u003e\n\u003cli\u003eRegularly audit the assignments for 'User Administrator' and 'Authentication Administrator' roles in Microsoft Entra ID, ensuring least privilege and strong protections for these accounts.\u003c/li\u003e\n\u003cli\u003eImplement strict change management processes for all identity-related administrative actions to identify unauthorized TAP creations in \u003ccode\u003eazure.auditlogs\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:39:09Z","date_published":"2026-06-18T15:39:09Z","id":"https://feed.craftedsignal.io/briefs/2026-06-entra-id-tap-abuse/","summary":"An attacker with elevated privileges abuses the Microsoft Entra ID Temporary Access Pass (TAP) feature to bypass multi-factor authentication (MFA), gain unauthorized access to target user accounts, and establish persistence by registering new authentication methods.","title":"Microsoft Entra ID Temporary Access Pass (TAP) Abuse for MFA Bypass and Persistence","url":"https://feed.craftedsignal.io/briefs/2026-06-entra-id-tap-abuse/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Microsoft Entra ID","Exchange Online","SharePoint Online","Microsoft Teams"],"_cs_severities":["high"],"_cs_tags":["cloud","saas","identity","microsoft-365","initial-access","phishing","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThreat actors are increasingly utilizing sophisticated phishing techniques, specifically targeting the OAuth device code flow within Microsoft 365, to circumvent multi-factor authentication (MFA). Campaigns observed leveraging tools like Kali365 and tradecraft similar to Storm-2372, dating back at least to early 2025 according to referenced reports, lure victims into authorizing access on attacker-controlled or personal non-compliant devices. This method exploits the legitimate device code authentication mechanism by directing users to genuine Microsoft endpoints to complete their login and MFA, while the attacker's phishing kit polls the token endpoint in the background to harvest an MFA-satisfied access token. This approach bypasses traditional MFA protections by manipulating the authorization process itself, granting attackers persistent access and enabling subsequent malicious activities such as reconnaissance and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Phishing Lure\u003c/strong\u003e: Attackers distribute phishing lures (e.g., email, instant message) containing a unique device code and instructions for the victim to visit a legitimate Microsoft verification URL (e.g., microsoft.com/devicelogin).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDevice Code Entry\u003c/strong\u003e: The victim navigates to the genuine Microsoft verification URL and, as instructed by the lure, enters the attacker-provided device code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication and MFA\u003c/strong\u003e: The victim is prompted to authenticate with their Microsoft 365 credentials and completes multi-factor authentication (MFA) on a legitimate Microsoft login page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Harvesting\u003c/strong\u003e: Concurrently, the attacker's phishing kit, having initiated the device code flow, continuously polls the token endpoint. Upon successful authentication and MFA by the victim, the kit intercepts and harvests the resulting MFA-satisfied refresh token and access token. This often occurs from a device not compliant with the organization's security policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access\u003c/strong\u003e: The attacker uses the harvested tokens to gain unauthorized access to the victim's Microsoft 365 resources (e.g., Exchange Online, SharePoint Online, Microsoft Teams, OneDrive).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Establishment\u003c/strong\u003e: To maintain access, attackers may register a new device to the compromised user's account, establishing Primary Refresh Token (PRT) persistence that survives password changes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance and Lateral Movement\u003c/strong\u003e: With persistent access, the attacker performs reconnaissance within the victim's environment, enumerating mailboxes, files, and other cloud resources, and potentially moving laterally to other connected applications or services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact and Exfiltration\u003c/strong\u003e: Finally, the attacker may exfiltrate sensitive data, initiate further attacks, or manipulate cloud resources based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful device code phishing attacks result in complete bypass of multi-factor authentication, granting attackers MFA-satisfied access tokens that provide persistent and unauthorized entry to critical Microsoft 365 services such as Exchange Online, SharePoint Online, and Teams. This leads to immediate compromise of user accounts, enabling data exfiltration, email account takeover, and access to sensitive documents. Attackers can also establish long-term persistence by registering new devices, making detection and remediation more challenging. While no specific victim counts or industry sectors are provided in the source, the technique is broadly applicable to any organization utilizing Microsoft 365, posing a significant risk of intellectual property theft, financial fraud, and business disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;M365 OAuth Device Code Grant from Non-Compliant Device\u0026quot; to your SIEM to detect anomalous device code authentication originating from unmanaged endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eo365.audit\u003c/code\u003e logs for \u003ccode\u003eRequestType: \u0026quot;Cmsi:Cmsi\u0026quot;\u003c/code\u003e events, paying close attention to \u003ccode\u003eo365.audit.DeviceProperties\u003c/code\u003e (especially \u003ccode\u003eValue: \u0026quot;False\u0026quot;\u003c/code\u003e) and the associated \u003ccode\u003esource.ip\u003c/code\u003e and \u003ccode\u003esource.as.organization.name\u003c/code\u003e for unusual origins.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies in Microsoft Entra ID to restrict device code authentication to only necessary users and applications, and enforce requirements for compliant or hybrid-joined devices.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;M365 Suspicious Device Registration by User\u0026quot; to identify attempts by threat actors to establish persistence post-compromise by registering new devices.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of device code phishing, emphasizing vigilance against unsolicited requests to enter codes on authentication pages and the importance of verifying the authenticity of login prompts.\u003c/li\u003e\n\u003cli\u003eFor confirmed compromises, immediately revoke all refresh tokens for the affected user, reset their credentials, and review \u003ccode\u003eazure.signinlogs\u003c/code\u003e, \u003ccode\u003eazure.graphactivitylogs\u003c/code\u003e, and \u003ccode\u003eazure.auditlogs\u003c/code\u003e for post-compromise activity and remove any unauthorized device registrations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:37:29Z","date_published":"2026-06-18T15:37:29Z","id":"https://feed.craftedsignal.io/briefs/2026-06-m365-device-code-phishing/","summary":"Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access, leveraging phishing kits like Kali365 and tradecraft similar to Storm-2372 to harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices, and subsequently establishing persistence through device registration.","title":"Microsoft 365 OAuth Device Code Phishing Exploits Non-Compliant Devices","url":"https://feed.craftedsignal.io/briefs/2026-06-m365-device-code-phishing/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["high"],"_cs_tags":["cloud","identity","azure","entra_id","sign-in_logs","threat_detection","initial_access","persistence","oauth"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service (DRS) from autonomous system numbers (ASNs) associated with VPNs, residential proxies, or hosting egress. This activity is often observed in OAuth phishing and adversary-in-the-middle (AitM) device registration attacks. Successful exploitation leads to unauthorized device joins or primary refresh token (PRT) acquisition, enabling persistent access to the victim's Entra ID resources. The detection logic focuses on identifying broker-to-DRS sign-ins originating from suspicious ASNs, a technique used by threat actors to stage device registration from attacker-controlled infrastructure after a user has completed the initial authentication flow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email containing a malicious link or attachment.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and is redirected to a fake login page impersonating Microsoft Entra ID.\u003c/li\u003e\n\u003cli\u003eThe victim enters their credentials on the fake login page, which are then stolen by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to initiate a Microsoft Authentication Broker request to the Device Registration Service (DRS) from a VPN, proxy, or hosting ASN (e.g. 399629, 14061, 136787).\u003c/li\u003e\n\u003cli\u003eThe Microsoft Authentication Broker attempts to register a device with the Entra ID tenant.\u003c/li\u003e\n\u003cli\u003eThe Device Registration Service processes the request, potentially granting the attacker control over the registered device.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a Primary Refresh Token (PRT) for the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the PRT to maintain persistent access to the victim's Entra ID resources, bypassing multi-factor authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Entra ID accounts can lead to significant data breaches, unauthorized access to sensitive information, and disruption of business operations. Attackers can use stolen credentials and PRTs to gain persistent access to cloud resources, impersonate legitimate users, and move laterally within the organization's network. Successful device registration enables attackers to bypass security controls and maintain long-term access, making detection and remediation challenging. The use of VPNs and proxies obfuscates the attacker's true location, hindering investigations and attribution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN\u003c/code\u003e to your SIEM and tune for your environment to detect malicious sign-in activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any sign-ins matching the rule criteria by reviewing \u003ccode\u003eazure.signinlogs.properties.user_principal_name\u003c/code\u003e, \u003ccode\u003eazure.signinlogs.properties.app_display_name\u003c/code\u003e, and \u003ccode\u003esource.as.organization.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCompare ASN organizations against approved VPN, MDM, and automation egress in your environment as noted in the rule's \u003ccode\u003efalse_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview Entra ID audit logs for device registration activity around the same timestamp and correlate \u003ccode\u003eazure.signinlogs.properties.session_id\u003c/code\u003e with other sign-ins for the same user as described in the rule's \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eConsider implementing Conditional Access policies for the Microsoft Authentication Broker and device registration requirements as described in the rule's \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T10:36:02Z","date_published":"2026-05-29T10:36:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-entra-id-auth-broker-drs-suspicious-asn/","summary":"Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a suspicious ASN, indicating potential OAuth phishing or adversary-in-the-middle device registration.","title":"Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN","url":"https://feed.craftedsignal.io/briefs/2026-05-entra-id-auth-broker-drs-suspicious-asn/"},{"_cs_actors":["Storm-2949"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft 365","Microsoft Authenticator","Microsoft Azure"],"_cs_severities":["high"],"_cs_tags":["cloud-security","credential-access","data-exfiltration","social-engineering"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eStorm-2949 conducted a multi-layered attack targeting cloud infrastructure by exploiting compromised identities rather than relying on traditional malware. Starting in May 2026, the actor targeted specific users through social engineering, abusing Microsoft's Self-Service Password Reset (SSPR) to bypass MFA and gain persistent access to Microsoft Entra ID. Once inside, they moved laterally through the victim's Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, exfiltrating sensitive data. This campaign highlights the increasing focus of threat actors on cloud identities and control plane access, using legitimate administrative features for malicious purposes. The attack leveraged the Microsoft Graph API for directory discovery, enumerating users and applications within the tenant to identify high-value targets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via Social Engineering:\u003c/strong\u003e Storm-2949 initiates the SSPR process for targeted users, then uses social engineering (e.g., impersonating IT support) to trick them into approving MFA prompts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass:\u003c/strong\u003e Once the user approves the prompts, the attacker resets the password and removes existing authentication methods (phone numbers, email addresses, Microsoft Authenticator registrations).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence via New MFA Enrollment:\u003c/strong\u003e The attacker re-enables MFA and registers a new authentication method on their own device, granting themselves persistent access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDirectory Discovery:\u003c/strong\u003e Using compromised credentials, the attacker conducts directory discovery using Microsoft Graph API to enumerate users and applications within the tenant.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker identifies privileged accounts to target for further compromise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging control-plane access, the actor moves laterally across cloud and endpoint environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Cloud Resources:\u003c/strong\u003e The attacker accesses sensitive cloud resources such as Key Vaults and storage accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The actor exfiltrates sensitive data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Storm-2949 campaign resulted in the exfiltration of sensitive data from multiple areas of the victim organization's cloud infrastructure, including Microsoft 365 applications and Azure-hosted environments. The attackers specifically targeted high-value assets, including those within SaaS, PaaS, and IaaS layers. The compromise of IT personnel and senior leadership suggests significant potential for widespread damage. The number of affected users and the total volume of exfiltrated data are not specified in the report.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust MFA policies and educate users about social engineering tactics targeting SSPR. Deploy the rule \u003ccode\u003eDetect SSPR Abuse via Authentication Method Changes\u003c/code\u003e to identify potential MFA bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Microsoft Graph API usage for unusual enumeration activities. Deploy the rule \u003ccode\u003eDetect Microsoft Graph API Directory Enumeration\u003c/code\u003e to identify suspicious user and application enumeration patterns.\u003c/li\u003e\n\u003cli\u003eReview and harden Azure role-based access control (RBAC) policies to limit lateral movement.\u003c/li\u003e\n\u003cli\u003eImplement behavior-based detections across endpoints, cloud environments, and identities, like those provided by Microsoft Defender XDR.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit user accounts, especially those with elevated privileges, for any unauthorized changes to authentication methods or permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T23:34:36Z","date_published":"2026-05-18T23:34:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-storm-2949-cloud-breach/","summary":"Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.","title":"Storm-2949 Abuses SSPR for Cloud-Wide Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-05-storm-2949-cloud-breach/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft 365","Microsoft Graph","Exchange Online"],"_cs_severities":["medium"],"_cs_tags":["tycoon2fa","aitm","entra_id","phishing","credential_access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects Microsoft Entra ID sign-ins indicative of Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) attacks. Tycoon2FA is designed to bypass multi-factor authentication (MFA) by relaying authentication requests and capturing session cookies, primarily targeting Microsoft 365 and Gmail accounts. The activity is characterized by the Microsoft Authentication Broker (app ID \u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e) requesting tokens for Microsoft Graph (\u003ccode\u003e00000003-0000-0000-c000-000000000000\u003c/code\u003e) or Exchange Online (\u003ccode\u003e00000002-0000-0ff1-ce00-000000000000\u003c/code\u003e), or the Office web client application (app ID \u003ccode\u003e4765445b-32c6-49b0-83e6-1d93765276ca\u003c/code\u003e) authenticating to itself, in conjunction with Node.js-style user agents (node, axios, undici). Defenders should baseline legitimate automation and developer tooling using these patterns to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim receives a phishing email or message designed to mimic a legitimate Microsoft 365 login page.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and is redirected to a Tycoon2FA-controlled server acting as a proxy.\u003c/li\u003e\n\u003cli\u003eThe victim enters their credentials, which are captured by the Tycoon2FA proxy.\u003c/li\u003e\n\u003cli\u003eThe Tycoon2FA proxy initiates a legitimate sign-in attempt to Microsoft Entra ID using the stolen credentials and relays the MFA request to the victim.\u003c/li\u003e\n\u003cli\u003eThe victim completes MFA, and the Tycoon2FA proxy captures the session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to bypass MFA and gain access to the victim's Microsoft 365 account, impersonating the user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this access to perform actions such as reading emails, accessing files, or initiating further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to account compromise and unauthorized access to sensitive data within Microsoft 365 and Gmail environments. This can result in data breaches, financial loss, and reputational damage. Tycoon2FA is a phishing-as-a-service (PhaaS) platform, enabling even less sophisticated attackers to successfully bypass MFA, potentially affecting a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential AiTM attacks targeting Microsoft Entra ID.\u003c/li\u003e\n\u003cli\u003eMonitor Microsoft Entra ID sign-in logs for the specific application IDs (\u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e, \u003ccode\u003e4765445b-32c6-49b0-83e6-1d93765276ca\u003c/code\u003e) and resource IDs (\u003ccode\u003e00000002-0000-0ff1-ce00-000000000000\u003c/code\u003e, \u003ccode\u003e00000003-0000-0000-c000-000000000000\u003c/code\u003e) associated with Tycoon2FA, as described in the overview.\u003c/li\u003e\n\u003cli\u003eInvestigate sign-ins originating from unusual user agents, especially those containing \u0026quot;node\u0026quot;, \u0026quot;axios\u0026quot;, or \u0026quot;undici\u0026quot; when used in conjunction with the Microsoft Authentication Broker or Office web client application.\u003c/li\u003e\n\u003cli\u003eReview conditional access policies and MFA configurations to ensure they are effectively preventing AiTM attacks.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing techniques and the importance of verifying login pages and MFA requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T09:26:29Z","date_published":"2026-05-18T09:26:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-entra-id/","summary":"Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).","title":"Tycoon2FA AiTM Phishing via Microsoft Entra ID Sign-Ins","url":"https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-entra-id/"}],"language":"en","title":"CraftedSignal Threat Feed - Microsoft Entra ID","version":"https://jsonfeed.org/version/1.1"}