Threat Feed

Tag: Azuread (11 briefs)
high advisory

Azure AD User ImmutableId Attribute Modification for Persistence

The following analytic identifies modifications to the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user, which is a step in setting up an Azure AD identity federation backdoor that allows an attacker to impersonate any user and bypass MFA.

Platform: Splunk Enterprise (+3 more) | Tags: azuread, persistence, identityfederation, backdoor, cloud
high threat

Fleet Windows MDM Azure AD JWT Authentication Bypass Vulnerability

A vulnerability in Fleet versions prior to 4.82.0 allows authentication tokens from any Azure AD tenant to be accepted, enabling unauthorized device enrollment and MDM API access due to improper JWT signature validation, tracked as CVE-2026-24899.

Platform: fleetdm/fleet/v4 (+1 more) | Tags: jwt, azuread, authentication, bypass, mdm, fleetdm
medium advisory

Azure AD Authentication from Unexpected Geo-locations

Detection of successful authentications originating from geographic locations outside of an organization's expected operational footprint, potentially indicating compromised credentials or unauthorized access.

Platform: Azure Active Directory | Tags: azuread, authentication, geo-location, unauthorized-access, credential-compromise, privilege-escalation
high advisory

Azure AD Threat Intelligence Detection

This brief focuses on detecting unusual user activity and sign-in patterns flagged by Azure AD Threat Intelligence, which may indicate stealthy attacks, persistence attempts, privilege escalation, or initial access.

Platform: Azure Active Directory | Tags: azuread, threat-intelligence, risk-detection
high advisory

Azure AD Activity From Anonymous IP Address

Detection of user activity originating from an IP address identified as an anonymous proxy, potentially indicating unauthorized access, privilege escalation, or persistence within an Azure Active Directory environment.

Platform: Azure Active Directory | Tags: azuread, anonymous-proxy, identity-protection
high advisory

Azure AD User Added to Global or Device Admin Role

An attacker may attempt to add a user to a high-privilege Azure AD role, such as Global Administrator or Device Administrator, to establish persistence, gain initial access, escalate privileges, or operate stealthily within the compromised environment.

Platform: Azure Active Directory | Tags: azuread, role-assignment, privilege-escalation, persistence
high advisory

Azure AD Temporary Access Pass Added to Account

Detection of a temporary access pass (TAP) being added to an Azure AD account, which could indicate potential privilege escalation, initial access, persistence, or stealth activity.

Platform: Azure Active Directory | Tags: azuread, temporary-access-pass, privilege-escalation, initial-access, persistence
medium advisory

Microsoft 365 Risk-Based Step-Up Consent Disabled

The Microsoft 365 'risk-based step-up consent' security setting is disabled by an adversary to allow users to grant consent to malicious applications, potentially leading to unauthorized access and data breaches.

Platform: Splunk Enterprise (+4 more) | Tags: azuread, o365, oauth, risk-based, consent, defense-evasion
medium advisory

Azure AD Failed Authentication Increase

Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.

Platform: Azure Active Directory | Tags: azuread, brute-force, credential-stuffing, authentication
medium advisory

Unauthorized Guest User Invitations in Azure AD

Detection of unauthorized guest user invitations within an Azure Active Directory tenant, indicating potential privilege escalation, persistence, or initial access attempts.

Platform: azure | Tags: azuread, guest-user, privilege-escalation, persistence, initial-access
high advisory

Impossible Travel Detection in Azure AD

This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to log in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.

Platform: Azure Active Directory | Tags: azuread, identity-protection, impossible-travel, account-compromise, lateral-movement