Threat Feed

Tag

Entra Id

4 briefs RSS
high advisory

Microsoft Entra ID Temporary Access Pass (TAP) Abuse for MFA Bypass and Persistence

An attacker with elevated privileges abuses the Microsoft Entra ID Temporary Access Pass (TAP) feature to bypass multi-factor authentication (MFA), gain unauthorized access to target user accounts, and establish persistence by registering new authentication methods.

Microsoft Entra ID cloud identity azure entra-id mfa-bypass persistence lateral-movement initial-access
3r 2t
high advisory

M365 or Entra ID Identity Sign-in from a Suspicious Source

This rule correlates successful Entra ID or Microsoft 365 mail sign-in events with network security alerts by source address, indicating potential initial access via compromised credentials.

Entra ID +1 initial-access cloud entra-id m365
2r 1t
medium advisory

Entra ID OAuth User Impersonation to Microsoft Graph

This rule detects potential session hijacking or token replay in Microsoft Entra ID by identifying cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID, which may indicate a successful OAuth phishing attack, session hijacking, or token replay.

Entra ID +1 cloud identity api azure oauth session hijacking
2r 2t
medium advisory

Detect Windows Entra User Management Via Azure CLI

This analytic detects the usage of the Azure CLI to interact with user accounts, such as creating or deleting a user, potentially indicating malicious activity aimed at maintaining persistence and evading detection within an Entra ID environment.

Azure CLI +3 azure entra-id user-management persistence windows
2r 3t