Threat Feed
Tag: Identity
27 briefs
medium advisory

Entra ID OAuth Application Redirect URI Modified

Adversaries are modifying OAuth application redirect URIs (ReplyUrls) in Microsoft Entra ID to intercept OAuth authorization codes and steal tokens, granting unauthorized access without new application registration or user consent.

Entra ID +1 cloud identity azure persistence credential-access token-theft microsoft-entra-id
2r 2t
medium advisory

Microsoft Entra ID Guest Account Promoted to Member

A sophisticated threat actor, having compromised an existing guest account in Microsoft Entra ID, can establish persistent access and elevate privileges by performing a Guest-to-Member account conversion, which grants full directory read access and bypasses Conditional Access restrictions, enabling stealthy long-term access and reconnaissance.

Microsoft Entra ID cloud identity persistence azure microsoft-entra-id
1r 1t
high advisory

Microsoft Entra ID Temporary Access Pass (TAP) Abuse for MFA Bypass and Persistence

An attacker with elevated privileges abuses the Microsoft Entra ID Temporary Access Pass (TAP) feature to bypass multi-factor authentication (MFA), gain unauthorized access to target user accounts, and establish persistence by registering new authentication methods.

Microsoft Entra ID cloud identity azure entra-id mfa-bypass persistence lateral-movement initial-access
3r 2t
high advisory

Microsoft 365 OAuth Device Code Phishing Exploits Non-Compliant Devices

Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access. Using phishing kits like Kali365 and tradecraft similar to Storm-2372, they harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices and subsequently establish persistence through device registration.

Microsoft 365 +4 cloud saas identity microsoft-365 initial-access phishing persistence
2r 3t
high advisory

Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a non-standard user agent, inconsistent with common browser, mobile, or Windows platforms, potentially indicating adversary-in-the-middle or OAuth phishing attacks.

Entra ID cloud identity azure entra_id initial_access
2r 3t
high advisory

Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a suspicious ASN, indicating potential OAuth phishing or adversary-in-the-middle device registration.

Microsoft Entra ID cloud identity azure entra_id sign-in_logs threat_detection initial_access persistence +1
2r 3t
medium advisory

Entra ID OAuth User Impersonation to Microsoft Graph

This rule detects potential session hijacking or token replay in Microsoft Entra ID by identifying cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID, which may indicate a successful OAuth phishing attack, session hijacking, or token replay.

Entra ID +1 cloud identity api azure oauth session hijacking
2r 2t
high threat

Entra ID OAuth Device Code Phishing via AiTM

Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.

Entra ID +3 Tycoon2FA cloud identity azure entra_id phishing
2r 3t
medium advisory

Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource

Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets, potentially indicating abuse to obtain tokens for unexpected APIs or enterprise applications.

Entra ID cloud identity azure entra_id microsoft_entra_id sign_in_logs threat_detection initial_access
2r 2t
high advisory

Microsoft 365 AiTM UserLoggedIn via Office App (Tycoon2FA)

This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, which bypasses MFA by relaying authentication and capturing session material. It identifies UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents.

Microsoft 365 +2 cloud identity saas microsoft365 aitm tycoon2fa phishing
2r 2t
medium advisory

Microsoft Graph Multi-Category Reconnaissance Burst

The rule detects Microsoft Graph activity from delegated user tokens where a single user session and source IP rapidly touches multiple high-value Graph paths indicative of reconnaissance, suggesting a broad enumeration playbook.

Microsoft Graph cloud identity api azure microsoft-entra-id microsoft-graph threat-detection discovery
2r 2t
medium advisory

Microsoft 365 Identity Login from Impossible Travel Location

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short time frame, potentially indicating account compromise or unauthorized access.

Microsoft 365 cloud identity azure active directory initial access
2r 1t
medium advisory

M365 Identity Login from Atypical Region

Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from within a specific time window, by comparing login events against the user's historical location patterns, potentially indicating unauthorized access attempts.

Microsoft 365 cloud identity microsoft365
2r 1t
medium advisory

M365 Identity Login from Impossible Travel Location

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short timeframe, potentially indicating account compromise or unauthorized access.

Microsoft 365 cloud identity initial access
2r 1t
high advisory

Okta Admin Console Unusual Behavior Detection

This brief details detection of anomalous activity within the Okta Admin Console, potentially indicating privilege escalation, persistence, defense evasion, or initial access attempts by malicious actors.

Okta Identity Engine okta identity privilege-escalation persistence defense-evasion initial-access
2r 4t
medium advisory

Okta Policy Rule Modification or Deletion

An Okta policy rule was modified or deleted, potentially weakening security controls.

okta identity policy attack.impact
2r 1t
low advisory

Okta User Account Created

Detection of new user account creation in Okta, which could indicate malicious activity related to credential access.

Okta identity user-creation credential-access
2r 1t
medium advisory

Okta Security Threat Detected

This alert detects when Okta's ThreatInsight identifies a security threat within an Okta environment, potentially indicating command and control activity.

Okta identity threat-detection attack.command-and-control
2r 1t
medium advisory

Okta Admin Role Assignment Creation

Detection of new admin role assignments in Okta, potentially indicating privilege escalation or persistence attempts by malicious actors.

Okta identity privilege-escalation persistence
2r 1t
medium advisory

Okta End-User Reports Suspicious Account Activity

An Okta end-user reports potentially suspicious activity on their account, indicating possible compromise or unauthorized access.

Okta identity suspicious-activity
2r 1t
high advisory

Okta Alerts Following Unusual Proxy Authentication

Attackers use proxy infrastructure to mask their origin when using stolen Okta credentials, and this rule correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user.

Okta identity cloud initial-access
2r 1t
high advisory

AWS Identity Center Identity Provider Modification

An adversary modifies the AWS Identity Center identity provider configuration, potentially leading to persistent access and privilege escalation through user impersonation.

AWS Identity Center cloud aws identity persistence credential-access defense-evasion
2r 1t
low advisory

Okta Policy Modification or Deletion Detected

An Okta policy was modified or deleted, potentially indicating unauthorized changes to security configurations within the Okta identity management platform by a malicious actor or insider.

Okta Identity Cloud identity okta policy attack.impact
2r 1t
medium advisory

Okta Application Sign-On Policy Modified or Deleted

Attackers may modify or delete Okta application sign-on policies to weaken security controls, potentially leading to unauthorized access and data breaches.

Okta identity policy-tampering
2r 1t
medium advisory

Okta API Token Revoked

Detection of Okta API token revocation events, indicating potential unauthorized access or compromise.

Okta api token revocation identity
2r 1t
high advisory

Okta User Session Start via Anonymizing Proxy Service

Detection of Okta user sessions initiated through anonymizing proxy services, potentially indicating malicious activity or attempts to evade security controls.

Okta identity proxy defense-evasion
2r 1t
medium advisory

Okta User Account Lockout Detection

Detection of an Okta user account lockout, which may indicate brute-force attempts or other malicious activity targeting user accounts.

Okta identity account-lockout
2r 1t