Tag
Entra ID OAuth Application Redirect URI Modified
2 rules 2 TTPsAdversaries are modifying OAuth application redirect URIs (ReplyUrls) in Microsoft Entra ID to intercept OAuth authorization codes and steal tokens, granting unauthorized access without new application registration or user consent.
Microsoft Entra ID Guest Account Promoted to Member
1 rule 1 TTPA sophisticated threat actor, having compromised an existing guest account in Microsoft Entra ID, can establish persistent access and elevate privileges by performing a Guest-to-Member account conversion, which grants full directory read access and bypasses Conditional Access restrictions, enabling stealthy long-term access and reconnaissance.
Microsoft Graph Multi-Category Reconnaissance Burst
2 rules 2 TTPsThe rule detects Microsoft Graph activity from delegated user tokens where a single user session and source IP rapidly touches multiple high-value Graph paths indicative of reconnaissance, suggesting a broad enumeration playbook.