{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/microsoft-entra-id/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Graph"],"_cs_severities":["medium"],"_cs_tags":["cloud","identity","api","azure","microsoft-entra-id","microsoft-graph","threat-detection","discovery"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious reconnaissance activity within Microsoft Graph Activity Logs. It focuses on delegated user tokens (client_auth_method 0) where a single user session and source IP rapidly access multiple high-value Graph paths. The rule categorizes these requests into distinct areas such as role discovery, cross-tenant relationship queries, mailbox paths, contact harvesting, and organization/licensing metadata. A short burst of activity touching three or more distinct categories suggests a broader enumeration playbook, potentially indicating malicious reconnaissance efforts. The rule leverages Microsoft Graph Activity Logs ingested into \u003ccode\u003elogs-azure.graphactivitylogs-*\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to a user account or leverages a compromised application with delegated permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker or compromised application initiates a series of Microsoft Graph API requests using a delegated user token (client_auth_method 0).\u003c/li\u003e\n\u003cli\u003eThe requests target high-value Graph endpoints related to role management, cross-tenant relationships, mailbox settings, contacts, and organization metadata.\u003c/li\u003e\n\u003cli\u003eThe requests are classified into categories such as role_discovery, cross_tenant_recon, mailbox_recon, contact_harvesting, and org_and_licensing_recon based on the accessed URL paths.\u003c/li\u003e\n\u003cli\u003eThe system aggregates the API requests based on user principal object ID, source IP, session ID (c_sid), and tenant ID.\u003c/li\u003e\n\u003cli\u003eThe rule identifies instances where at least four distinct recon categories are accessed within a short time frame (60 seconds), exceeding a threshold of 20 total high-value calls.\u003c/li\u003e\n\u003cli\u003eThe system flags this behavior as a potential reconnaissance burst, indicating a broad enumeration attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker gains insights into the organization\u0026rsquo;s structure, roles, user information, and other sensitive data, facilitating further malicious activities such as privilege escalation or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance can provide attackers with valuable information about an organization\u0026rsquo;s cloud environment, including user roles, relationships with other tenants, mailbox configurations, contact lists, and licensing details. This information can be used to facilitate privilege escalation, data theft, or other malicious activities. The scope of the impact depends on the level of access granted to the compromised user or application and the sensitivity of the data exposed through the Graph API.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Microsoft Graph Multi-Category Reconnaissance Burst\u003c/code\u003e to your SIEM and tune the threshold (\u003ccode\u003eEsql.distinct_categories \u0026gt;= 4 and Esql.total_high_value_calls \u0026gt;= 20\u003c/code\u003e) and path lists for your tenant, to reduce false positives.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eEsql.categories\u003c/code\u003e and \u003ccode\u003eEsql.sample_paths\u003c/code\u003e fields in the alert to understand which Graph endpoints were accessed and whether they align with the expected application behavior.\u003c/li\u003e\n\u003cli\u003eValidate \u003ccode\u003eazure.graphactivitylogs.properties.app_id\u003c/code\u003e and \u003ccode\u003euser_agent.original\u003c/code\u003e against approved applications.\u003c/li\u003e\n\u003cli\u003eCorrelate with Entra ID sign-in logs for the same user and session to investigate MFA, conditional access, and token issuance context.\u003c/li\u003e\n\u003cli\u003eCheck whether \u003ccode\u003efailed_calls\u003c/code\u003e indicates probing or permission errors, which could indicate a more targeted attack.\u003c/li\u003e\n\u003cli\u003eRevoke refresh tokens for the user, disable or restrict the application consent, and reset credentials per policy if malicious activity is confirmed (see rule \u003ccode\u003eMicrosoft Graph Multi-Category Reconnaissance Burst\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAdd conditional access or block rules for high-risk Graph patterns to prevent future reconnaissance attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T09:02:10Z","date_published":"2026-05-18T09:02:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-microsoft-graph-recon/","summary":"The rule detects Microsoft Graph activity from delegated user tokens where a single user session and source IP rapidly touches multiple high-value Graph paths indicative of reconnaissance, suggesting a broad enumeration playbook.","title":"Microsoft Graph Multi-Category Reconnaissance Burst","url":"https://feed.craftedsignal.io/briefs/2026-05-microsoft-graph-recon/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft-Entra-Id","version":"https://jsonfeed.org/version/1.1"}