{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sign-in_logs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["high"],"_cs_tags":["cloud","identity","azure","entra_id","sign-in_logs","threat_detection","initial_access","persistence","oauth"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service (DRS) from autonomous system numbers (ASNs) associated with VPNs, residential proxies, or hosting egress. This activity is often observed in OAuth phishing and adversary-in-the-middle (AitM) device registration attacks. Successful exploitation leads to unauthorized device joins or primary refresh token (PRT) acquisition, enabling persistent access to the victim\u0026rsquo;s Entra ID resources.\nThe detection logic focuses on identifying broker-to-DRS sign-ins originating from suspicious ASNs, a technique used by threat actors to stage device registration from attacker-controlled infrastructure after a user has completed the initial authentication flow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email containing a malicious link or attachment.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and is redirected to a fake login page impersonating Microsoft Entra ID.\u003c/li\u003e\n\u003cli\u003eThe victim enters their credentials on the fake login page, which are then stolen by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to initiate a Microsoft Authentication Broker request to the Device Registration Service (DRS) from a VPN, proxy, or hosting ASN (e.g. 399629, 14061, 136787).\u003c/li\u003e\n\u003cli\u003eThe Microsoft Authentication Broker attempts to register a device with the Entra ID tenant.\u003c/li\u003e\n\u003cli\u003eThe Device Registration Service processes the request, potentially granting the attacker control over the registered device.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a Primary Refresh Token (PRT) for the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the PRT to maintain persistent access to the victim\u0026rsquo;s Entra ID resources, bypassing multi-factor authentication.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Entra ID accounts can lead to significant data breaches, unauthorized access to sensitive information, and disruption of business operations. Attackers can use stolen credentials and PRTs to gain persistent access to cloud resources, impersonate legitimate users, and move laterally within the organization\u0026rsquo;s network.\nSuccessful device registration enables attackers to bypass security controls and maintain long-term access, making detection and remediation challenging. The use of VPNs and proxies obfuscates the attacker\u0026rsquo;s true location, hindering investigations and attribution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN\u003c/code\u003e to your SIEM and tune for your environment to detect malicious sign-in activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any sign-ins matching the rule criteria by reviewing \u003ccode\u003eazure.signinlogs.properties.user_principal_name\u003c/code\u003e, \u003ccode\u003eazure.signinlogs.properties.app_display_name\u003c/code\u003e, and \u003ccode\u003esource.as.organization.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCompare ASN organizations against approved VPN, MDM, and automation egress in your environment as noted in the rule\u0026rsquo;s \u003ccode\u003efalse_positives\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview Entra ID audit logs for device registration activity around the same timestamp and correlate \u003ccode\u003eazure.signinlogs.properties.session_id\u003c/code\u003e with other sign-ins for the same user as described in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eConsider implementing Conditional Access policies for the Microsoft Authentication Broker and device registration requirements as described in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T10:36:02Z","date_published":"2026-05-29T10:36:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-entra-id-auth-broker-drs-suspicious-asn/","summary":"Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a suspicious ASN, indicating potential OAuth phishing or adversary-in-the-middle device registration.","title":"Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN","url":"https://feed.craftedsignal.io/briefs/2026-05-entra-id-auth-broker-drs-suspicious-asn/"}],"language":"en","title":"CraftedSignal Threat Feed — Sign-In_logs","version":"https://jsonfeed.org/version/1.1"}