{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sign_in_logs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID"],"_cs_severities":["medium"],"_cs_tags":["cloud","identity","azure","entra_id","microsoft_entra_id","sign_in_logs","threat_detection","initial_access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly abusing the Microsoft Authentication Broker (MAB) in phishing and token broker flows to gain unauthorized access to Entra ID resources. This involves manipulating the broker to request tokens for APIs or enterprise applications that are not part of the expected first-party targets. This technique allows attackers to bypass traditional authentication controls and gain access to sensitive data or services. This activity is notable because legitimate use of MAB should typically target a limited set of Microsoft services like Azure Active Directory, Microsoft Graph, Device Registration Service, and Microsoft Intune Enrollment. This detection rule focuses on identifying sign-in attempts where MAB is used to access resources outside of this expected scope.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a user\u0026rsquo;s credentials or session.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a sign-in request using the Microsoft Authentication Broker (MAB). The MAB client application ID is 29d9ed98-a469-4536-ade2-f981bc1d605e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the request to target a resource identifier outside the typical first-party Microsoft services (e.g., an unusual API or enterprise application).\u003c/li\u003e\n\u003cli\u003eThe MAB validates the user\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eIf successful, the MAB issues an access token for the requested resource.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired access token to access the targeted resource, potentially gaining unauthorized access to data or services.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration or privilege escalation, within the compromised resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, compromised user accounts, and potential data breaches. Attackers can use the access tokens obtained through this method to perform a wide range of malicious activities, including data exfiltration, lateral movement, and privilege escalation within the Entra ID environment. The scope of the impact depends on the permissions and access levels associated with the compromised user account and the targeted resource.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Microsoft Entra ID sign-in logs (\u003ccode\u003elogs-azure.signinlogs-*\u003c/code\u003e) and ensure they include \u003ccode\u003eazure.signinlogs.properties.app_id\u003c/code\u003e and \u003ccode\u003eazure.signinlogs.properties.resource_id\u003c/code\u003e as mentioned in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource\u0026rdquo; to your SIEM to detect suspicious sign-in attempts. Tune the exclusion list for first-party resource identifiers your tenant expects from the Microsoft Authentication Broker (MAB).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on \u003ccode\u003eazure.signinlogs.properties.user_principal_name\u003c/code\u003e, \u003ccode\u003eazure.signinlogs.properties.resource_id\u003c/code\u003e, \u003ccode\u003eazure.signinlogs.properties.resource_display_name\u003c/code\u003e, \u003ccode\u003eazure.signinlogs.properties.session_id\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003euser_agent.original\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview conditional access policies and risk detections for users exhibiting this behavior as described in the Triage section of this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T10:04:24Z","date_published":"2026-05-18T10:04:24Z","id":"https://feed.craftedsignal.io/briefs/2026-05-entra-id-auth-broker-unusual-resource/","summary":"Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets, potentially indicating abuse to obtain tokens for unexpected APIs or enterprise applications.","title":"Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource","url":"https://feed.craftedsignal.io/briefs/2026-05-entra-id-auth-broker-unusual-resource/"}],"language":"en","title":"CraftedSignal Threat Feed — Sign_in_logs","version":"https://jsonfeed.org/version/1.1"}