{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/token_replay/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft Graph","Microsoft 365"],"_cs_severities":["medium"],"_cs_tags":["azure","entra_id","oauth","graph_api","token_replay","session_hijacking","initial_access","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential session hijacking or token replay attacks targeting Microsoft Entra ID and Microsoft Graph. The rule focuses on scenarios where a user authenticates to Entra ID, and shortly after, Microsoft Graph is accessed using the same session ID but originating from a different IP address. This behavior can signify a successful OAuth phishing attack, session hijacking, or token replay attack where an attacker steals session cookies or refresh/access tokens to impersonate a legitimate user. The targeted resources are typically Microsoft 365 applications and data accessed via the Graph API. The rule leverages Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs to correlate sign-in events with Graph API access, excluding known benign application IDs to reduce false positives. It is based on research and observed techniques detailed in threat intelligence reports regarding OAuth phishing campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to a target user, enticing them to click a malicious link.\u003c/li\u003e\n\u003cli\u003eThe user is redirected to a fake OAuth consent page, controlled by the attacker, prompting them to grant permissions to a malicious application.\u003c/li\u003e\n\u003cli\u003eThe user unknowingly provides consent, granting the attacker access to their Entra ID resources.\u003c/li\u003e\n\u003cli\u003eThe attacker exchanges the authorization code for an access or refresh token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen access token to make API calls to Microsoft Graph from a different IP address than the original sign-in.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses sensitive data, such as emails, files, or contacts, via the Microsoft Graph API.\u003c/li\u003e\n\u003cli\u003eThe attacker may use ROADtools to enumerate permissions and access further resources.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the refresh token to obtain new access tokens, even after the initial session expires.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data within Microsoft 365, including emails, files, contacts, and other resources accessible via the Microsoft Graph API. Attackers can use this access to perform data exfiltration, business email compromise (BEC), or further lateral movement within the organization. While the rule is designed to minimize false positives, legitimate scenarios like device switching and network roaming may trigger alerts, requiring careful investigation. If malicious activity is confirmed, affected user accounts must be immediately investigated and remediated to prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and configure the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to collect audit and activity logs via Azure Event Hub, as outlined in the rule setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eEntra ID OAuth User Impersonation to Microsoft Graph\u003c/code\u003e to your SIEM and tune it for your environment, paying close attention to false positives related to device switching and network roaming.\u003c/li\u003e\n\u003cli\u003eReview and enforce conditional access policies, including multi-factor authentication and location-based access controls, to mitigate OAuth phishing attacks as mentioned in the triage section.\u003c/li\u003e\n\u003cli\u003eRevoke all refresh/access tokens for any user accounts flagged by this rule and reset their credentials, if malicious activity is confirmed.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for the IPs detected by the Sigma rule and block them on the perimeter.\u003c/li\u003e\n\u003cli\u003eReview session control policies and conditional access enforcement as described in the investigation steps to prevent future token replay attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-entra-oauth-impersonation/","summary":"Detects potential session hijacking or token replay in Microsoft Entra ID, where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID, indicating a successful OAuth phishing attack, session hijacking, or token replay attack.","title":"Entra ID OAuth User Impersonation to Microsoft Graph","url":"https://feed.craftedsignal.io/briefs/2024-01-entra-oauth-impersonation/"}],"language":"en","title":"CraftedSignal Threat Feed - Token_replay","version":"https://jsonfeed.org/version/1.1"}