<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Token_replay - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/token_replay/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/token_replay/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID OAuth User Impersonation to Microsoft Graph</title><link>https://feed.craftedsignal.io/briefs/2024-01-entra-oauth-impersonation/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-entra-oauth-impersonation/</guid><description>Detects potential session hijacking or token replay in Microsoft Entra ID, where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID, indicating a successful OAuth phishing attack, session hijacking, or token replay attack.</description><content:encoded><![CDATA[<p>This detection identifies potential session hijacking or token replay attacks targeting Microsoft Entra ID and Microsoft Graph. The rule focuses on scenarios where a user authenticates to Entra ID, and shortly after, Microsoft Graph is accessed using the same session ID but originating from a different IP address. This behavior can signify a successful OAuth phishing attack, session hijacking, or token replay attack where an attacker steals session cookies or refresh/access tokens to impersonate a legitimate user. The targeted resources are typically Microsoft 365 applications and data accessed via the Graph API. The rule leverages Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs to correlate sign-in events with Graph API access, excluding known benign application IDs to reduce false positives. It is based on research and observed techniques detailed in threat intelligence reports regarding OAuth phishing campaigns.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a phishing email to a target user, enticing them to click a malicious link.</li>
<li>The user is redirected to a fake OAuth consent page, controlled by the attacker, prompting them to grant permissions to a malicious application.</li>
<li>The user unknowingly provides consent, granting the attacker access to their Entra ID resources.</li>
<li>The attacker exchanges the authorization code for an access or refresh token.</li>
<li>The attacker uses the stolen access token to make API calls to Microsoft Graph from a different IP address than the original sign-in.</li>
<li>The attacker accesses sensitive data, such as emails, files, or contacts, via the Microsoft Graph API.</li>
<li>The attacker may use ROADtools to enumerate permissions and access further resources.</li>
<li>The attacker maintains persistence by using the refresh token to obtain new access tokens, even after the initial session expires.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data within Microsoft 365, including emails, files, contacts, and other resources accessible via the Microsoft Graph API. Attackers can use this access to perform data exfiltration, business email compromise (BEC), or further lateral movement within the organization. While the rule is designed to minimize false positives, legitimate scenarios like device switching and network roaming may trigger alerts, requiring careful investigation. If malicious activity is confirmed, affected user accounts must be immediately investigated and remediated to prevent further damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and configure the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to collect audit and activity logs via Azure Event Hub, as outlined in the rule setup instructions.</li>
<li>Deploy the provided Sigma rule <code>Entra ID OAuth User Impersonation to Microsoft Graph</code> to your SIEM and tune it for your environment, paying close attention to false positives related to device switching and network roaming.</li>
<li>Review and enforce conditional access policies, including multi-factor authentication and location-based access controls, to mitigate OAuth phishing attacks as mentioned in the triage section.</li>
<li>Revoke all refresh/access tokens for any user accounts flagged by this rule and reset their credentials, if malicious activity is confirmed.</li>
<li>Monitor network connections for the IPs detected by the Sigma rule and block them on the perimeter.</li>
<li>Review session control policies and conditional access enforcement as described in the investigation steps to prevent future token replay attacks.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>entra_id</category><category>oauth</category><category>graph_api</category><category>token_replay</category><category>session_hijacking</category><category>initial_access</category><category>defense_evasion</category></item></channel></rss>