-
Notifications
You must be signed in to change notification settings - Fork 678
[New Rule] Entra ID / M365 - Unusual ROPC Auth and/or Legacy Clients #6377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
terrancedejesus
wants to merge
1
commit into
main
Choose a base branch
from
new-rule/ropc-legacy-client-authentication
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+266
−2
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
137 changes: 137 additions & 0 deletions
137
rules/integrations/azure/initial_access_entra_id_unusual_legacy_auth_client_signin.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| [metadata] | ||
| creation_date = "2026/07/02" | ||
| integration = ["azure"] | ||
| maturity = "production" | ||
| updated_date = "2026/07/02" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Detects a successful sign-in by a Member user principal through a legacy authentication client (such as Authenticated | ||
| SMTP, IMAP4, POP3, Exchange ActiveSync, Exchange Web Services, or other basic-authentication clients) in Microsoft Entra | ||
| ID, where the user principal has not been seen using a legacy client in the last 7 days. Legacy authentication clients | ||
| rely on basic authentication, do not support modern authentication or interactive multi-factor authentication, and are | ||
| frequently abused by adversaries for password spraying and account takeover because they translate into single-factor | ||
| Resource Owner Password Credentials (ROPC) grants. This is a New Terms rule that surfaces the first occurrence of legacy | ||
| client authentication for a given user, which is unusual in most modern environments. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-azure.signinlogs-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Entra ID User Sign-In via Unusual Legacy Authentication Client" | ||
| note = """## Triage and analysis | ||
| ### Investigating Entra ID User Sign-In via Unusual Legacy Authentication Client | ||
| Legacy authentication clients use basic authentication and do not support modern authentication or interactive multi-factor authentication. Microsoft Entra ID classifies these clients under `client_app_used` values such as Authenticated SMTP, IMAP4, POP3, Exchange ActiveSync, Exchange Web Services, MAPI Over HTTP, Outlook Anywhere, and Other clients (as opposed to the modern values Browser and Mobile Apps and Desktop clients). Adversaries prefer these clients because they translate into single-factor ROPC grants that bypass interactive MFA, making them effective for password spraying and account takeover. | ||
| This rule is a New Terms detection that fires when a Member user principal is first seen authenticating with a legacy client in the last 7 days. In environments that have largely moved to modern authentication, a new legacy-client sign-in for a user is unusual and warrants review. It is a broader companion to the targeted ROPC detections and catches legacy protocols beyond Authenticated SMTP. | ||
| ### Possible investigation steps | ||
| - Review `azure.signinlogs.properties.client_app_used` to identify which legacy protocol was used and whether the user is expected to use it. | ||
| - Review `azure.signinlogs.properties.user_principal_name` to determine whether the account is a human user, a service account, or a shared mailbox, and whether legacy authentication is part of its normal behavior. | ||
| - Review `azure.signinlogs.properties.client_ip` / `source.ip`, geolocation, and ASN to determine whether the source is expected. Correlate with known-malicious infrastructure. | ||
| - Inspect `user_agent.original`. Values such as `BAV2ROPC`, `python-requests`, `curl`, or other scripting-tool agents are highly suspicious. | ||
| - Check `azure.signinlogs.properties.applied_conditional_access_policies` to determine whether legacy-authentication blocking was expected to apply and why it did not. | ||
| - Look for a preceding burst of failed authentications (password spraying) from the same source or against the same account, and for post-authentication actions such as mailbox rule creation, mail forwarding, or OAuth consent. | ||
| ### False positive analysis | ||
| - Legitimate legacy applications, service accounts, multifunction printers, scan-to-email appliances, and monitoring tools may still use legacy authentication clients such as Authenticated SMTP. These are typically stable in source IP and account and can be excluded once verified. | ||
| - Migrations, onboarding of older mail clients, or line-of-business applications that have not yet moved to modern authentication can generate first-occurrence sign-ins. Validate the business context and exclude confirmed benign accounts. | ||
| ### Response and remediation | ||
| - If the sign-in is confirmed malicious, disable the account, revoke active sessions and refresh tokens, and reset the password. | ||
| - Disable the specific legacy protocol for the affected mailbox (for example `Set-CASMailbox -SmtpClientAuthenticationDisabled $true`) and, where feasible, block legacy authentication tenant-wide with Conditional Access. | ||
| - Enforce MFA for the affected user and investigate the source IP and any preceding failed-authentication activity to scope a potential password-spray campaign. | ||
| - Review the account's activity after the sign-in (mailbox rules, forwarding, delegate changes, OAuth grants) and remediate any unauthorized changes. | ||
| """ | ||
| references = [ | ||
| "https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication", | ||
| "https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc", | ||
| "https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign", | ||
| "https://redcanary.com/blog/threat-detection/bav2ropc/", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "0b7dbb27-29f8-4219-bcf1-7b82c6dd0bdc" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Domain: Identity", | ||
| "Data Source: Azure", | ||
| "Data Source: Microsoft Entra ID", | ||
| "Data Source: Microsoft Entra ID Sign-In Logs", | ||
| "Use Case: Identity and Access Audit", | ||
| "Tactic: Initial Access", | ||
| "Tactic: Defense Evasion", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "new_terms" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset: "azure.signinlogs" and | ||
| event.action: "Sign-in activity" and | ||
| event.outcome: "success" and | ||
| azure.signinlogs.properties.user_type: "Member" and | ||
| azure.signinlogs.properties.client_app_used: ( | ||
| "Authenticated SMTP" or | ||
| "Autodiscover" or | ||
| "Exchange ActiveSync" or | ||
| "Exchange Online PowerShell" or | ||
| "Exchange Web Services" or | ||
| "IMAP4" or | ||
| "MAPI Over HTTP" or | ||
| "Offline Address Book" or | ||
| "Outlook Anywhere" or | ||
| "Outlook Service" or | ||
| "POP3" or | ||
| "Reporting Web Services" or | ||
| "Other clients" | ||
| ) | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1078" | ||
| name = "Valid Accounts" | ||
| reference = "https://attack.mitre.org/techniques/T1078/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1078.004" | ||
| name = "Cloud Accounts" | ||
| reference = "https://attack.mitre.org/techniques/T1078/004/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1078" | ||
| name = "Valid Accounts" | ||
| reference = "https://attack.mitre.org/techniques/T1078/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1078.004" | ||
| name = "Cloud Accounts" | ||
| reference = "https://attack.mitre.org/techniques/T1078/004/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" | ||
|
|
||
| [rule.new_terms] | ||
| field = "new_terms_fields" | ||
| value = ["azure.signinlogs.properties.user_principal_name"] | ||
| [[rule.new_terms.history_window_start]] | ||
| field = "history_window_start" | ||
| value = "now-7d" | ||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
122 changes: 122 additions & 0 deletions
122
...integrations/o365/initial_access_identity_ropc_grant_via_legacy_authenticated_client.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,122 @@ | ||||||
| [metadata] | ||||||
| creation_date = "2026/07/02" | ||||||
| integration = ["o365"] | ||||||
| maturity = "production" | ||||||
| updated_date = "2026/07/02" | ||||||
|
|
||||||
| [rule] | ||||||
| author = ["Elastic"] | ||||||
| description = """ | ||||||
| Identifies a successful login by a user principal through a legacy authenticated client (such as Authenticated SMTP, | ||||||
| IMAP, POP, or Exchange ActiveSync) in the Microsoft 365 Unified Audit Log, evidenced by the "BAV2ROPC" user agent. | ||||||
| Legacy basic-authentication clients are translated by Entra ID into a Resource Owner Password Credentials (ROPC) grant, | ||||||
| a single-factor flow that submits the user's password directly and bypasses interactive multi-factor authentication. | ||||||
| This is commonly abused during password spraying and account takeover. | ||||||
| """ | ||||||
| from = "now-9m" | ||||||
| index = ["filebeat-*", "logs-o365.audit-*"] | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
| language = "kuery" | ||||||
| license = "Elastic License v2" | ||||||
| name = "M365 Identity OAuth ROPC Grant via Legacy Authentication Client" | ||||||
| note = """## Triage and analysis | ||||||
| ### Investigating M365 Identity OAuth ROPC Grant via Legacy Authentication Client | ||||||
| The Resource Owner Password Credentials (ROPC) flow allows a client to obtain tokens by submitting a user's credentials directly, without interactive sign-in. Legacy authentication clients (Authenticated SMTP, IMAP, POP, Exchange ActiveSync) that use basic authentication are translated by Entra ID into ROPC grants, which are single-factor and bypass interactive MFA. Microsoft 365 records these logins in the Unified Audit Log as `UserLoggedIn` events with the `BAV2ROPC` user agent. Adversaries abuse this flow for password spraying and account takeover against accounts that lack MFA enforcement or fall outside legacy-authentication blocking. | ||||||
| This rule identifies a successful ROPC/legacy-client login for a user principal not seen performing this activity in the last 10 days. Because the Unified Audit Log is a separate pipeline from the Entra ID sign-in diagnostic stream, this rule provides coverage even when non-interactive sign-in logs are not forwarded to the SIEM. | ||||||
|
|
||||||
| ### Possible investigation steps | ||||||
| - Review `o365.audit.UserId` to identify the account that authenticated and determine whether it is expected to use legacy authentication clients. | ||||||
| - Review `o365.audit.ApplicationId` and `o365.audit.Target.ID` to identify the targeted resource. `00000002-0000-0ff1-ce00-000000000000` is Office 365 Exchange Online, the typical target of Authenticated SMTP. | ||||||
| - Confirm the client via `user_agent.original: "BAV2ROPC"`, which indicates a legacy basic-authentication client translated into a ROPC grant. | ||||||
| - Review `o365.audit.ClientIP` / `source.ip` and geolocation to determine whether the source is expected for this user. Correlate with known-malicious infrastructure or unusual ASNs. | ||||||
| - Pivot on `o365.audit.UserId` in Entra ID Sign-In Logs (`logs-azure.signinlogs-*`) to corroborate the login, and look for a preceding burst of failed authentications (password spraying) from the same source or against the same account. | ||||||
| - Review subsequent activity by the account (mailbox access, rule creation, mail forwarding, OAuth consent) for signs of post-compromise actions on objectives. | ||||||
| ### False positive analysis | ||||||
| - Legitimate legacy applications, service accounts, or scripts that still rely on Authenticated SMTP or other basic-authentication clients may trigger this rule. Validate the account, source, and business purpose, and exclude confirmed benign service accounts. | ||||||
| - Multifunction devices, scan-to-email appliances, and monitoring tools that submit mail via Authenticated SMTP can generate this activity. These are typically stable in source IP and account and can be excluded once verified. | ||||||
| ### Response and remediation | ||||||
| - If the login is confirmed malicious, disable the account, revoke active sessions and refresh tokens, and reset the password. | ||||||
| - Disable SMTP AUTH and other legacy authentication for the affected mailbox (`Set-CASMailbox -SmtpClientAuthenticationDisabled $true`) and, where feasible, tenant-wide. | ||||||
| - Enforce a Conditional Access policy that requires MFA and blocks legacy authentication for the affected user and, ideally, all users. | ||||||
| - Investigate the source IP and any preceding failed-authentication activity to scope a potential password-spray campaign. | ||||||
| - Review the account's activity after the login (mailbox rules, forwarding, delegate changes, OAuth grants) and remediate any unauthorized changes. | ||||||
| """ | ||||||
| references = [ | ||||||
| "https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign", | ||||||
| "https://redcanary.com/blog/threat-detection/bav2ropc/", | ||||||
| "https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc", | ||||||
| "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema", | ||||||
| "https://www.huntress.com/blog/lshiy-password-spray-attack", | ||||||
| ] | ||||||
| risk_score = 47 | ||||||
| rule_id = "3d753eb2-68c4-404a-9279-91a3ad490765" | ||||||
| severity = "medium" | ||||||
| tags = [ | ||||||
| "Domain: Cloud", | ||||||
| "Domain: Identity", | ||||||
| "Data Source: Microsoft 365", | ||||||
| "Data Source: Microsoft 365 Audit Logs", | ||||||
| "Use Case: Identity and Access Audit", | ||||||
| "Tactic: Initial Access", | ||||||
| "Tactic: Defense Evasion", | ||||||
| "Resources: Investigation Guide", | ||||||
| ] | ||||||
| timestamp_override = "event.ingested" | ||||||
| type = "new_terms" | ||||||
|
|
||||||
| query = ''' | ||||||
| data_stream.dataset: "o365.audit" and | ||||||
| event.code: "AzureActiveDirectoryStsLogon" and | ||||||
| event.action: "UserLoggedIn" and | ||||||
| user_agent.original: "BAV2ROPC" and | ||||||
| event.outcome: "success" | ||||||
| ''' | ||||||
|
|
||||||
|
|
||||||
| [[rule.threat]] | ||||||
| framework = "MITRE ATT&CK" | ||||||
| [[rule.threat.technique]] | ||||||
| id = "T1078" | ||||||
| name = "Valid Accounts" | ||||||
| reference = "https://attack.mitre.org/techniques/T1078/" | ||||||
| [[rule.threat.technique.subtechnique]] | ||||||
| id = "T1078.004" | ||||||
| name = "Cloud Accounts" | ||||||
| reference = "https://attack.mitre.org/techniques/T1078/004/" | ||||||
|
|
||||||
|
|
||||||
|
|
||||||
| [rule.threat.tactic] | ||||||
| id = "TA0001" | ||||||
| name = "Initial Access" | ||||||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||||||
| [[rule.threat]] | ||||||
| framework = "MITRE ATT&CK" | ||||||
| [[rule.threat.technique]] | ||||||
| id = "T1078" | ||||||
| name = "Valid Accounts" | ||||||
| reference = "https://attack.mitre.org/techniques/T1078/" | ||||||
| [[rule.threat.technique.subtechnique]] | ||||||
| id = "T1078.004" | ||||||
| name = "Cloud Accounts" | ||||||
| reference = "https://attack.mitre.org/techniques/T1078/004/" | ||||||
|
|
||||||
|
|
||||||
|
|
||||||
| [rule.threat.tactic] | ||||||
| id = "TA0005" | ||||||
| name = "Defense Evasion" | ||||||
| reference = "https://attack.mitre.org/tactics/TA0005/" | ||||||
|
|
||||||
| [rule.new_terms] | ||||||
| field = "new_terms_fields" | ||||||
| value = ["o365.audit.UserId"] | ||||||
| [[rule.new_terms.history_window_start]] | ||||||
| field = "history_window_start" | ||||||
| value = "now-7d" | ||||||
|
|
||||||
|
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Should we exclude filebeat?