Microsoft Entra ID Session Token Theft and Replay

// THREAT: Entra ID Session Token Theft & Replay (AiTM)
// Detects session token replay indicators: impossible travel, sign-in after
// MFA followed by no-MFA sign-in, new IP using existing session

// Alert 1: Impossible travel — same user, successful sign-in from two
// geographically distant IPs within a short time window
let MaxTravelTimeMinutes = 60;
let ImpossibleTravel = AADSignInLogs
| where TimeGenerated > ago(24h)
| where Status.errorCode == 0
| where IPAddress != "" and Location != ""
| summarize
    SignInTimes=make_list(TimeGenerated),
    IPs=make_list(IPAddress),
    Locations=make_list(Location),
    MFAResults=make_list(tostring(AuthenticationDetails))
  by UserPrincipalName
| mv-expand TimeGenerated=SignInTimes, IP=IPs, Location=Locations to typeof(string)
| order by UserPrincipalName, TimeGenerated asc
| extend PrevTime=prev(TimeGenerated), PrevIP=prev(IP), PrevLoc=prev(Location)
| where UserPrincipalName == prev(UserPrincipalName)
| extend TimeDiff = datetime_diff('minute', todatetime(TimeGenerated), todatetime(PrevTime))
| where TimeDiff between (1 .. MaxTravelTimeMinutes)
    and Location != PrevLoc
    and IP != PrevIP
| project TimeGenerated, UserPrincipalName, IP, Location, PrevIP, PrevLoc, TimeDiff
| extend ThreatType = "ImpossibleTravel_TokenReplay";
// Alert 2: Successful sign-in from IP not associated with the user's last 30 days
// with no MFA performed (token replay bypasses MFA)
let UserIPBaseline = AADSignInLogs
| where TimeGenerated between (ago(30d) .. ago(1d))
| where Status.errorCode == 0
| summarize KnownIPs=make_set(IPAddress) by UserPrincipalName;
AADSignInLogs
| where TimeGenerated > ago(24h)
| where Status.errorCode == 0
| where AuthenticationRequirement =~ "singleFactorAuthentication"
    or (AuthenticationDetails !has "MFA" and AuthenticationDetails !has "Passwordless")
| join kind=leftouter UserIPBaseline on UserPrincipalName
| where not(IPAddress in~ (KnownIPs))
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AppDisplayName, AuthenticationRequirement, AuthenticationDetails,
    RiskLevelDuringSignIn, ConditionalAccessStatus
| extend ThreatType = "NoMFA_NewIP_PossibleTokenReplay"

index=azure sourcetype="azure:aad:signin"
properties.status.error_code=0
| eval ip=properties.ip_address
| eval location=properties.location
| eval user=properties.user_principal_name
| eval mfa_used=if(match(properties.authentication_details, "(?i)(MFA|Passwordless|FIDO)"), "true", "false")
| sort user, _time
| streamstats current=false last(ip) AS prev_ip, last(location) AS prev_location,
    last(_time) AS prev_time, last(mfa_used) AS prev_mfa BY user
| eval time_diff_minutes=(_time - prev_time) / 60
| eval impossible_travel=if(
    isnotnull(prev_ip) AND ip != prev_ip AND location != prev_location AND
    time_diff_minutes > 0 AND time_diff_minutes < 60,
    "true", "false"
  )
| eval token_replay=if(
    mfa_used="false" AND prev_mfa="true" AND isnotnull(prev_ip) AND ip != prev_ip,
    "POSSIBLE_TOKEN_REPLAY", "NORMAL"
  )
| where impossible_travel="true" OR token_replay="POSSIBLE_TOKEN_REPLAY"
| table _time, user, ip, location, prev_ip, prev_location,
    time_diff_minutes, impossible_travel, token_replay, mfa_used, prev_mfa
| eval ThreatActors="Scattered Spider, Midnight Blizzard, Storm-0539"
| sort - _time

sequence by user.name with maxspan=1h
  [authentication where event.dataset == "azure.signinlogs" and
   event.outcome == "success" and
   azure.signinlogs.properties.authentication_requirement != "multiFactorAuthentication"] as e1
  [authentication where event.dataset == "azure.signinlogs" and
   event.outcome == "success" and
   source.ip != e1.source.ip and
   geo.country_name != e1.geo.country_name]