Which SIEM platforms have a THREAT-EntraID-TokenTheft detection rule?

df00tech provides THREAT-EntraID-TokenTheft (Microsoft Entra ID Session Token Theft and Replay) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the THREAT-EntraID-TokenTheft detection?

The THREAT-EntraID-TokenTheft detection is rated critical severity with high confidence.

What are common false positives for THREAT-EntraID-TokenTheft?

Common false positives for THREAT-EntraID-TokenTheft include: Users legitimately travelling who sign in from airports, hotels, or multiple mobile data providers within a short window; Shared accounts used by multiple team members from different locations (should be eliminated as an SMB practice); VPN use that changes apparent location between sign-ins (user connects to VPN on second sign-in but not first).

THREAT-EntraID-TokenTheft

Steal Web Session Cookie — Microsoft Entra ID Session Token Theft and Replay

Q: What data sources are required to detect Microsoft Entra ID Session Token Theft and Replay (THREAT-EntraID-TokenTheft)?

Detecting Microsoft Entra ID Session Token Theft and Replay requires the following data sources: Azure AD Sign-In Logs (AADSignInLogs), Azure AD Identity Protection (AADRiskyUsers, AADUserRiskEvents), Microsoft 365 Defender Advanced Hunting.

Credential Access Defense Evasion Last updated: June 20, 2026

Session token theft (also called token replay or pass-the-cookie) is one of the most prevalent identity attacks targeting Microsoft 365 and Entra ID in 2025-2026. Adversaries use adversary-in-the-middle (AiTM) proxy frameworks (Evilginx2, Modlishka, Muraena, Tycoon 2FA, EvilProxy) to intercept valid session cookies from M365 sign-in flows, then replay those cookies to authenticate as the victim without needing their credentials or MFA code. The attack works because Microsoft's authentication cookies are bound to the browser session but not to the originating IP — replaying the cookie from a different IP is detected by Entra ID's risk engine but is not blocked by default. Scattered Spider and Storm-0539 are documented using this technique at scale against SMBs and mid-market organisations, primarily targeting financial fraud (payment diversion, payroll fraud) and IT admin compromise to then facilitate SIM swapping.

What is THREAT-EntraID-TokenTheft Microsoft Entra ID Session Token Theft and Replay?

Microsoft Entra ID Session Token Theft and Replay (THREAT-EntraID-TokenTheft) is a sub-technique of Steal Web Session Cookie (T1539) in the MITRE ATT&CK framework. It maps to the Credential Access and Defense Evasion tactics — the adversary is trying to steal account names and passwords.

This page provides production-ready detection logic for Microsoft Entra ID Session Token Theft and Replay, covering the data sources and telemetry it touches: Azure AD Sign-In Logs (AADSignInLogs), Azure AD Identity Protection (AADRiskyUsers, AADUserRiskEvents), Microsoft 365 Defender Advanced Hunting. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Credential Access Defense Evasion

Microsoft Sentinel / Defender

kusto

// THREAT: Entra ID Session Token Theft & Replay (AiTM)
// Detects session token replay indicators: impossible travel, sign-in after
// MFA followed by no-MFA sign-in, new IP using existing session

// Alert 1: Impossible travel — same user, successful sign-in from two
// geographically distant IPs within a short time window
let MaxTravelTimeMinutes = 60;
let ImpossibleTravel = AADSignInLogs
| where TimeGenerated > ago(24h)
| where Status.errorCode == 0
| where IPAddress != "" and Location != ""
| summarize
    SignInTimes=make_list(TimeGenerated),
    IPs=make_list(IPAddress),
    Locations=make_list(Location),
    MFAResults=make_list(tostring(AuthenticationDetails))
  by UserPrincipalName
| mv-expand TimeGenerated=SignInTimes, IP=IPs, Location=Locations to typeof(string)
| order by UserPrincipalName, TimeGenerated asc
| extend PrevTime=prev(TimeGenerated), PrevIP=prev(IP), PrevLoc=prev(Location)
| where UserPrincipalName == prev(UserPrincipalName)
| extend TimeDiff = datetime_diff('minute', todatetime(TimeGenerated), todatetime(PrevTime))
| where TimeDiff between (1 .. MaxTravelTimeMinutes)
    and Location != PrevLoc
    and IP != PrevIP
| project TimeGenerated, UserPrincipalName, IP, Location, PrevIP, PrevLoc, TimeDiff
| extend ThreatType = "ImpossibleTravel_TokenReplay";
// Alert 2: Successful sign-in from IP not associated with the user's last 30 days
// with no MFA performed (token replay bypasses MFA)
let UserIPBaseline = AADSignInLogs
| where TimeGenerated between (ago(30d) .. ago(1d))
| where Status.errorCode == 0
| summarize KnownIPs=make_set(IPAddress) by UserPrincipalName;
AADSignInLogs
| where TimeGenerated > ago(24h)
| where Status.errorCode == 0
| where AuthenticationRequirement =~ "singleFactorAuthentication"
    or (AuthenticationDetails !has "MFA" and AuthenticationDetails !has "Passwordless")
| join kind=leftouter UserIPBaseline on UserPrincipalName
| where not(IPAddress in~ (KnownIPs))
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AppDisplayName, AuthenticationRequirement, AuthenticationDetails,
    RiskLevelDuringSignIn, ConditionalAccessStatus
| extend ThreatType = "NoMFA_NewIP_PossibleTokenReplay"

Dual-alert detection for Entra ID token theft: (1) impossible travel — two successful sign-ins from geographically distant locations within a short window, classic AiTM proxy indicator; (2) single-factor authentication from a new IP not seen in the user's 30-day baseline — indicates session token replay bypassing MFA. Both should be correlated with Conditional Access evaluation failures and Entra ID Identity Protection risk events.

critical severity high confidence

Data Sources

Azure AD Sign-In Logs (AADSignInLogs) Azure AD Identity Protection (AADRiskyUsers, AADUserRiskEvents) Microsoft 365 Defender Advanced Hunting

Required Tables

AADSignInLogs AADRiskyUsers

False Positives

Users legitimately travelling who sign in from airports, hotels, or multiple mobile data providers within a short window
Shared accounts used by multiple team members from different locations (should be eliminated as an SMB practice)
VPN use that changes apparent location between sign-ins (user connects to VPN on second sign-in but not first)
Users with MFA remembered on trusted devices who then sign in from a new device without MFA prompt (MFA remembered state is a Conditional Access configuration)

Sumo Logic CSE

sql

_sourceCategory=azure/aad/signin
| json field=_raw "properties.status.errorCode" as error_code
| json field=_raw "properties.userPrincipalName" as user
| json field=_raw "properties.ipAddress" as ip
| json field=_raw "properties.location" as location
| json field=_raw "properties.authenticationDetails" as auth_details
| where error_code = "0"
| where !isNull(user) and user != ""
| where !isNull(ip) and ip != ""
| eval mfa_used = if(matches(auth_details, "(?i)(MFA|Passwordless|FIDO)"), "true", "false")
| sort by user, _messageTime
| backshift field=ip as prev_ip by user
| backshift field=location as prev_location by user
| backshift field=_messageTime as prev_time by user
| backshift field=mfa_used as prev_mfa by user
| where !isNull(prev_ip)
| eval time_diff_minutes = (_messageTime - prev_time) / 60000
| eval impossible_travel = if(ip != prev_ip and location != prev_location and time_diff_minutes > 0 and time_diff_minutes < 60, "true", "false")
| eval token_replay = if(mfa_used = "false" and prev_mfa = "true" and ip != prev_ip, "POSSIBLE_TOKEN_REPLAY", "NORMAL")
| where impossible_travel = "true" or token_replay = "POSSIBLE_TOKEN_REPLAY"
| eval threat_type = if(impossible_travel = "true", "ImpossibleTravel_TokenReplay", "NoMFA_NewIP_TokenReplay")
| fields _messageTime, user, ip, location, prev_ip, prev_location, time_diff_minutes, impossible_travel, token_replay, mfa_used, prev_mfa, threat_type
| sort by -_messageTime

Detects Entra ID session token theft (AiTM) in Sumo Logic by parsing Azure AD sign-in JSON logs, then flagging impossible travel (same user, different geo IPs within 60 min) and MFA-downgrade events (prior MFA session followed by no-MFA sign-in from a new IP). Targets Scattered Spider, Storm-0539, and Midnight Blizzard TTPs.

high severity medium confidence

Data Sources

Microsoft Entra ID Sign-In Logs via Azure Event Hub or Blob Storage to Sumo Logic

Required Tables

_sourceCategory=azure/aad/signin

False Positives

VPN endpoints that rotate exit IPs causing apparent location changes
Users accessing M365 via corporate proxy then switching to mobile data
Conditional Access policies granting MFA exemptions for compliant/hybrid-joined devices
Federated identity providers that satisfy MFA upstream and do not report it in Entra ID auth details
Shared service accounts used from multiple geographic locations by a distributed team

Google Chronicle / SecOps

yaral

rule entra_id_token_theft_replay {
  meta:
    author = "df00tech"
    description = "Detects Entra ID session token theft and replay (AiTM) via impossible travel or MFA downgrade from a new IP"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access, Lateral Movement"
    mitre_attack_technique = "T1539, T1550.004"
    reference = "https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec/"
    threat_actors = "Scattered Spider, Storm-0539, Midnight Blizzard"

  events:
    // First sign-in event (baseline)
    $signin1.metadata.event_type = "USER_LOGIN"
    $signin1.metadata.product_name = "Azure Active Directory"
    $signin1.outcome.result = "SUCCESS"
    $signin1.principal.user.email_addresses[0] = $user
    $signin1.principal.ip = $ip1
    $signin1.principal.location.country_or_region = $loc1

    // Second sign-in event (suspicious)
    $signin2.metadata.event_type = "USER_LOGIN"
    $signin2.metadata.product_name = "Azure Active Directory"
    $signin2.outcome.result = "SUCCESS"
    $signin2.principal.user.email_addresses[0] = $user
    $signin2.principal.ip = $ip2
    $signin2.principal.location.country_or_region = $loc2

    // Temporal ordering and impossible travel conditions
    $signin2.metadata.event_timestamp.seconds > $signin1.metadata.event_timestamp.seconds
    ($signin2.metadata.event_timestamp.seconds - $signin1.metadata.event_timestamp.seconds) < 3600
    ($signin2.metadata.event_timestamp.seconds - $signin1.metadata.event_timestamp.seconds) > 60
    $ip1 != $ip2
    $loc1 != $loc2

  match:
    $user over 1h

  condition:
    $signin1 and $signin2
}

YARA-L 2.0 rule for Google Chronicle (SIEM) that detects Entra ID session token theft and replay. Correlates two successful Azure AD login events for the same user within a 1-hour window where the source IPs and geographic locations differ — a key indicator of AiTM cookie replay used by Scattered Spider and Storm-0539.

high severity medium confidence

Data Sources

Microsoft Entra ID Sign-In Logs ingested into Google Chronicle via the Entra ID Chronicle ingestion parser

Required Tables

USER_LOGIN UDM events from Azure Active Directory log source

False Positives

Users on split-tunnel VPNs where IP changes between authenticated requests appear as new geographic locations
Corporate mobility scenarios where employees roam between office Wi-Fi and cellular networks
Automated service accounts or CI/CD pipelines authenticating from multiple cloud regions
Cloud proxy or CASB solutions that rotate egress IPs transparently
Users in border regions whose IP geolocation alternates between two country codes

CrowdStrike LogScale (CQL)

cql

// Entra ID Session Token Theft & Replay — CrowdStrike Falcon LogScale (CQL)
// Requires: Microsoft 365 / Entra ID data ingested via CrowdStrike Falcon for Microsoft 365

#event_simpleName="AzureADSignIn" status.errorCode=0
| eval user=userPrincipalName, ip=ipAddress, loc=location, auth=authenticationDetails
| eval mfa_used=if(match(auth, "(?i)(MFA|Passwordless|FIDO)"), "true", "false")
| sort user, @timestamp
| groupBy([user], function=[
    collect([ip, loc, mfa_used, @timestamp], limit=1000)
  ])
// Flatten and compute sequential pairs
| mvexpand field=ip limit=1000
| rename ip as current_ip
// --- Impossible Travel sub-detection ---
// Join consecutive events per user and flag travel > impossible threshold
#event_simpleName="AzureADSignIn" status.errorCode=0
| eval user=userPrincipalName, ip=ipAddress, loc=location
| eval mfa_used=if(match(authenticationDetails, "(?i)(MFA|Passwordless|FIDO)"), "true", "false")
| sort user, @timestamp
| delta(field=@timestamp, as=time_diff_ms, window=1, partition=user)
| eval time_diff_minutes=time_diff_ms / 60000
| delta(field=ip, as=prev_ip_val, window=1, partition=user)
| delta(field=loc, as=prev_loc_val, window=1, partition=user)
| delta(field=mfa_used, as=prev_mfa_val, window=1, partition=user)
| eval impossible_travel=if(
    ip != prev_ip_val
    AND loc != prev_loc_val
    AND time_diff_minutes > 0
    AND time_diff_minutes < 60,
    "true", "false"
  )
| eval token_replay=if(
    mfa_used="false"
    AND prev_mfa_val="true"
    AND ip != prev_ip_val,
    "POSSIBLE_TOKEN_REPLAY", "NORMAL"
  )
| where impossible_travel="true" OR token_replay="POSSIBLE_TOKEN_REPLAY"
| eval threat_type=if(impossible_travel="true", "ImpossibleTravel_TokenReplay", "NoMFA_NewIP_TokenReplay")
| eval threat_actors="Scattered Spider, Storm-0539, Midnight Blizzard"
| table(@timestamp, user, ip, loc, prev_ip_val, prev_loc_val, time_diff_minutes, mfa_used, prev_mfa_val, threat_type, threat_actors)
| sort -@timestamp

CrowdStrike Falcon LogScale CQL query detecting Entra ID session token theft and replay (AiTM). Uses delta() to compute per-user sequential sign-in deltas, then flags impossible travel (two different geo IPs within 60 min) and MFA downgrade (prior MFA session followed by no-MFA sign-in from new IP). Covers Scattered Spider and Storm-0539 TTPs.

high severity medium confidence

Data Sources

Microsoft Entra ID Sign-In Logs via CrowdStrike Falcon for Microsoft 365 integration CrowdStrike Falcon Data Replicator with M365 connector

Required Tables

AzureADSignIn events in LogScale repository

False Positives

VPN split-tunnel configurations causing IP changes between authenticated API calls
Legitimate roaming users switching between office, hotel, and mobile hotspot networks
Conditional Access policies that explicitly exempt compliant devices from step-up MFA
Federated SSO where upstream IdP handles MFA and Entra ID does not record MFA in auth details
Automated scripts or service principals authenticating from multiple Azure regions using cached tokens

Sigma rule & cross-platform mapping

The detection logic for Microsoft Entra ID Session Token Theft and Replay (THREAT-EntraID-TokenTheft) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for THREAT-EntraID-TokenTheft Sigma rules on detection.fyi

Platform-specific guides for THREAT-EntraID-TokenTheft

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-20 Research depth: deep

References (3)

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Session Cookie Replay using Evilginx2 Captured Cookie
Expected signal: Azure AD Sign-in logs record a session established from the test IP without MFA, using the replayed cookie. Entra ID Identity Protection may generate an 'Unfamiliar sign-in properties' risk event.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-EntraID-TokenTheft including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Steal Web Session Cookie — Microsoft Entra ID Session Token Theft and Replay

What is THREAT-EntraID-TokenTheft Microsoft Entra ID Session Token Theft and Replay?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-EntraID-TokenTheft

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

What is THREAT-EntraID-TokenTheft Microsoft Entra ID Session Token Theft and Replay?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-EntraID-TokenTheft

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox