THREAT-EntraID-TokenTheft CrowdStrike LogScale · LogScale

Detect Microsoft Entra ID Session Token Theft and Replay in CrowdStrike LogScale

Session token theft (also called token replay or pass-the-cookie) is one of the most prevalent identity attacks targeting Microsoft 365 and Entra ID in 2025-2026. Adversaries use adversary-in-the-middle (AiTM) proxy frameworks and phishing kits (Evilginx2, Modlishka, Muraena, Tycoon 2FA, EvilProxy) to sit between the victim and the real M365 sign-in page, capture the session cookie that Entra ID issues after the user has completed MFA, and then replay that cookie to authenticate as the victim without needing a password or a fresh MFA prompt. The attack works because, by default, Entra ID session cookies are bound to the browser session but not to the device or the originating IP. A replay from a new IP may raise an Identity Protection risk signal (for example "Unfamiliar sign-in properties" or "Anomalous token"), but nothing blocks it unless a Conditional Access policy acts on that risk or the Conditional Access token protection control binds the session to the device. Scattered Spider and Storm-0539 are documented using this technique at scale against SMBs and mid-market organisations, primarily for financial fraud (payment diversion, payroll fraud) and for compromising IT administrators to facilitate follow-on access such as SIM swapping.

MITRE ATT&CK

Tactics: Credential Access, Defense Evasion
Techniques: Steal Web Session Cookie (T1539), Use Alternate Authentication Material: Web Session Cookie (T1550.004)

LogScale Detection Query

CrowdStrike Falcon LogScale (CQL)

// Entra ID Session Token Theft & Replay — CrowdStrike Falcon LogScale (CQL)
// Requires: Microsoft 365 / Entra ID sign-in logs ingested via CrowdStrike Falcon for Microsoft 365.
// Field names follow the AzureADSignIn event used on this page; confirm them against your parser
// before deploying. The original draft used eval/mvexpand/delta, which are not CQL; CQL assigns
// with :=, tests regexes with /pattern/ filters, and reaches the previous event with neighbor().

#event_simpleName="AzureADSignIn" status.errorCode=0
// Normalise the fields compared below
| user := userPrincipalName
| ip := ipAddress
| loc := location
| ts := @timestamp
// Did this sign-in present a strong factor? Regex over the flattened authenticationDetails field.
// Caveat: a replayed session is often logged as "MFA requirement satisfied by claim in the token",
// which this regex also classifies as MFA (see False Positives & Tuning).
| case {
    authenticationDetails=/(MFA|Passwordless|FIDO)/i | mfa_used := "true";
    * | mfa_used := "false"
  }
// Order each user's sign-ins oldest-first and copy the previous event's values onto the
// current one as prev.* fields. neighbor() is a sequence function: it needs an ordered
// sequence (head() gives one) and operates per group when wrapped in groupBy().
// Assumption: this neighbor()/groupBy() pairing is as documented for recent LogScale
// releases; verify against the version you run.
| head(limit=10000)
| groupBy([user], function=neighbor([ip, loc, mfa_used, ts], prefix=prev), limit=max)
// --- Impossible travel: different IP and different location within 60 minutes ---
| time_diff_minutes := (ts - prev.ts) / 60000
| impossible_travel := if(ip != prev.ip && loc != prev.loc && time_diff_minutes > 0 && time_diff_minutes < 60, then="true", else="false")
// --- MFA downgrade: prior MFA sign-in followed by a no-MFA sign-in from a new IP ---
| token_replay := if(mfa_used == "false" && prev.mfa_used == "true" && ip != prev.ip, then="POSSIBLE_TOKEN_REPLAY", else="NORMAL")
// The first sign-in per user has no prev.* fields and is dropped by this filter
| impossible_travel="true" OR token_replay="POSSIBLE_TOKEN_REPLAY"
| threat_type := if(impossible_travel == "true", then="ImpossibleTravel_TokenReplay", else="NoMFA_NewIP_TokenReplay")
| threat_actors := "Scattered Spider, Storm-0539, Midnight Blizzard"
| table([ts, user, ip, loc, prev.ip, prev.loc, time_diff_minutes, mfa_used, prev.mfa_used, threat_type, threat_actors], sortby=ts, order=desc)

Severity: High | Confidence: Medium

CrowdStrike Falcon LogScale CQL query detecting Entra ID session token theft and replay (AiTM). It orders each user's successful sign-ins by time, pairs every sign-in with that user's previous one, then flags impossible travel (a different IP and location within 60 minutes) and MFA downgrade (a sign-in that presented an MFA factor followed by one that did not, from a new IP). Covers Scattered Spider and Storm-0539 TTPs.
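The same pairwise logic as the query, re-implemented in Python over a handful of constructed sign-in records so it can be run offline against the rule before it goes into LogScale. This is an added example, not the page's query or CrowdStrike code. Field names follow the Microsoft Graph signIn schema (userPrincipalName, ipAddress, location, createdDateTime), but the authenticationDetails values are flattened to a single string here, and the users, IPs, timestamps and the strict_mfa option are assumptions made for the demonstration. It goes one step beyond the page's rule by including a sign-in that Entra records as "MFA requirement satisfied by claim in the token": the page's regex counts that as MFA, so the downgrade branch stays silent unless the claim-only wording is treated as no fresh factor.

```python
import re
from datetime import datetime, timezone
from itertools import groupby

# Same regex the page's query applies to authenticationDetails.
MFA_RE = re.compile(r"MFA|Passwordless|FIDO", re.IGNORECASE)
# Wording Entra uses when an MFA claim was carried over from an existing session
# rather than proved afresh (assumed here to indicate no new factor).
TOKEN_CLAIM_RE = re.compile(r"satisfied by claim in the token|previously satisfied", re.IGNORECASE)
IMPOSSIBLE_TRAVEL_MINUTES = 60

# Constructed sample records (not real telemetry): successful and failed sign-ins for two users.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-10T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": "London, GB", "status.errorCode": 0,
     "authenticationDetails": "Password; MFA (Microsoft Authenticator)"},
    # 20 minutes later, different country, no MFA: both branches of the rule fire
    {"createdDateTime": "2025-03-10T08:20:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "location": "Lagos, NG", "status.errorCode": 0,
     "authenticationDetails": "Previously satisfied"},
    {"createdDateTime": "2025-03-10T09:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.20", "location": "Manchester, GB", "status.errorCode": 0,
     "authenticationDetails": "Password; MFA (Microsoft Authenticator)"},
    # 3 hours later from a new IP, but the MFA claim rode in on the token: the page's regex says "MFA"
    {"createdDateTime": "2025-03-10T12:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.55", "location": "Frankfurt, DE", "status.errorCode": 0,
     "authenticationDetails": "MFA requirement satisfied by claim in the token"},
    # Failed sign-in: excluded by the status.errorCode=0 filter
    {"createdDateTime": "2025-03-10T12:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.99", "location": "Paris, FR", "status.errorCode": 50126,
     "authenticationDetails": "Password"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_used(event: dict, strict: bool = False) -> bool:
    """True when the page's regex matches. With strict=True an MFA claim that was only
    carried over from an existing session (no fresh factor) does not count."""
    details = event.get("authenticationDetails", "")
    if not MFA_RE.search(details):
        return False
    return not (strict and TOKEN_CLAIM_RE.search(details))


def detect(events: list, strict_mfa: bool = False) -> list:
    """Pair each successful sign-in with the same user's previous one and apply the
    impossible-travel and MFA-downgrade checks; returns one finding per flagged sign-in."""
    findings = []
    ok = [e for e in events if e.get("status.errorCode") == 0]
    ok.sort(key=lambda e: (e["userPrincipalName"], parse_ts(e["createdDateTime"])))
    for user, group in groupby(ok, key=lambda e: e["userPrincipalName"]):
        prev = None
        for cur in group:
            if prev is not None:  # the first sign-in per user has no predecessor
                minutes = (parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])).total_seconds() / 60
                new_ip = cur["ipAddress"] != prev["ipAddress"]
                impossible = new_ip and cur["location"] != prev["location"] and 0 < minutes < IMPOSSIBLE_TRAVEL_MINUTES
                replay = new_ip and mfa_used(prev, strict_mfa) and not mfa_used(cur, strict_mfa)
                if impossible or replay:
                    findings.append({
                        "timestamp": cur["createdDateTime"], "user": user,
                        "ip": cur["ipAddress"], "prev_ip": prev["ipAddress"],
                        "loc": cur["location"], "prev_loc": prev["location"],
                        "time_diff_minutes": minutes,
                        "threat_type": "ImpossibleTravel_TokenReplay" if impossible else "NoMFA_NewIP_TokenReplay",
                    })
            prev = cur
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_SIGNINS):
        print("page rule:", finding)
    for finding in detect(SAMPLE_SIGNINS, strict_mfa=True):
        print("strict:   ", finding["user"], finding["threat_type"])
```

With the page's rule as written only alice's second sign-in is reported; bob's token-claim sign-in is invisible because it is three hours after the previous one and the regex reads "MFA" in the claim wording. With strict_mfa=True the same record surfaces as NoMFA_NewIP_TokenReplay, which is the behaviour to aim for when tuning the LogScale case block.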

Data Sources

  • Microsoft Entra ID Sign-In Logs via CrowdStrike Falcon for Microsoft 365 integration
  • CrowdStrike Falcon Data Replicator with M365 connector

Required Tables

AzureADSignIn events in LogScale repository

False Positives & Tuning

  • VPN split-tunnel configurations causing IP changes between authenticated API calls
  • Legitimate roaming users switching between office, hotel, and mobile hotspot networks
  • Conditional Access policies that explicitly exempt compliant devices from step-up MFA
  • Federated SSO where upstream IdP handles MFA and Entra ID does not record MFA in auth details
  • Automated scripts or service principals authenticating from multiple Azure regions using cached tokens
  • Replayed sessions are frequently logged by Entra ID with authenticationDetails reading "MFA requirement satisfied by claim in the token"; the query's regex classifies that as MFA, so only the impossible-travel branch can catch such a sign-in unless that wording is treated as no fresh factor
  • Granularity of the location field: country-level values hide in-country hops, while city-level values fire on mobile carrier address changes; the first sign-in per user in the search window has no predecessor and is never flagged

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Session Cookie Replay using an Evilginx2-captured cookie

    Expected signal: Entra ID sign-in logs record a session established from the test IP using the replayed cookie, without a fresh MFA prompt. Entra ID Identity Protection may generate an "Unfamiliar sign-in properties" risk event. Check what authenticationDetails contains for that sign-in, since a carried-over MFA claim will not trigger the MFA-downgrade branch of the query.

