THREAT-EntraID-TokenTheft Microsoft Sentinel · KQL

Detect Microsoft Entra ID Session Token Theft and Replay in Microsoft Sentinel

Session token theft (also called token replay or pass-the-cookie) is one of the most prevalent identity attacks targeting Microsoft 365 and Entra ID in 2025-2026. Adversaries use adversary-in-the-middle (AiTM) proxy frameworks (Evilginx2, Modlishka, Muraena, Tycoon 2FA, EvilProxy) to intercept valid session cookies from M365 sign-in flows, then replay those cookies to authenticate as the victim without needing their credentials or MFA code. The attack works because Microsoft's authentication cookies are bound to the browser session but not to the originating IP: a cookie replayed from a different IP is flagged by Entra ID's risk engine but is not blocked by default. Scattered Spider and Storm-0539 have been documented using this technique at scale against SMBs and mid-market organisations, primarily for financial fraud (payment diversion, payroll fraud) and for IT admin compromise as a stepping stone to SIM swapping.

MITRE ATT&CK

Tactic: Credential Access, Defense Evasion

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// THREAT: Entra ID Session Token Theft & Replay (AiTM)
// Detects session token replay indicators: impossible travel, and a
// single-factor sign-in from an IP outside the user's 30-day baseline.
// Note: in a Microsoft Sentinel workspace the Entra ID sign-in table is
// named SigninLogs; AADSignInLogs is the name used on this page.

// Alert 1: Impossible travel - same user, consecutive successful sign-ins
// from two different IPs and locations within a short time window
let MaxTravelTimeMinutes = 60;
let ImpossibleTravel = AADSignInLogs
| where TimeGenerated > ago(24h)
| where toint(Status.errorCode) == 0
| where isnotempty(IPAddress) and isnotempty(Location)
| project TimeGenerated, UserPrincipalName, IPAddress, Location
// order by serializes the rows so prev() compares against the user's previous sign-in
| order by UserPrincipalName asc, TimeGenerated asc
| extend PrevUser = prev(UserPrincipalName), PrevTime = prev(TimeGenerated),
         PrevIP = prev(IPAddress), PrevLoc = prev(Location)
| where UserPrincipalName == PrevUser
| extend TimeDiff = datetime_diff('minute', TimeGenerated, PrevTime)
// 0 is included so two sign-ins within the same minute from different countries are caught
| where TimeDiff between (0 .. MaxTravelTimeMinutes)
    and Location != PrevLoc
    and IPAddress != PrevIP
| project TimeGenerated, UserPrincipalName, IPAddress, Location, PrevIP, PrevLoc, TimeDiff
| extend ThreatType = "ImpossibleTravel_TokenReplay";
// Alert 2: Successful sign-in from an IP not seen for the user in the last 30 days,
// with no MFA performed (token replay bypasses MFA)
let UserIPBaseline = AADSignInLogs
| where TimeGenerated between (ago(30d) .. ago(1d))
| where toint(Status.errorCode) == 0
| summarize KnownIPs = make_set(IPAddress) by UserPrincipalName;
let NoMFANewIP = AADSignInLogs
| where TimeGenerated > ago(24h)
| where toint(Status.errorCode) == 0
| where AuthenticationRequirement =~ "singleFactorAuthentication"
    or (tostring(AuthenticationDetails) !has "MFA"
        and tostring(AuthenticationDetails) !has "Passwordless")
| join kind=leftouter UserIPBaseline on UserPrincipalName
// `in` cannot test membership in a dynamic array column; set_has_element() can.
// Users with no baseline at all (isnull) are treated as signing in from a new IP.
| where isnull(KnownIPs) or not(set_has_element(KnownIPs, IPAddress))
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AppDisplayName, AuthenticationRequirement, AuthenticationDetails,
    RiskLevelDuringSignIn, ConditionalAccessStatus
| extend ThreatType = "NoMFA_NewIP_PossibleTokenReplay";
// Return both alert sets in one result (union fills missing columns with nulls)
union ImpossibleTravel, NoMFANewIP
| order by TimeGenerated desc
```

Severity: Critical · Confidence: High

Dual-alert detection for Entra ID token theft: (1) impossible travel — two successful sign-ins from geographically distant locations within a short window, classic AiTM proxy indicator; (2) single-factor authentication from a new IP not seen in the user's 30-day baseline — indicates session token replay bypassing MFA. Both should be correlated with Conditional Access evaluation failures and Entra ID Identity Protection risk events.

Data Sources

  • Azure AD Sign-In Logs (AADSignInLogs)
  • Azure AD Identity Protection (AADRiskyUsers, AADUserRiskEvents)
  • Microsoft 365 Defender Advanced Hunting

Required Tables

  • AADSignInLogs
  • AADRiskyUsers

False Positives & Tuning

  • Users legitimately travelling who sign in from airports, hotels, or multiple mobile data providers within a short window
  • Shared accounts used by multiple team members from different locations (a practice SMBs should eliminate rather than tune around)
  • VPN use that changes apparent location between sign-ins (user connects to VPN on second sign-in but not first)
  • Users with MFA remembered on trusted devices who then sign in without an MFA prompt (the remembered-MFA state is a Conditional Access configuration, so these sign-ins are recorded as single-factor)
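The two alerts in the query above, and the VPN-egress tuning item from the false-positive list, modelled offline so the logic can be checked against sample sign-ins before deploying. This is an added example, not the detection page's own code: the SignIn record, the function names, the IP addresses and the VPN allow-list are all constructed for illustration, and the record mirrors only the few SigninLogs columns the query uses.

```python
"""Offline model of the two Entra ID token-replay alerts (added example).

Constructed sample data only; field and function names are assumptions
chosen to mirror the KQL: success == (Status.errorCode == 0),
mfa == MFA/passwordless satisfied, location == the Location column.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    time: datetime
    upn: str
    ip: str
    location: str   # country code, as in the Location column
    success: bool   # Status.errorCode == 0
    mfa: bool       # MFA or passwordless satisfied during this sign-in


MAX_TRAVEL_MINUTES = 60


def impossible_travel(signins, max_minutes=MAX_TRAVEL_MINUTES):
    """Alert 1: consecutive successful sign-ins for one user from a different
    IP *and* a different location within max_minutes (0 included)."""
    by_user = defaultdict(list)
    for s in signins:
        if s.success and s.ip and s.location:
            by_user[s.upn].append(s)
    alerts = []
    for upn, rows in by_user.items():
        rows.sort(key=lambda s: s.time)          # same role as `order by ... asc`
        for prev, cur in zip(rows, rows[1:]):    # same role as prev()
            diff = (cur.time - prev.time) // timedelta(minutes=1)
            if 0 <= diff <= max_minutes and cur.location != prev.location and cur.ip != prev.ip:
                alerts.append((upn, prev.ip, cur.ip, diff))
    return alerts


def new_ip_without_mfa(baseline, recent, vpn_egress=frozenset()):
    """Alert 2: single-factor successful sign-in from an IP absent from the
    user's baseline. vpn_egress is a constructed allow-list of corporate VPN
    exit IPs (tuning: VPN use changes the apparent location). A user with no
    baseline at all counts as a new IP, matching isnull(KnownIPs) in the KQL."""
    known = defaultdict(set)
    for s in baseline:
        if s.success:
            known[s.upn].add(s.ip)
    alerts = []
    for s in recent:
        if not s.success or s.mfa or s.ip in vpn_egress:
            continue
        if s.ip not in known[s.upn]:
            alerts.append((s.upn, s.ip))
    return alerts


# Constructed sample sign-ins (documentation IP ranges, fictitious users)
T0 = datetime(2025, 3, 1, 9, 0)
BASELINE = [SignIn(T0 - timedelta(days=d), "alice@example.com", "203.0.113.10", "GB", True, True)
            for d in range(2, 10)]
RECENT = [
    SignIn(T0, "alice@example.com", "203.0.113.10", "GB", True, True),                       # normal, MFA
    SignIn(T0 + timedelta(minutes=12), "alice@example.com", "198.51.100.7", "NG", True, False),  # replayed cookie
    SignIn(T0 + timedelta(minutes=30), "bob@example.com", "192.0.2.44", "GB", True, False),     # VPN egress, no history
    SignIn(T0 + timedelta(minutes=40), "bob@example.com", "192.0.2.44", "GB", False, False),    # failed, ignored
]
VPN_EGRESS = frozenset({"192.0.2.44"})   # constructed corporate VPN exit IP


def run():
    """Both alerts over the sample data, with the VPN allow-list applied."""
    return {
        "impossible_travel": impossible_travel(RECENT),
        "new_ip_no_mfa": new_ip_without_mfa(BASELINE, RECENT, VPN_EGRESS),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

Alice's second sign-in trips both alerts (12 minutes, GB to NG, single-factor, IP not in her 30-day baseline). Bob has no baseline, so without the allow-list his VPN sign-in is also reported; with it, the row is suppressed, which is the trade-off the tuning list describes.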

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Session Cookie Replay using Evilginx2 Captured Cookie

    Expected signal: Azure AD Sign-in logs record a session established from the test IP without MFA, using the replayed cookie. Entra ID Identity Protection may generate an 'Unfamiliar sign-in properties' risk event.
