THREAT-EntraID-TokenTheft Splunk · SPL

Detect Microsoft Entra ID Session Token Theft and Replay in Splunk

Session token theft (also called token replay or pass-the-cookie) is one of the most prevalent identity attacks targeting Microsoft 365 and Entra ID in 2025-2026. Adversaries use adversary-in-the-middle (AiTM) proxy frameworks (Evilginx2, Modlishka, Muraena, Tycoon 2FA, EvilProxy) to sit between the victim and the real Microsoft sign-in page, capture the session cookie issued after the victim completes MFA, and then replay that cookie to authenticate as the victim without knowing their password or answering an MFA prompt. The attack works because, by default, the Entra ID session cookie is bound to the browser session and not to the originating device or IP address: a replay from a new IP may be flagged by Identity Protection as a risky sign-in, but nothing blocks it unless a Conditional Access policy acts on that risk. The actor groups tracked as Scattered Spider and Storm-0539 are documented using this technique at scale, primarily for financial fraud (payment diversion, payroll fraud) and for the compromise of IT administrator accounts.

MITRE ATT&CK

Tactic
Credential Access, Defense Evasion

Technique
T1539 Steal Web Session Cookie; T1550.004 Use Alternate Authentication Material: Web Session Cookie

SPL Detection Query

Splunk (SPL)
index=azure sourcetype="azure:aad:signin" properties.status.error_code=0
| eval ip='properties.ip_address'
| eval location='properties.location'
| eval user='properties.user_principal_name'
| eval mfa_used=if(match('properties.authentication_details', "(?i)(MFA|Passwordless|FIDO)"), "true", "false")
| sort 0 user, _time
| streamstats current=false last(ip) AS prev_ip, last(location) AS prev_location,
    last(_time) AS prev_time, last(mfa_used) AS prev_mfa BY user
| eval time_diff_minutes=(_time - prev_time) / 60
| eval impossible_travel=if(
    isnotnull(prev_ip) AND ip != prev_ip AND location != prev_location AND
    time_diff_minutes > 0 AND time_diff_minutes < 60,
    "true", "false"
  )
| eval token_replay=if(
    mfa_used="false" AND prev_mfa="true" AND isnotnull(prev_ip) AND ip != prev_ip,
    "POSSIBLE_TOKEN_REPLAY", "NORMAL"
  )
| where impossible_travel="true" OR token_replay="POSSIBLE_TOKEN_REPLAY"
| eval ThreatActors="Scattered Spider, Midnight Blizzard, Storm-0539"
| table _time, user, ip, location, prev_ip, prev_location,
    time_diff_minutes, impossible_travel, token_replay, mfa_used, prev_mfa, ThreatActors
| sort - _time
Severity: critical · Confidence: high

SPL detection for Entra ID session token theft using Azure AD sign-in telemetry. After filtering to successful sign-ins and sorting each user's events by time (sort 0 lifts Splunk's default 10,000-row cap so no user's history is truncated), streamstats with current=false carries the user's previous sign-in (IP, location, MFA state, timestamp) onto the current event. Two conditions are then evaluated. The first is a location change between consecutive sign-ins from different IPs within 60 minutes; this is a coarse impossible-travel proxy, since it only checks that the location value changed, not that the distance covered was physically impossible. The second is an MFA downgrade: a sign-in whose authentication details show no MFA, passwordless or FIDO method, following one that did, from a different IP. That second pattern is the classic cookie replay signature, because the replayed session inherits the MFA claim from the victim's original authentication and the attacker's sign-in never performs MFA itself. Two implementation notes: dotted field names inside eval must be single-quoted (unquoted, "." is SPL's string-concatenation operator and the field silently resolves to null), and properties.location must be a single scalar value for the comparison to work; if your add-on flattens location into separate city and country subfields, concatenate those into the location field before the streamstats step.
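
To check the query's two branches before deploying it, here is an added reference implementation of the same per-user streamstats logic in Python, run over constructed sample sign-in events. This is example code written for this page, not part of the detection package or Splunk's tooling. It assumes the field names used in the SPL (properties.ip_address, properties.user_principal_name, properties.location as a single string, and properties.authentication_details simplified to one string); the helper names _signin, _field and detect and the sample users and addresses are chosen here for illustration.

```python
"""Reference implementation of the SPL logic above, run over constructed sample
sign-in events, so both branches can be checked before the query is deployed."""
import re
from datetime import datetime, timezone

# Same regex as the SPL's mfa_used eval.
MFA_RE = re.compile(r"(?i)(MFA|Passwordless|FIDO)")
TRAVEL_WINDOW_MINUTES = 60


def _ts(iso: str) -> float:
    """Epoch seconds for an ISO-8601 UTC timestamp (stand-in for Splunk's _time)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def _field(event: dict, dotted: str):
    """Resolve a Splunk-style dotted field name such as 'properties.ip_address'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _signin(iso, user, ip, location, auth_details, error_code=0):
    """Build one constructed sign-in event using the field names the SPL expects
    (assumed schema; authentication_details is simplified to a single string)."""
    return {
        "_time": _ts(iso),
        "properties": {
            "status": {"error_code": error_code},
            "ip_address": ip,
            "location": location,
            "user_principal_name": user,
            "authentication_details": auth_details,
        },
    }


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    # alice: MFA sign-in from the office, then 12 min later a sign-in from a new IP
    # and country with no MFA prompt -> the cookie-replay pattern; both branches fire.
    _signin("2025-03-04T09:00:00", "alice@example.com", "203.0.113.10", "London, GB",
            "Password; Mobile app notification (MFA)"),
    _signin("2025-03-04T09:12:00", "alice@example.com", "198.51.100.77", "Lagos, NG",
            "Previously satisfied"),
    # bob: MFA sign-in, then a token refresh from the same IP hours later -> no alert.
    _signin("2025-03-04T08:30:00", "bob@example.com", "203.0.113.20", "London, GB",
            "Password; FIDO2 security key"),
    _signin("2025-03-04T14:00:00", "bob@example.com", "203.0.113.20", "London, GB",
            "Previously satisfied"),
    # carol: two full MFA sign-ins from different cities 30 min apart -> location branch only.
    _signin("2025-03-04T10:00:00", "carol@example.com", "203.0.113.30", "Manchester, GB",
            "Password; Mobile app notification (MFA)"),
    _signin("2025-03-04T10:30:00", "carol@example.com", "192.0.2.45", "Dublin, IE",
            "Password; Mobile app notification (MFA)"),
    # dave: a failed sign-in is dropped by the error_code=0 filter and never compared.
    _signin("2025-03-04T11:00:00", "dave@example.com", "203.0.113.40", "Berlin, DE",
            "Password", error_code=50126),
]


def detect(events):
    """Apply the SPL's filter, per-user streamstats and the two conditions; return the
    rows the query's final table would contain, newest first."""
    successful = [e for e in events if _field(e, "properties.status.error_code") == 0]
    successful.sort(key=lambda e: (_field(e, "properties.user_principal_name"), e["_time"]))
    prev_by_user = {}  # streamstats current=false ... BY user
    rows = []
    for e in successful:
        user = _field(e, "properties.user_principal_name")
        ip = _field(e, "properties.ip_address")
        location = _field(e, "properties.location")
        mfa_used = bool(MFA_RE.search(_field(e, "properties.authentication_details") or ""))
        prev = prev_by_user.get(user)
        prev_by_user[user] = {"ip": ip, "location": location, "time": e["_time"], "mfa": mfa_used}
        if prev is None:  # first sign-in for this user: prev_ip is null, neither branch can fire
            continue
        diff_minutes = (e["_time"] - prev["time"]) / 60
        impossible_travel = (ip != prev["ip"] and location != prev["location"]
                             and 0 < diff_minutes < TRAVEL_WINDOW_MINUTES)
        token_replay = (not mfa_used) and prev["mfa"] and ip != prev["ip"]
        if impossible_travel or token_replay:
            rows.append({
                "_time": e["_time"], "user": user, "ip": ip, "location": location,
                "prev_ip": prev["ip"], "prev_location": prev["location"],
                "time_diff_minutes": diff_minutes,
                "impossible_travel": "true" if impossible_travel else "false",
                "token_replay": "POSSIBLE_TOKEN_REPLAY" if token_replay else "NORMAL",
                "mfa_used": "true" if mfa_used else "false",
                "prev_mfa": "true" if prev["mfa"] else "false",
            })
    rows.sort(key=lambda r: r["_time"], reverse=True)  # sort - _time
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["user"], row["token_replay"], "travel=" + row["impossible_travel"],
              f"{row['time_diff_minutes']:.0f} min", row["prev_location"], "->", row["location"])
```

Running it yields two rows: carol's second sign-in trips only the location-change branch (MFA was performed both times), while alice's second sign-in trips both branches, which is the combination worth paging on. bob's same-IP refresh and dave's failed sign-in produce nothing, which is the behaviour to keep in mind when tuning: the MFA-downgrade branch only fires when the IP also changes.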

Data Sources

  • Azure AD Sign-In Logs via Splunk Add-on for Microsoft Cloud Services
  • Microsoft Graph Security API

Required Sourcetypes

azure:aad:signin

False Positives & Tuning

  • Business travellers using multiple network connections during transit (hotel Wi-Fi, mobile data, in-flight connectivity) trip the location-change branch within the hour
  • Users on split-tunnel VPN, where some sign-ins egress via the VPN and others via the local network, producing inconsistent locations
  • M365 mobile app sign-ins over carrier data while a VPN is active on the laptop (different apparent IPs for the same user within minutes)
  • Conditional Access policies that require MFA only for some applications: a later sign-in to an application outside that scope legitimately records no MFA method and, from a new IP, matches the MFA-downgrade branch
  • Non-interactive sign-ins (token refreshes by Office clients) record no MFA method; if your sourcetype includes them, restrict the search to interactive sign-ins before comparing MFA state

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Session Cookie Replay using Evilginx2 Captured Cookie

    Expected signal: Azure AD Sign-in logs record a successful session established from the test IP without an MFA method, using the replayed cookie, within minutes of the victim's genuine MFA sign-in; the query above should return that row with token_replay=POSSIBLE_TOKEN_REPLAY. Entra ID Identity Protection may additionally generate an 'Unfamiliar sign-in properties' or 'Anomalous token' risk detection.
