Type: Detection | Level: high | Status: experimental

Azure Login Bypassing Conditional Access Policies

Detects a successful login to the Microsoft Intune Company Portal application (ApplicationId 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223) with the request type Cmsi:Cmsi where the target resource is not Microsoft Intune itself. Such logins can indicate an attempt to bypass Conditional Access policies and Intune device trust using a tool such as TokenSmith. Logins whose ObjectId is the Microsoft Intune service (0000000a-0000-0000-c000-000000000000) are excluded because they are seen during legitimate mobile device enrolment.

Author: Josh Nickels, Marius Rothenbücher
Created: Wed Jan 08
Rule ID: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
Category: cloud
Log Source
Product: Microsoft 365 (raw: m365)
Service: audit (raw: audit)
Detection Logic (2 selectors)
detection:
    selection:
        Operation: 'UserLoggedIn'
        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223' # Microsoft Intune Company Portal
        ResultStatus: 'Success'
        RequestType: 'Cmsi:Cmsi'
    filter_main_objectid:
        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune; seen when mobile devices are enrolled
    condition: selection and not 1 of filter_main_*
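To see what the two selectors actually do against log records, here is an added Python example (not part of the rule or the Sigma repository) that evaluates the condition "selection and not 1 of filter_main_*" over constructed Unified Audit Log records. The two GUIDs are the only values taken from the rule; the UserIds, the Microsoft Graph ObjectId used as a non-Intune resource, the Microsoft Office ApplicationId used as a non-matching app, and the record layout with RequestType carried inside ExtendedProperties are assumptions about how Search-UnifiedAuditLog exports these events.

```python
"""Evaluate the Sigma rule above against Microsoft 365 Unified Audit Log records.

Added example, not the rule's own code. The sample records are constructed;
only the two GUIDs below are taken from the rule itself.
"""
import json

COMPANY_PORTAL_APP_ID = "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223"  # Microsoft Intune Company Portal (from the rule)
INTUNE_RESOURCE_ID = "0000000a-0000-0000-c000-000000000000"     # Microsoft Intune (from the rule's filter)


def flatten(record: dict) -> dict:
    """Lift ExtendedProperties {"Name": ..., "Value": ...} pairs to the top level.

    Assumption: AzureActiveDirectoryStsLogon records carry RequestType there,
    so the rule's field names do not apply until the record is flattened."""
    flat = dict(record)
    for prop in record.get("ExtendedProperties") or []:
        name, value = prop.get("Name"), prop.get("Value")
        if name and name not in flat:
            flat[name] = value
    return flat


def _eq(record: dict, field: str, expected: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    actual = record.get(field)
    return isinstance(actual, str) and actual.lower() == expected.lower()


def matches_rule(record: dict) -> bool:
    """Implements 'selection and not 1 of filter_main_*' from the rule."""
    rec = flatten(record)
    selection = (
        _eq(rec, "Operation", "UserLoggedIn")
        and _eq(rec, "ApplicationId", COMPANY_PORTAL_APP_ID)
        and _eq(rec, "ResultStatus", "Success")
        and _eq(rec, "RequestType", "Cmsi:Cmsi")
    )
    filter_main_objectid = _eq(rec, "ObjectId", INTUNE_RESOURCE_ID)
    return selection and not filter_main_objectid


def alerting_users(records) -> list:
    """Return the UserId of every record that fires the rule, in input order."""
    return [flatten(r).get("UserId") for r in records if matches_rule(r)]


# Constructed sample records (shape assumed from Search-UnifiedAuditLog JSON output).
SAMPLE_RECORDS = [json.loads(s) for s in [
    # 1. Company Portal sign-in with Cmsi:Cmsi, resource is Microsoft Graph, not Intune: fires.
    '{"Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"alice@contoso.example",'
    '"ApplicationId":"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223",'
    '"ObjectId":"00000003-0000-0000-c000-000000000000",'
    '"ExtendedProperties":[{"Name":"RequestType","Value":"Cmsi:Cmsi"}]}',
    # 2. Same request type but the resource is Microsoft Intune (device enrolment): filtered out.
    '{"Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"bob@contoso.example",'
    '"ApplicationId":"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223",'
    '"ObjectId":"0000000a-0000-0000-c000-000000000000",'
    '"ExtendedProperties":[{"Name":"RequestType","Value":"Cmsi:Cmsi"}]}',
    # 3. Company Portal but an ordinary token request: not selected.
    '{"Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"carol@contoso.example",'
    '"ApplicationId":"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223",'
    '"ObjectId":"00000003-0000-0000-c000-000000000000",'
    '"ExtendedProperties":[{"Name":"RequestType","Value":"OAuth2:Token"}]}',
    # 4. Cmsi:Cmsi from a different first-party app (Microsoft Office) and failed: not selected.
    '{"Operation":"UserLoggedIn","ResultStatus":"Failed","UserId":"dave@contoso.example",'
    '"ApplicationId":"d3590ed6-52b3-4102-aeff-aad2292ab01c",'
    '"ObjectId":"00000003-0000-0000-c000-000000000000",'
    '"ExtendedProperties":[{"Name":"RequestType","Value":"Cmsi:Cmsi"}]}',
]]

if __name__ == "__main__":
    for user in alerting_users(SAMPLE_RECORDS):
        print("ALERT: Company Portal login outside Intune enrolment for", user)
```

Only the first record fires: the second is the enrolment case the filter exists for, and the other two miss the selection on RequestType or ApplicationId. When porting the rule to a backend that does not flatten ExtendedProperties, the RequestType comparison is the part most likely to silently never match, so validate it against a known-good enrolment record before trusting the exclusion.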
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
Status
experimental
Level
high
Type
Detection
Created
Wed Jan 08
Path
rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.initial-access, attack.defense-evasion, attack.t1078