Threat Hunt | Level: low | Status: experimental

Azure Sign-In With Axios User Agent

Detects sign-in attempts in Azure/Entra ID sign-in logs where the user agent contains "axios", which can indicate automated credential replay or Adversary-in-the-Middle (AiTM) phishing infrastructure. Axios is a JavaScript HTTP client (Node.js and browser) that AiTM phishing kits and credential-harvesting tooling use to relay captured credentials and session or MFA tokens to the real identity provider; interactive users signing in from a browser do not present an axios user agent. When triaging results, analysts should:

- Check the sign-in risk level, MFA result, and conditional access outcome for signs that MFA was never required or was satisfied by a replayed token.
- Look for sign-ins from unusual locations or IPs, especially when the same IP targets multiple accounts.
- Prioritize successful sign-ins over failed ones, as they may indicate a completed credential replay or AiTM attack.

Author: Marco Pedrinazzi (InTheCyber) | Created: Tue Apr 28 | Rule ID: ea1a07f0-3dac-47a2-aeb4-86f5379ba2b4 | Category: cloud
Hunting Hypothesis
Log Source
Product: Azure (raw: azure)
Service: Sign-in logs (raw: signinlogs)
Detection Logic (1 selector)

detection:
    selection:
        userAgent|contains: 'axios'
    condition: selection

The selector matches any user agent string that contains the substring "axios" (for example "axios/1.6.8"); Sigma string matching is case-insensitive unless a backend says otherwise, so "Axios" matches as well.
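As an added example (not part of the Sigma rule, the author's tooling, or Phoenix Studio), the following Python applies the single selector above to a handful of constructed Entra ID sign-in records and then ranks the hits according to the triage notes from the description: successful sign-ins first, then sign-ins with elevated risk, no MFA requirement, no conditional access policy applied, or a source IP seen against more than one account. The field names (UserAgent, ResultType, IPAddress, RiskLevelDuringSignIn, ConditionalAccessStatus, AuthenticationRequirement) follow the SigninLogs table as exported to Log Analytics/Sentinel; the record layout, sample values, and the scoring weights are assumptions for illustration.

```python
"""Apply `userAgent|contains: 'axios'` to sign-in records and triage the hits.

Added example; not code from the rule author or Phoenix Studio. The records
below are constructed, not real telemetry, and the score weights are an
arbitrary triage heuristic chosen for this illustration.
"""
from collections import defaultdict

# Constructed sample records loosely following the Sentinel SigninLogs schema.
# ResultType "0" is a successful sign-in; "50126" is invalid username/password.
SIGNIN_LOGS = [
    {"UserPrincipalName": "alice@contoso.example", "UserAgent": "axios/1.6.8",
     "ResultType": "0", "IPAddress": "203.0.113.10",
     "RiskLevelDuringSignIn": "medium", "ConditionalAccessStatus": "notApplied",
     "AuthenticationRequirement": "singleFactorAuthentication"},
    {"UserPrincipalName": "bob@contoso.example", "UserAgent": "axios/1.6.8",
     "ResultType": "50126", "IPAddress": "203.0.113.10",
     "RiskLevelDuringSignIn": "none", "ConditionalAccessStatus": "notApplied",
     "AuthenticationRequirement": "singleFactorAuthentication"},
    # Plausible benign hit: an internal Node.js service that passed MFA and CA.
    {"UserPrincipalName": "svc-sync@contoso.example", "UserAgent": "Axios/0.27.2",
     "ResultType": "0", "IPAddress": "198.51.100.5",
     "RiskLevelDuringSignIn": "none", "ConditionalAccessStatus": "success",
     "AuthenticationRequirement": "multiFactorAuthentication"},
    # Interactive browser sign-in: must not match the rule.
    {"UserPrincipalName": "carol@contoso.example",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
     "ResultType": "0", "IPAddress": "192.0.2.77",
     "RiskLevelDuringSignIn": "none", "ConditionalAccessStatus": "success",
     "AuthenticationRequirement": "multiFactorAuthentication"},
]


def matches_rule(record):
    """The rule's only selector: userAgent|contains: 'axios'.

    Sigma string matching is case-insensitive by default, hence lower().
    """
    return "axios" in record.get("UserAgent", "").lower()


def ips_hitting_multiple_accounts(records):
    """Return source IPs that appear against more than one user principal."""
    accounts_by_ip = defaultdict(set)
    for r in records:
        accounts_by_ip[r["IPAddress"]].add(r["UserPrincipalName"])
    return {ip for ip, users in accounts_by_ip.items() if len(users) > 1}


def triage(records):
    """Filter with the rule, then score hits per the triage guidance.

    Weights are an assumption for this example, not part of the rule.
    """
    hits = [r for r in records if matches_rule(r)]
    shared_ips = ips_hitting_multiple_accounts(hits)
    results = []
    for r in hits:
        score, reasons = 0, []
        if r["ResultType"] == "0":
            score += 3
            reasons.append("successful sign-in (possible completed replay)")
        if r["RiskLevelDuringSignIn"] in ("medium", "high"):
            score += 2
            reasons.append(f"risk level {r['RiskLevelDuringSignIn']}")
        if r["AuthenticationRequirement"] == "singleFactorAuthentication":
            score += 2
            reasons.append("MFA not required")
        if r["ConditionalAccessStatus"] == "notApplied":
            score += 1
            reasons.append("no conditional access policy applied")
        if r["IPAddress"] in shared_ips:
            score += 2
            reasons.append(f"IP {r['IPAddress']} seen against multiple accounts")
        results.append({"user": r["UserPrincipalName"], "ip": r["IPAddress"],
                        "score": score, "reasons": reasons})
    # Highest score first so the analyst works the likeliest compromise first.
    results.sort(key=lambda x: x["score"], reverse=True)
    return results


if __name__ == "__main__":
    for hit in triage(SIGNIN_LOGS):
        print(f"{hit['score']:2d}  {hit['user']:28s} {hit['ip']:15s} "
              + "; ".join(hit["reasons"]))
```

Running the block lists alice first (successful, medium risk, single-factor, shared IP), bob second (same IP, failed password), and the MFA-protected service account last; carol's browser sign-in never matches. In production the allowlist for known axios-based applications from the False Positives section should be applied by application ID or source IP before scoring, not by user agent alone, since a user agent string is attacker-controlled.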
False Positives

Legitimate internal or third-party applications built with Node.js that use Axios as their HTTP client to authenticate against Azure/Entra ID. Baseline these by application ID and source IP and exclude them from the hunt; excluding on the user agent string alone is unreliable, since the string is set by the client.

MITRE ATT&CK
T1557 Adversary-in-the-Middle (Credential Access, Collection)
Rule Metadata
Rule ID
ea1a07f0-3dac-47a2-aeb4-86f5379ba2b4
Status
experimental
Level
low
Type
Threat Hunt
Created
Tue Apr 28
Path
rules-threat-hunting/cloud/azure/signin_logs/azure_ad_signin_axios_user_agent.yml
Raw Tags
attack.credential-access, attack.collection, attack.t1557, detection.threat-hunting