Entra ID User Sign-In via Unusual Legacy Authentication Client

Last updated 7 days ago on 2026-07-02
Created 7 days ago on 2026-07-02

About

Detects a successful sign-in by a Member user principal through a legacy authentication client (such as Authenticated SMTP, IMAP4, POP3, Exchange ActiveSync, Exchange Web Services, or other basic-authentication clients) in Microsoft Entra ID, where the user principal has not been seen using a legacy client in the last 7 days. Legacy authentication clients rely on basic authentication, do not support modern authentication or interactive multi-factor authentication, and are frequently abused by adversaries for password spraying and account takeover because they translate into single-factor Resource Owner Password Credentials (ROPC) grants. This is a New Terms rule that surfaces the first occurrence of legacy client authentication for a given user, which is unusual in most modern environments.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-In LogsUse Case: Identity and Access AuditTactic: Initial AccessTactic: Defense EvasionLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "azure.signinlogs" and event.action: "Sign-in activity" and event.outcome: "success" and azure.signinlogs.properties.user_type: "Member" and azure.signinlogs.properties.client_app_used: ( "Authenticated SMTP" or "Autodiscover" or "Exchange ActiveSync" or "Exchange Online PowerShell" or "Exchange Web Services" or "IMAP4" or "MAPI Over HTTP" or "Offline Address Book" or "Outlook Anywhere" or "Outlook Service" or "POP3" or "Reporting Web Services" or "Other clients" )

Install detection rules in Elastic Security

Detect Entra ID User Sign-In via Unusual Legacy Authentication Client in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).