Azure Entra ID Password Spraying (Non-Interactive SFA)

Last updated: 2025-03-20
Created: 2025-03-07

About

Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Entra ID
Data Source: Entra ID Sign-in
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access
Language: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

False Positive Examples
Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication settings may lead to false positives.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

azure

Query
from logs-azure.signinlogs*
| keep
    @timestamp,
    event.dataset,
    event.category,
    azure.signinlogs.properties.is_interactive,
    azure.signinlogs.properties.authentication_requirement,
    azure.signinlogs.properties.resource_display_name,
    azure.signinlogs.properties.status.error_code,
    azure.signinlogs.properties.resource_service_principal_id,
    azure.signinlogs.category,
    event.outcome,
    azure.signinlogs.properties.user_principal_name,
    source.ip
// truncate the timestamp to a 10-minute window
| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)
| WHERE
  event.dataset == "azure.signinlogs"
  and event.category == "authentication"
  and azure.signinlogs.properties.is_interactive == false
  and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
  and event.outcome != "success"
  and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
    // for tuning review azure.signinlogs.properties.status.error_code
    // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

// count the distinct resource service principals hit by failed attempts, per 10-minute window, user and error code
| stats
    unique_user_login_count = count_distinct(azure.signinlogs.properties.resource_service_principal_id) by
        target_time_window,
        azure.signinlogs.properties.user_principal_name,
        azure.signinlogs.properties.status.error_code

// alert when a single user has >= 20 distinct resources with failed SFA attempts sharing the same error code in one window
| where unique_user_login_count >= 20
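To check what this rule actually fires on before deploying it, here is a stand-alone Python re-implementation of the query's WHERE, DATE_TRUNC and STATS logic over constructed sign-in events (an added example; it is not Elastic's code and the events, user names and resource ids are made up). It uses flattened dotted field names matching the ones the rule keeps.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Error codes the rule treats as credential-validation failures (taken from the rule above)
SPRAY_ERROR_CODES = {50053, 50126, 50055, 50056, 50064, 50144}
THRESHOLD = 20  # same threshold as the rule's final WHERE clause

def window_start(ts: str) -> datetime:
    """Truncate an ISO-8601 timestamp to its 10-minute bucket (DATE_TRUNC(10 minutes, ...) equivalent)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(minute=dt.minute - dt.minute % 10, second=0, microsecond=0)

def is_candidate(ev: dict) -> bool:
    """Mirror the rule's WHERE clause on a flattened (dotted-key) sign-in event."""
    p = "azure.signinlogs.properties."
    return (ev.get("event.dataset") == "azure.signinlogs"
            and ev.get("event.category") == "authentication"
            and ev.get(p + "is_interactive") is False
            and ev.get(p + "authentication_requirement") == "singleFactorAuthentication"
            and ev.get("event.outcome") != "success"
            and ev.get(p + "status.error_code") in SPRAY_ERROR_CODES)

def detect_spray(events, threshold=THRESHOLD):
    """Group by (10-minute window, user, error code), count distinct resource
    service principals (as the rule's STATS does) and return groups at or above threshold."""
    p = "azure.signinlogs.properties."
    groups = defaultdict(set)
    for ev in events:
        if is_candidate(ev):
            key = (window_start(ev["@timestamp"]), ev[p + "user_principal_name"], ev[p + "status.error_code"])
            groups[key].add(ev[p + "resource_service_principal_id"])
    return {key: len(spns) for key, spns in groups.items() if len(spns) >= threshold}

def make_event(ts, upn, code, spn, interactive=False, outcome="failure"):
    """Build a constructed (not real) sign-in event carrying the fields the rule keeps."""
    p = "azure.signinlogs.properties."
    return {"@timestamp": ts, "event.dataset": "azure.signinlogs", "event.category": "authentication",
            "event.outcome": outcome, p + "is_interactive": interactive,
            p + "authentication_requirement": "singleFactorAuthentication",
            p + "user_principal_name": upn, p + "status.error_code": code,
            p + "resource_service_principal_id": spn}

# Constructed sample: alice fails non-interactively against 25 distinct resources inside 10:00-10:09 (fires);
# bob does the same but interactively (excluded by the WHERE clause); carol fails 25 times against ONE
# resource, so her distinct-resource count is 1 and the rule stays silent.
SAMPLE = [make_event(f"2025-03-20T10:{i % 10:02d}:00Z", "alice@example.com", 50126, f"spn-{i}") for i in range(25)]
SAMPLE += [make_event(f"2025-03-20T10:{i % 10:02d}:00Z", "bob@example.com", 50126, f"spn-{i}", interactive=True) for i in range(25)]
SAMPLE += [make_event(f"2025-03-20T10:{i % 10:02d}:00Z", "carol@example.com", 50126, "spn-0") for i in range(25)]
```

The carol case is the tuning point to keep in mind: because the rule counts distinct resource service principals rather than raw failures, a user hammered with many guesses against a single resource never reaches the threshold.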

Install detection rules in Elastic Security

Detect Azure Entra ID Password Spraying (Non-Interactive SFA) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.