LoFP / known legacy accounts

Techniques

Sample rules

Potential MFA Bypass Using Legacy Client Authentication

Description

Detects successful authentication by clients that, judging by their user agent strings, are potentially using legacy authentication. This could be a sign of MFA bypass using a password spray attack.

Detection logic

condition: selection
selection:
  Status: Success
  userAgent|contains:
  - BAV2ROPC
  - CBAinPROD
  - CBAinTAR
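
The selection above evaluated over constructed sign-in records, with hits from known legacy accounts (the false-positive source this page covers) separated from hits that need triage. This is an added example, not part of the original rule; the `userPrincipalName` field, the account names and the allowlist are assumptions.

```python
"""Evaluate the rule's selection over sign-in records and separate
known legacy accounts (expected hits) from hits that need triage."""

# User agent substrings taken from the rule's detection logic.
LEGACY_UA_MARKERS = ("BAV2ROPC", "CBAinPROD", "CBAinTAR")

# Assumption: accounts the organisation has documented as still needing
# legacy authentication. Names are constructed for illustration.
KNOWN_LEGACY_ACCOUNTS = {"svc-scanner@example.com"}


def matches_selection(event):
    """Status equals Success AND userAgent contains any marker.
    Sigma string matching is case-insensitive, so compare lowercased."""
    status = str(event.get("Status") or "").lower()
    user_agent = str(event.get("userAgent") or "").lower()
    return status == "success" and any(
        marker.lower() in user_agent for marker in LEGACY_UA_MARKERS
    )


def triage(events, known_accounts=KNOWN_LEGACY_ACCOUNTS):
    """Return (alerts, suppressed). A hit is suppressed only when the
    account is on the allowlist; 'userPrincipalName' is an assumed field."""
    known = {a.lower() for a in known_accounts}
    alerts, suppressed = [], []
    for event in events:
        if not matches_selection(event):
            continue
        account = str(event.get("userPrincipalName") or "").lower()
        (suppressed if account in known else alerts).append(event)
    return alerts, suppressed


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "Status": "Success", "userAgent": "BAV2ROPC"},
    {"userPrincipalName": "svc-scanner@example.com", "Status": "Success", "userAgent": "CBAinPROD"},
    {"userPrincipalName": "bob@example.com", "Status": "Failure", "userAgent": "BAV2ROPC"},
    {"userPrincipalName": "carol@example.com", "Status": "Success", "userAgent": "Mozilla/5.0"},
    {"userPrincipalName": "dave@example.com", "Status": "success", "userAgent": None},
    {"userPrincipalName": "erin@example.com", "Status": "Success", "userAgent": "cbaintar"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for e in alerts:
        print("ALERT     ", e["userPrincipalName"], e["userAgent"])
    for e in suppressed:
        print("SUPPRESSED", e["userPrincipalName"], e["userAgent"])
```

Suppressed hits are returned rather than dropped so that a change in volume or source for an allowlisted account can still be reviewed.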