legitimate non-interactive access to sharepoint online via the microsoft authentication broker may occur in enterprise environments, especially with mdm solutions or automated scripts. however, this should be explicitly allowed and monitored.

t1213
azure
elastic

Techniques

T1213

Sample rules

Microsoft Entra ID SharePoint Access for User Principal via Auth Broker

source: elastic
technicques:
- T1213

Description

This rule detects non-interactive authentication activity against SharePoint Online (Office 365 SharePoint Online) by a user principal via the Microsoft Authentication Broker application. The session leverages a refresh token or Primary Refresh Token (PRT) without interactive sign-in, often used in OAuth phishing or token replay scenarios.

Detection logic

event.dataset: "azure.signinlogs"
    and azure.signinlogs.properties.app_id: "29d9ed98-a469-4536-ade2-f981bc1d605e"
    and azure.signinlogs.properties.resource_id: "00000003-0000-0ff1-ce00-000000000000"
    and azure.signinlogs.identity: *
    and azure.signinlogs.properties.user_principal_name: *
    and azure.signinlogs.properties.incoming_token_type: ("refreshToken" or "primaryRefreshToken")
    and azure.signinlogs.properties.is_interactive: false