Secure Every Sign-In Through Conditional Access Policies
Observation Summary
Threat actors are going straight for the identity layer, stealing credentials and abusing identity systems to evade conventional defences. Phishing kits like AiTM and Evilginx, device-code attacks, and credential stuffing campaigns all take advantage of gaps in access controls.
One of the biggest blind spots: legacy authentication protocols (POP3, IMAP, SMTP, RPC). These older methods bypass modern security checks entirely, creating a “backdoor” into your environment.
In one recent campaign, attackers launched more than 9,000 automated legacy-login attempts across multiple regions, exploiting Entra ID’s fallback BAV2ROPC flow to skirt MFA and Conditional Access altogether.
This is where Conditional Access becomes critical. It enforces the right access controls at the right time—but remember, it’s applied after the first authentication factor succeeds.
That means MFA and other requirements kick in only once the initial credential check passes. Every interactive sign-in is evaluated in real time against live policies and risk signals such as user risk level, device compliance, and more.
What’s Happening
- Evolving Phishing and AiTM Tactics:
  - Attackers deploy sophisticated AiTM phishing kits (e.g., Evilginx, Muraena, Modlishka) that intercept MFA tokens in real time.
  - Victims authenticate successfully, but attackers capture access and refresh tokens, reusing them from different devices to impersonate users.
  - Microsoft reported a 146% YoY increase in AiTM phishing since 2024, highlighting the surge in session hijacking attempts.
- OAuth Consent and Device Flow Abuse:
  - Malicious OAuth applications trick users into granting elevated permissions such as Mail.ReadWrite or Files.Read.All.
  - The Device Code OAuth flow, intended for headless devices, is being weaponized (e.g., Storm-2372 campaigns) to log in without MFA challenges.
- Session / Token Theft & Replay:
  - Attackers increasingly target Primary Refresh Tokens (PRTs) via infostealers or phishing.
  - A stolen PRT effectively functions as a persistent “cloud Golden Ticket,” providing long-term access even after password resets.
- Legacy Authentication Gaps:
  - Legacy protocols like IMAP, POP3, SMTP, RDP, and BAV2ROPC bypass modern CAP and MFA.
  - In a recent attack wave, adversaries automated 9,000+ legacy logins globally, exploiting Entra ID’s fallback password flow to access mailboxes and shared drives.
ProArch SOC Observations
Scenario 1: Missing CAP Enforcement on Risky Sign-in
A user clicked a phishing link that bypassed Defender filters. Azure AD flagged a High-Risk sign-in, but no CAP existed to block high-severity events.
The attacker accessed files before ProArch SOC intervened. SOC actions included forced password reset, session revocation and new CAP enforcement for high-risk sign-ins.
Scenario 2: Token Replay on Named Location
Repeated sign-ins were observed from a trusted location using an Android device. Azure’s Identity Protection marked them Medium Risk, but the CAP did not challenge medium-risk logins with MFA.
After client validation, the sign-ins were confirmed malicious, although no malicious activity was carried out.
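As an added illustration (not the advisory's or Microsoft's code), the following Python model replays the two scenarios against a small set of Conditional Access policies. It assumes simplified policy dicts in the shape of the Microsoft Graph conditionalAccessPolicy resource and constructed sign-ins, and shows two points from above: policies only run after the first factor passes, and a sign-in that no enabled policy matches is simply allowed.

```python
"""Added illustration of the Conditional Access evaluation order described above,
not Microsoft's code. Policy dicts follow the shape of the Graph
conditionalAccessPolicy resource (state, conditions, grantControls)."""
from dataclasses import dataclass

@dataclass
class SignIn:
    user: str
    app: str
    client_app_type: str   # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    sign_in_risk: str      # Identity Protection sign-in risk: none | low | medium | high
    first_factor_ok: bool  # Conditional Access is consulted only after the password check passes

def risk_policy(name: str, risk_levels: list[str], control: str, state: str = "enabled") -> dict:
    """Tenant-wide policy keyed on sign-in risk; control is 'block' or 'mfa'."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": ["all"], "signInRiskLevels": risk_levels},
            "grantControls": {"operator": "OR", "builtInControls": [control]}}

def _applies(policy: dict, s: SignIn) -> bool:
    """Does the policy's assignment scope cover this sign-in?"""
    c = policy["conditions"]
    in_scope = lambda wanted, actual: "All" in wanted or actual in wanted
    return (in_scope(c["users"]["includeUsers"], s.user)
            and in_scope(c["applications"]["includeApplications"], s.app)
            and ("all" in c["clientAppTypes"] or s.client_app_type in c["clientAppTypes"])
            and (not c["signInRiskLevels"] or s.sign_in_risk in c["signInRiskLevels"]))

def evaluate(policies: list[dict], s: SignIn) -> str:
    """Combined decision: first_factor_failed | blocked | mfa | allow."""
    if not s.first_factor_ok:
        return "first_factor_failed"  # policies never run; CA sits after the first factor
    decision = "allow"                # no matching enabled policy means no extra control
    for p in policies:
        if p["state"] != "enabled" or not _applies(p, s):
            continue                  # report-only policies are evaluated but not enforced
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            return "blocked"          # block overrides every grant control
        if "mfa" in controls:
            decision = "mfa"          # otherwise the strictest matching grant wins
    return decision

# The two SOC scenarios above as constructed sign-ins (user and app names are placeholders)
SCENARIO_1 = SignIn("user1@example.com", "SharePoint Online", "browser", "high", True)
SCENARIO_2 = SignIn("user2@example.com", "Exchange Online", "mobileAppsAndDesktopClients", "medium", True)
```

With no policy at all, Scenario 1's high-risk sign-in evaluates to "allow", which is exactly the gap the SOC closed; adding a medium-risk MFA policy is what turns Scenario 2 from "allow" into a challenge.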
Why It Matters
- Data Exposure & Persistent Access: Stolen OAuth or refresh tokens grant attackers prolonged access to Exchange, SharePoint, and Teams. This undermines MFA, enables stealthy data exfiltration, and complicates post-incident remediation.
- Session Hijacking: Without token binding, attackers can reuse a session or refresh token from any device, effectively cloning a user’s authenticated state.
- OAuth Bypass: Consent phishing allows adversaries to exploit user-granted permissions for continuous access, often invisible to traditional CAP enforcement.
- Operational Blind Spots: Unprotected sign-ins (e.g., non-interactive, service accounts, legacy auth) bypass CAP entirely, allowing silent persistence.
Recommendations
- Risk- and Role-Scoped CAP Enforcement:
  - Create CAPs tied to Identity Protection risk signals.
  - Require re-authentication for medium- and high-risk logins, and block high-risk sign-ins outright.
  - Apply stricter identity verification rules for privileged roles (admin, C-suite).
- Device & Token Binding:
  - Enable Token Protection in CAP to cryptographically bind refresh tokens to devices.
  - Restrict access to sensitive apps to compliant or registered devices only.
- Session Controls for Unmanaged Devices:
- Legacy Protocol Lockdown:
  - Block all Basic Auth and legacy endpoints such as IMAP, POP, ActiveSync, and suspicious user agents (BAV2ROPC, axios, python-requests, curl, etc.).
  - Continuously audit sign-ins for these user agents and trigger alerts.
- Phish-Resistant Authentication Enforcement:
  - Use Conditional Access Authentication Strength to require phish-resistant MFA methods (e.g., FIDO2 keys, Windows Hello for Business, Certificate-Based Authentication).
  - Apply these policies to privileged roles and sensitive apps to prevent MFA bypass or session hijacking.
- Continuous Access Evaluation (CAE):
  - Enable CAE to immediately revoke tokens when account risk increases, passwords are reset, or user states change.
  - This ensures real-time enforcement across active sessions.
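An added detection example for the audit step in the recommendations (not from the advisory): it runs over constructed sign-in records that use the Microsoft Graph signIn field names (clientAppUsed, userAgent, ipAddress, status.errorCode), flags legacy protocols and the scripted user agents listed above, and surfaces source IPs that spray many accounts over those paths.

```python
"""Added detection example (not from the advisory): flag Entra ID sign-ins that
arrive over legacy protocols or with the scripted user agents named above, and
surface IPs spraying many accounts over those paths. Field names follow the
Microsoft Graph signIn resource; the records below are constructed sample data."""
import re
from collections import defaultdict

LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "Other clients", "IMAP4", "POP3",
                      "Authenticated SMTP", "Exchange Web Services", "MAPI over HTTP"}
SUSPECT_UA = re.compile(r"BAV2ROPC|axios|python-requests|curl", re.IGNORECASE)

SAMPLE_SIGNINS = [  # constructed, not real tenant data; 50126 = invalid username or password
    {"userPrincipalName": "a.user@example.com", "clientAppUsed": "Browser",
     "userAgent": "Mozilla/5.0", "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "b.user@example.com", "clientAppUsed": "Other clients",
     "userAgent": "BAV2ROPC", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "c.user@example.com", "clientAppUsed": "IMAP4",
     "userAgent": "BAV2ROPC", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "d.user@example.com", "clientAppUsed": "Authenticated SMTP",
     "userAgent": "BAV2ROPC", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "e.user@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "userAgent": "python-requests/2.31", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
]

def legacy_reasons(rec: dict) -> list[str]:
    """Why one sign-in record should be treated as a legacy or scripted login."""
    reasons = []
    if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
        reasons.append(f"legacy client: {rec['clientAppUsed']}")
    if SUSPECT_UA.search(rec.get("userAgent") or ""):
        reasons.append(f"suspect user agent: {rec['userAgent']}")
    return reasons

def flag_legacy_signins(records: list[dict]) -> list[tuple[str, str, list[str]]]:
    """(user, source IP, reasons) for every record that bypasses the modern auth path."""
    return [(r["userPrincipalName"], r["ipAddress"], why)
            for r in records if (why := legacy_reasons(r))]

def spray_sources(records: list[dict], min_users: int = 3) -> dict[str, int]:
    """Source IPs that hit at least min_users distinct accounts over legacy or
    scripted paths. Failures (errorCode 50126) count alongside successes: the
    single success inside a spray is the event worth paging on."""
    users_by_ip: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if legacy_reasons(r):
            users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
```

In a tenant, the same logic applies to sign-in records exported from the Entra sign-in logs; once legacy authentication is blocked by policy, any record these functions still flag is a policy gap to investigate rather than a user to page.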
Key Takeaway
- Modern attackers exploit any lapse in identity controls to bypass MFA and Conditional Access.
- With identity-based attacks up over 250% since 2023, enforcing CAP on every sign-in is essential to uphold Zero Trust principles and stop credential compromise before it turns into a full-domain breach.
