Query Details

Legacy Authentication Bypassing MFA and Conditional Access

18 Legacy Auth MFA Bypass

Query

let LegacyProtocols = dynamic([
    "Exchange ActiveSync", "IMAP4", "MAPI Over HTTP",
    "POP3", "SMTP", "Authenticated SMTP", "AutoDiscover",
    "Exchange Online PowerShell", "Exchange Web Services",
    "Other clients", "Other clients; IMAP", "Other clients; POP"
]);
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ClientAppUsed in (LegacyProtocols)
| where ResultType == 0
| summarize
    SignInCount = count(),
    IPs         = make_set(IPAddress),
    Countries   = make_set(Location),
    Protocols   = make_set(ClientAppUsed),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName, AppDisplayName
| where SignInCount > 3
| extend IPAddress = tostring(IPs[0])
| order by SignInCount desc

Explanation

This query is designed to detect security risks associated with the use of legacy authentication protocols in an organization's Azure Active Directory environment. Here's a simplified summary:

  • Purpose: The query identifies successful sign-ins using outdated protocols like Exchange ActiveSync, IMAP, POP3, and others. These protocols don't support Multi-Factor Authentication (MFA) or Conditional Access policies, making them a potential security risk as attackers can exploit them to bypass security measures.

  • Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-in logs.

  • Frequency: The query runs every hour and checks for sign-ins that occurred in the past hour.

  • Detection Criteria:

    • It looks for sign-ins using legacy protocols.
    • It filters for successful sign-ins (ResultType == 0).
    • It counts the number of sign-ins per user and application and flags cases where a user has more than three sign-ins using these protocols within the hour.
  • Output:

    • The query summarizes the number of sign-ins, the IP addresses used, countries of origin, and the protocols involved.
    • It orders the results by the number of sign-ins in descending order.
  • Alerting:

    • If the conditions are met, an alert is generated with details like the user's name, the protocols used, and the number of sign-ins.
    • The alert is configured to create an incident, grouping alerts by user account to manage them effectively.
  • Security Context: This query aligns with MITRE ATT&CK techniques related to valid accounts and exploiting public-facing applications, focusing on tactics like defense evasion, initial access, and credential access.

In essence, this query helps security teams identify and respond to potential security breaches where attackers might be using legacy protocols to bypass modern security controls.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryUserAccountIPAddressLocationClientAppPrincipalNameDisplaySignInCountTimeGenerated

Operators

letdynamicinwhere>ago==summarizecountmake_setminmaxbyextendtostringorder bydesc

Severity

Medium

Tactics

DefenseEvasionInitialAccessCredentialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub