Query Details

18 Legacy Auth MFA Bypass

Query

id: f3a9b1c2-d7e8-0f4a-5b6c-7d8e9f0a1b2c
name: Legacy Authentication Bypassing MFA and Conditional Access
version: 1.0.0
kind: Scheduled
description: |
  Detects successful non-interactive sign-ins over legacy authentication protocols
  (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, MAPI, etc.). These protocols
  carry a username and password (basic authentication) and cannot complete an MFA
  challenge, so Conditional Access can only block them outright, not require MFA for
  them. A successful legacy sign-in on an account that is supposed to be MFA-protected
  is therefore a sign-in that MFA never covered. Attackers with a sprayed or leaked
  password deliberately try these protocols for exactly this reason.
  MITRE ATT&CK: T1078 (Valid Accounts), T1550 (Use Alternate Authentication Material)
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1550
query: |
  // ClientAppUsed values that Entra ID reports for legacy (basic-auth) protocols.
  // Anything other than "Browser" and "Mobile Apps and Desktop clients" is legacy.
  let LegacyProtocols = dynamic([
      "Exchange ActiveSync", "IMAP4", "MAPI Over HTTP",
      "POP3", "SMTP", "Authenticated SMTP", "AutoDiscover",
      "Exchange Online PowerShell", "Exchange Web Services",
      "Other clients", "Other clients; IMAP", "Other clients; POP"
  ]);
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where ClientAppUsed in (LegacyProtocols)
  // ResultType is a string column; "0" is a successful sign-in
  | where ResultType == "0"
  | summarize
      SignInCount = count(),
      IPs         = make_set(IPAddress),
      Countries   = make_set(Location),
      Protocols   = make_set(ClientAppUsed),
      FirstSeen   = min(TimeGenerated),
      LastSeen    = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName
  // Tune per tenant: a mail client polling IMAP4 every few minutes exceeds this alone
  | where SignInCount > 3
  // Only the first address in the set is mapped to the IP entity below
  | extend IPAddress = tostring(IPs[0])
  | order by SignInCount desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  SignInCount: SignInCount
  LegacyProtocols: Protocols
  Countries: Countries
  AppDisplayName: AppDisplayName
alertDetailsOverride:
  alertDisplayNameFormat: "Legacy Auth Bypass - {{UserPrincipalName}} using {{Protocols}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} performed {{SignInCount}} non-interactive sign-ins using legacy protocols ({{Protocols}}) that bypass MFA and Conditional Access."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect security risks associated with the use of legacy authentication protocols in an organization's Azure Active Directory environment. Here's a simplified summary:

  • Purpose: The query identifies successful sign-ins using outdated protocols like Exchange ActiveSync, IMAP, POP3, and others. These protocols carry a username and password (basic authentication) and cannot complete an MFA challenge, so Conditional Access can only block them, not step them up. A successful sign-in over one of them is a sign-in that MFA never protected, which is why an attacker holding a sprayed or leaked password tries these protocols first.

  • Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-in logs.

  • Frequency: The query runs every hour and checks for sign-ins that occurred in the past hour.

  • Detection Criteria:

    • It looks for sign-ins using legacy protocols.
    • It keeps only successful sign-ins (ResultType 0); failed spray attempts do not count toward the threshold.
    • It counts the number of sign-ins per user and application and flags cases where a user has more than three sign-ins using these protocols within the hour.
  • Output:

    • The query summarizes the number of sign-ins, the IP addresses used, countries of origin, and the protocols involved.
    • It orders the results by the number of sign-ins in descending order.
  • Alerting:

    • If the conditions are met, an alert is generated with details like the user's name, the protocols used, and the number of sign-ins.
    • The alert is configured to create an incident, grouping alerts by user account to manage them effectively.
  • Security Context: The rule maps to MITRE ATT&CK T1078 (Valid Accounts) and T1550 (Use Alternate Authentication Material), under the Defense Evasion, Initial Access and Credential Access tactics.

In essence, this query helps security teams identify accounts on which attackers may be using legacy protocols to get around modern authentication controls.

Tuning notes: a legitimate mail client polling IMAP4 or POP3 every few minutes clears the threshold of three sign-ins per hour on its own, so expect to allow-list known clients or raise the threshold, and weigh alerts that span several IPs or countries far more heavily than single-IP ones. Exchange Online disabled Basic authentication for every protocol except SMTP AUTH in 2022, so in most tenants a successful legacy sign-in should now be rare and is worth a look by itself. The rule reads only the non-interactive log; sign-ins over these protocols also appear in the interactive SigninLogs table, so the same filter should be run there as well. Finally, the entity mapping carries only the first IP address of the set, so the full list in the IPs column should be checked during triage.
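To check the rule body before deploying it, run it over a handful of constructed rows. The harness below is an added example and not part of the original rule: it builds a datatable with the column names and types the real AADNonInteractiveUserSignInLogs table uses (the user names, IP addresses, timestamps and app names are made up), then applies the same legacy-protocol filter, success filter and threshold. It also replaces the `IPs[0]` extraction with an `mv-expand`, so every address in a burst can be mapped to an IP entity rather than only the first.

```kql
// Added test harness (not part of the original rule). The rows below are
// constructed sample data shaped like AADNonInteractiveUserSignInLogs;
// user names, IPs, app names and timestamps are made up.
let SampleSignIns = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, AppDisplayName:string,
    ClientAppUsed:string, ResultType:string, IPAddress:string, Location:string)
[
    // Compromised account: IMAP4/POP3 burst from two countries within one hour
    datetime(2025-01-10 08:02:00), "alice@contoso.example", "Office 365 Exchange Online", "IMAP4", "0",     "203.0.113.7",   "NG",
    datetime(2025-01-10 08:05:00), "alice@contoso.example", "Office 365 Exchange Online", "IMAP4", "0",     "203.0.113.7",   "NG",
    datetime(2025-01-10 08:11:00), "alice@contoso.example", "Office 365 Exchange Online", "IMAP4", "0",     "198.51.100.23", "RU",
    datetime(2025-01-10 08:20:00), "alice@contoso.example", "Office 365 Exchange Online", "POP3",  "0",     "198.51.100.23", "RU",
    // Spray attempts that failed (50126 = invalid username or password): must not count
    datetime(2025-01-10 08:00:00), "bob@contoso.example",   "Office 365 Exchange Online", "IMAP4", "50126", "203.0.113.7",   "NG",
    datetime(2025-01-10 08:01:00), "bob@contoso.example",   "Office 365 Exchange Online", "IMAP4", "50126", "203.0.113.7",   "NG",
    // Modern-auth client: ClientAppUsed is not a legacy value, so it is ignored
    datetime(2025-01-10 08:30:00), "carol@contoso.example", "Microsoft Teams", "Mobile Apps and Desktop clients", "0", "192.0.2.10", "US",
    datetime(2025-01-10 08:31:00), "carol@contoso.example", "Microsoft Teams", "Mobile Apps and Desktop clients", "0", "192.0.2.10", "US",
    datetime(2025-01-10 08:32:00), "carol@contoso.example", "Microsoft Teams", "Mobile Apps and Desktop clients", "0", "192.0.2.10", "US",
    datetime(2025-01-10 08:33:00), "carol@contoso.example", "Microsoft Teams", "Mobile Apps and Desktop clients", "0", "192.0.2.10", "US",
    // Legitimate IMAP4 client polling from a single IP: stays under the threshold
    datetime(2025-01-10 08:40:00), "dave@contoso.example",  "Office 365 Exchange Online", "IMAP4", "0",     "192.0.2.44",    "US",
    datetime(2025-01-10 08:50:00), "dave@contoso.example",  "Office 365 Exchange Online", "IMAP4", "0",     "192.0.2.44",    "US"
];
let LegacyProtocols = dynamic([
    "Exchange ActiveSync", "IMAP4", "MAPI Over HTTP",
    "POP3", "SMTP", "Authenticated SMTP", "AutoDiscover",
    "Exchange Online PowerShell", "Exchange Web Services",
    "Other clients", "Other clients; IMAP", "Other clients; POP"
]);
SampleSignIns
// In production replace SampleSignIns with the real table, or with
//   union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
// since sign-ins over these protocols also land in the interactive log.
| where ClientAppUsed in (LegacyProtocols)
| where ResultType == "0"           // string column, so compare against "0"
| summarize
    SignInCount = count(),
    IPs         = make_set(IPAddress),
    Countries   = make_set(Location),
    Protocols   = make_set(ClientAppUsed),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by UserPrincipalName, AppDisplayName
| where SignInCount > 3
// One row per source IP so each address can be mapped as an IP entity,
// instead of only IPs[0] as in the original rule.
| mv-expand IPAddress = IPs to typeof(string)
| project UserPrincipalName, AppDisplayName, SignInCount, IPAddress, Countries, Protocols, FirstSeen, LastSeen
| order by SignInCount desc, IPAddress asc
```

The sample set is built so that each exclusion path is exercised once: the failed attempts are dropped by the ResultType filter, the Teams client by the protocol list, and the single polling client by the threshold, leaving only the cross-country burst. When pasting this into a Log Analytics workspace, keep the datatable until the output looks right, then swap in the live table and re-add the `TimeGenerated > ago(1h)` filter from the rule.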

Details


David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

Azure Active Directory, User Account, IP Address, Location, ClientApp, UserPrincipalName, AppDisplayName, SignInCount, TimeGenerated

Operators

let, dynamic, in, where, >, ago, ==, summarize, count, make_set, min, max, by, extend, tostring, order by, desc
