Query Details

ROPC Credential Stuffing - Failed Password Grant Spray

24 ROPC Credential Stuffing

Query

let LegitRopcApps = dynamic([
    "Microsoft Authentication Broker",
    "Microsoft Intune Company Portal",
    "Azure AD Connect",
    "Microsoft Office",
    "Microsoft Office Authentication Broker"
]);
let SprayErrors = dynamic(["50126","50053","50056","50055","50064"]);
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol =~ "ropc"
| where ResultType in (SprayErrors)
| where AppDisplayName !in~ (LegitRopcApps)
| summarize
    FailCount = count(),
    Users     = dcount(UserPrincipalName),
    UserList  = make_set(UserPrincipalName, 50),
    Apps      = make_set(AppDisplayName),
    Errors    = make_set(ResultType),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by IPAddress, Location
| where FailCount >= 15 and Users >= 5
| order by FailCount desc

Explanation

This query is designed to detect suspicious activity that indicates credential-stuffing attacks using the ROPC (Resource Owner Password Credential) method. Here's a simple breakdown:

  1. Purpose: The query identifies patterns where a single IP address makes numerous failed login attempts using the ROPC protocol across multiple user accounts. This is often a sign of credential-stuffing attacks, which try to guess passwords by bypassing multi-factor authentication (MFA).

  2. Trigger Conditions: An alert is triggered if there are 15 or more failed login attempts (specific error codes) from the same IP address targeting at least 5 different user accounts within an hour.

  3. Exclusions: Known legitimate applications using ROPC are excluded from the analysis to reduce false positives. Additionally, IP addresses on an allowlist are ignored.

  4. Severity and Techniques: The alert is marked as high severity and relates to MITRE ATT&CK techniques for password spraying and using valid accounts.

  5. Data Source: The query uses logs from Azure Active Directory, specifically non-interactive user sign-in logs.

  6. Output: The query summarizes the number of failed attempts, distinct users targeted, and other details like the first and last time the activity was seen. It orders results by the number of failures.

  7. Alert Details: If the conditions are met, an alert is generated with details about the IP address, number of users targeted, and failure count. This alert can be grouped into incidents for further investigation.

Overall, this query helps security teams identify and respond to potential credential-stuffing attacks by monitoring failed login attempts using the ROPC protocol.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsIPAddressUserPrincipalNameAppDisplayNameResultTypeTimeGeneratedLocationMicrosoftAuthenticationBrokerMicrosoftIntuneCompanyPortalAzureADConnectMicrosoftOfficeMicrosoftOfficeAuthenticationBroker

Operators

letdynamicinvokeago=~in!in~summarizecountdcountmake_setminmaxbywhereorder bydesc

Severity

High

Tactics

CredentialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub