Query Details

Correlation Id Equals Tenant Id In Peculiar Password Spray

Query

// Threat actors were able to set the CorrelationId of the authentication to the same value as the TenantId that receives the authentication
// This peculiar activity ceased on 20th November 2025
SigninLogs
| where CorrelationId == AADTenantId or CorrelationId == HomeTenantId or CorrelationId == AppOwnerTenantId or CorrelationId == ResourceOwnerTenantId
// Optional narrowing filters (uncomment as needed):
// | where App == "0ec893e0-5785-4de6-99da-4ed124e5296c" // Microsoft 365 Copilot
// | where ResourceIdentity == "4765445b-32c6-49b0-83e6-1d93765276ca" // OfficeHome
// | where isempty(UserAgent)

Explanation

This query searches the SigninLogs table for a specific anomaly seen in a password spray campaign: authentication events whose CorrelationId is identical to one of the tenant identifiers on the event (AADTenantId, HomeTenantId, AppOwnerTenantId, or ResourceOwnerTenantId). A CorrelationId is normally an opaque per-request value, so an exact match with a tenant id is a strong indicator that the client set it deliberately. According to the query comments, this behavior stopped occurring after November 20, 2025. The commented-out lines offer optional narrowing filters: restricting results to a specific application such as Microsoft 365 Copilot or OfficeHome, or keeping only events where the UserAgent field is empty.
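An added hunting variant (example code, not the original query above) that groups the same CorrelationId == TenantId matches by source IP so the spray shape becomes visible: many distinct accounts tried from few sources, mostly failing. It assumes the standard SigninLogs columns (TimeGenerated, IPAddress, UserPrincipalName, ResultType, AppDisplayName); the 14-day lookback and the threshold of 10 distinct users are assumptions to tune per tenant.

```kql
// Added example: summarize the CorrelationId == TenantId matches per source IP
// to characterise the spray (accounts attempted, failures vs. successes).
// Lookback window and thresholds are assumptions, not values from the original query.
let lookback = 14d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where CorrelationId == AADTenantId
    or CorrelationId == HomeTenantId
    or CorrelationId == AppOwnerTenantId
    or CorrelationId == ResourceOwnerTenantId
// ResultType "0" is a successful sign-in; anything else is a failure code
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| summarize
    Attempts        = count(),
    DistinctUsers   = dcount(UserPrincipalName),
    Failures        = countif(Outcome == "Failure"),
    Successes       = countif(Outcome == "Success"),
    // Accounts that actually authenticated are the ones to triage first
    SuccessfulUsers = make_set_if(UserPrincipalName, Outcome == "Success", 20),
    Apps            = make_set(AppDisplayName, 10),
    EmptyUserAgent  = countif(isempty(UserAgent)),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by IPAddress
// Spray shape: one source touching many accounts, with failures dominating
| where DistinctUsers >= 10 and Failures > Successes
| order by DistinctUsers desc, Attempts desc
```

Rows with a non-empty SuccessfulUsers set are the accounts to review for session revocation and credential reset.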

Details


Jose Sebastián Canós

Released: December 18, 2025

Tables

SigninLogs

Keywords

SigninLogs

Operators

SigninLogs, where, ==, or
