
Summary
Detects the first-ever sign-in by a Member user in Microsoft Entra ID that uses a legacy authentication client (basic authentication) such as Authenticated SMTP, IMAP4, POP3, Exchange ActiveSync, Exchange Web Services, or other legacy protocols. The rule fires when a Member sign-in event succeeds and the user has not been seen using a legacy client in the prior 7 days, marking a New Terms detection for an uncommon legacy sign-in in modern environments. Legacy clients are often abused for single-factor ROPC grants and password spraying, making this first-occurrence sign-in suspicious and warranting review. The detection is driven by the azure.signinlogs dataset and defines the legacy-client set via client_app_used values. It maps to MITRE ATT&CK techniques for Initial Access (T1078, with Cloud Accounts T1078.004) and Defense Evasion, signaling potential account compromise or unauthorized access attempts. The rule uses the first-occurrence window (history_window_start now-7d) to surface new legacy-client activity for a user and includes an Investigation/Remediation guide and references for contextual enrichment.
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
Created: 2026-07-02