heroui logo

M365 Identity OAuth ROPC Grant via Legacy Authentication Client

Elastic Detection Rules

View Source
Summary
This rule detects a successful login to Microsoft 365 that occurs via legacy authentication clients (Authenticated SMTP, IMAP, POP, or Exchange ActiveSync) which Microsoft Entra ID translates into a Resource Owner Password Credentials (ROPC) grant. The detection surfaces in the Microsoft 365 Unified Audit Log (o365.audit) as a UserLoggedIn event with the user_agent.original value BAV2ROPC, indicating a non-interactive, single-factor sign-in flow that bypasses interactive MFA. Such flows are commonly abused during password spraying and account takeover campaigns targeting accounts not enforcing MFA or blocked from legacy authentication. The rule looks for a successful ROPC/legacy-client login by a user principal within a recent window (not seen performing this activity in the last ~10 days) to identify anomalous mass or unusual usage patterns that may indicate compromise. It relies on o365.audit fields such as UserId, ApplicationId, and Client IP, and cross-references with Entra ID sign-in telemetry for corroboration. The detection signature is defined by a query against the o365.audit dataset (event.code: AzureActiveDirectoryStsLogon, event.action: UserLoggedIn, event.outcome: success, user_agent.original: BAV2ROPC). MITRE ATT&CK mappings link this to Initial Access (T1078, with T1078.004 Cloud Accounts) and Defense Evasion, reflecting the use of valid accounts via cloud-based credential flows for unauthorized access. Investigations should verify the account and source, confirm the client type, assess related activity (mailbox access, forwarding, OAuth grants), and correlate with failed sign-in bursts. Remediation guidance includes disabling the affected account, turning off legacy authentication (SMTP/IMAP/POP, etc.), enforcing MFA, and reviewing for post-compromise actions. False positives may include legitimate legacy apps, service accounts, or stable devices that legitimately use Authenticated SMTP.
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2026-07-02