hunt-2025-038
Token Protection Switch with Different IP
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Combined with phishing as a means for initial access.
T1566
Entra
Threat Hunt Repository
7 threat hunts with detection queries and analytics
hunt-2025-039
User Authenticating to Azure CLI for First Time
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Combined with phishing as a means for initial access.
T1566
Entra
hunt-2025-040
Potential ConsentFix URL Match in Proxy
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Combined with phishing as a means for initial access.
T1566
Entra
hunt-2025-035
Sensitive Keyword Search via Graph
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.
T1134.001
Entra
hunt-2025-034
Potential Token Replay from Different ASNs
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.
T1134.001
Entra
hunt-2025-037
Spike in invalid token usage (50173)
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.
T1134.001
Entra
hunt-2025-036
Unbound Token Usage from High-Risk Apps
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.
T1134.001
Entra