Bypass Record

Valid Accounts × Microsoft corporate environment (Exchange Online, OAuth applications)

A publicly reported instance of the Valid Accounts technique used to bypass a Microsoft corporate environment (Exchange Online, OAuth applications), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft corporate environment (Exchange Online, OAuth applications)
Technique: Valid Accounts
MITRE ATT&CK: T1078
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2024-01-20
Config / version noted: Not stated

Provenance

Reported as

actor gained initial access via password spray on a legacy non-production test tenant without MFA

Mechanism

Password spray attack against a legacy test tenant account lacking MFA, using low-volume attempts from distributed residential proxies to evade detection. After compromise, the actor identified and compromised a legacy test OAuth application with elevated access, created additional malicious OAuth applications, and used a newly created user account to grant consent. This allowed persistent access and lateral movement to corporate email accounts.

Detection & mitigation

Monitor for password spray attempts via Azure AD sign-in logs (error codes 50053, 50055, 50057) and unusual EWS activity. Audit OAuth application permissions and consent grants, especially for legacy or high-privilege apps. Enforce MFA and conditional access to block legacy authentication.
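
The sign-in log monitoring described above, as an added example that is not part of the cited source or this record: it runs two checks over constructed Azure AD sign-in events, one per source IP and one tenant-wide, so that a spray spread thinly across residential proxies (the low-volume pattern in the mechanism above) is still caught. Tenant name, users, IPs and thresholds are hypothetical.

```python
from collections import defaultdict

# Sign-in error codes the record lists as password-spray indicators in Azure AD logs.
SPRAY_ERROR_CODES = {50053, 50055, 50057}

def _ev(user, ip, code):
    # Minimal constructed sign-in event using Azure AD sign-in log field names.
    return {"userPrincipalName": user, "ipAddress": ip, "errorCode": code}

# Constructed sample events (hypothetical tenant, users and IPs; not real data).
SAMPLE_SIGNINS = (
    # one source trying a password against many accounts, once each
    [_ev(f"user{i}@test.example", "203.0.113.10", 50053) for i in range(1, 5)]
    # the same spray spread across residential proxy IPs, one account per IP
    + [_ev(f"user{i}@test.example", f"198.51.100.{i}", 50053) for i in range(5, 11)]
    # brute force against one account: many attempts, one user, not a spray
    + [_ev("admin@test.example", "203.0.113.99", 50053) for _ in range(6)]
    # a normal successful sign-in (errorCode 0) that must be ignored
    + [_ev("user1@test.example", "192.0.2.5", 0)]
)

def _spray_failures(events):
    """Yield (ip, user) for each failed sign-in carrying a listed error code."""
    for e in events:
        if e.get("errorCode") in SPRAY_ERROR_CODES:
            yield e["ipAddress"], e["userPrincipalName"].lower()

def single_source_spray(events, min_users=3, max_attempts=2):
    """IPs that failed against >= min_users distinct accounts with <= max_attempts
    each: the wide-net, low-volume-per-account shape of a spray from one host."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in _spray_failures(events):
        per_ip[ip][user] += 1
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_attempts}

def distributed_spray(events, min_users=5, max_attempts=2, min_ips=3):
    """Tenant-wide view for sprays split across proxies so that no single IP
    trips a per-IP rule. Returns (users, ips) if the pattern holds, else None."""
    per_user, ips = defaultdict(int), set()
    for ip, user in _spray_failures(events):
        per_user[user] += 1
        ips.add(ip)
    low_volume = sorted(u for u, n in per_user.items() if n <= max_attempts)
    if len(low_volume) >= min_users and len(ips) >= min_ips:
        return low_volume, sorted(ips)
    return None
```

The per-IP rule alone misses the proxy-distributed events here (each IP touches one account), which is why the tenant-wide count of low-volume failing accounts is the check that matters for this case.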

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.