Phishing and spoofed mail commonly fail one or more email authentication checks (SPF, DKIM, DMARC, or Microsoft 365's composite authentication verdict, CompAuth), because an adversary impersonating a domain cannot send from that domain's authorized infrastructure or sign with its DKIM key. A sustained rise in failures for a given authentication type therefore points either at a spoofing campaign or at a legitimate sender whose records are misconfigured. SOC teams can hunt for this in Microsoft Sentinel (formerly Azure Sentinel) using the EmailEvents table from the Microsoft 365 Defender connector, which carries the per-message authentication results from Defender for Office 365, and triage the failing senders before the mail reaches users.
KQL Query

```kql
EmailEvents
| where Timestamp > ago(30d)
// AuthenticationDetails is a JSON string of per-protocol verdicts, e.g.
// {"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}
| project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods
// bag_unpack promotes each key of the property bag to its own column (SPF, DKIM, DMARC, CompAuth)
| evaluate bag_unpack(AR)
// swap DMARC for SPF, DKIM or CompAuth to review a different authentication type
| where DMARC == "fail"
| summarize count() by bin(Timestamp, 1d)
```
```yaml
id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
name: Authentication failures by time and authentication type
description: |
  This query helps review the authentication failure count by authentication type. Change the authentication type in the query (DMARC, DKIM, SPF, CompAuth) to review a different one.
description-detailed: |
  This query helps review the authentication failure detection count by authentication type in Defender for Office 365. Change the authentication type in the query (DMARC, DKIM, SPF, CompAuth) to see different results.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods
  | evaluate bag_unpack(AR)
  | where DMARC == "fail"
  | summarize count() by bin(Timestamp, 1d)
version: 1.0.0
```
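The description above asks you to edit the authentication type into the query by hand. As an added example, not the hunting query shipped in the Sentinel repository, the query below counts failures for all four types per day in a single pass. It assumes the AuthenticationDetails keys are SPF, DKIM, DMARC and CompAuth (the same keys the original query relies on) and narrows to inbound mail, which is a scoping assumption you can drop. Reading the keys with property access (`AR.SPF`) instead of `bag_unpack` means a message that lacks a key yields an empty string rather than changing the output schema.

```kql
// Added example for this page, not the Sentinel repository's own query.
// Counts failures for every authentication type per day at once, so the
// type does not have to be edited into the query by hand.
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"      // assumption: outbound and intra-org mail is out of scope
| extend AR = parse_json(AuthenticationDetails)
// tostring(AR.Key) returns "" when the key is absent instead of dropping a column
| extend SPF = tostring(AR.SPF),
         DKIM = tostring(AR.DKIM),
         DMARC = tostring(AR.DMARC),
         CompAuth = tostring(AR.CompAuth)
| summarize Total = count(),
            SPF_fail = countif(SPF =~ "fail"),
            DKIM_fail = countif(DKIM =~ "fail"),
            DMARC_fail = countif(DMARC =~ "fail"),
            CompAuth_fail = countif(CompAuth =~ "fail"),
            Flagged = countif(isnotempty(ThreatTypes))   // messages Defender already verdicted as a threat
  by Day = bin(Timestamp, 1d)
// share of the day's inbound mail that failed DMARC; a jump here is the hunting signal
| extend DMARC_fail_pct = round(100.0 * DMARC_fail / Total, 1)
| order by Day asc
```

The `Flagged` column is worth keeping next to the failure counts: a day where DMARC failures rise but `Flagged` does not is more likely a legitimate sender with broken records than a campaign, and the reverse suggests Defender is already catching the spoofed mail.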
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure the connector is enabled and that Defender for Office 365 email data is being ingested |
Scenario: Backup or monitoring appliances sending mail as the organization's domain
Description: A backup tool (e.g., Veeam, Commvault) or a monitoring system sends job reports with a From address in the organization's domain, but directly from an IP address that is not listed in the domain's SPF record and without a DKIM signature, so the message fails SPF and therefore DMARC.
Filter/Exclusion: Exclude events where SenderIPv4 is the appliance's known sending address and SenderFromDomain is the organization's own domain. The durable fix is to add the appliance to the SPF record or route its mail through a connector that DKIM-signs it, so the failures stop at the source.
Scenario: Admin scripts sending notification mail
Description: An admin runs a script (e.g., PowerShell Send-MailMessage or a custom tool) that sends mail from an internal address through an SMTP relay. If the relay's IP is not authorized in SPF and the message is not DKIM-signed, it fails DMARC although it is legitimate.
Filter/Exclusion: Exclude events where SenderIPv4 is the relay's address and SenderFromAddress is the script's known sender mailbox.
Scenario: DKIM signature validation on forwarded or modified mail
Description: Defender for Office 365 validates the DKIM signature of each inbound message against the selector record published in the sending domain's DNS. Mailing lists and forwarding services that rewrite the subject or append a footer break the signature, and a selector whose public key was rotated or removed has the same effect, so DKIM reports fail for mail that is otherwise genuine.
Filter/Exclusion: Exclude known mailing-list and forwarding sender domains (SenderMailFromDomain), and treat a DKIM fail as low priority when DMARC still passes, since an aligned SPF pass is sufficient for DMARC.
Scenario: CompAuth (composite authentication) on hybrid and relayed mail
Description: CompAuth is Microsoft 365's composite authentication verdict, derived from SPF, DKIM, DMARC and other sender signals; it is not a login mechanism used by patching tools or service accounts. Mail that reaches Exchange Online through an on-premises Exchange server or a third-party gateway is evaluated against the last hop's IP rather than the original sender, so SPF fails and the composite verdict can fail with it for legitimate mail unless Enhanced Filtering for Connectors is configured.
Filter/Exclusion: Exclude events where EmailDirection is "Intra-org" or Connectors names the known inbound connector, and configure Enhanced Filtering for Connectors so the true source IP is used for authentication.
Scenario: SPF failures from third-party senders and forwarded mail (the authentication type is SPF; there is no SPM result in AuthenticationDetails)
Description: SaaS platforms that send on behalf of the organization's domain (ticketing, marketing, HR tools) fail SPF until their sending IPs or an include: mechanism are added to the domain's SPF record, and mail forwarded from an external mailbox fails SPF because the forwarding server is not authorized for the original sender's domain.
Filter/Exclusion: Exclude events where SenderMailFromDomain is a vendor already approved to send for the organization, and fix the SPF record rather than carrying the exclusion indefinitely; for forwarded mail, DMARC can still pass when the DKIM signature survives and aligns with the From domain.
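As an added example, not part of the original page or the Sentinel repository, the following query applies the kinds of exclusion described in the scenarios above to the DMARC-fail hunt and groups what remains by sending domain and IP for triage. The relay IPs, vendor domain and connector name are placeholders to replace with your own; the column names (SenderIPv4, SenderMailFromDomain, SenderFromDomain, Connectors, RecipientEmailAddress) are from the EmailEvents schema.

```kql
// Added example for this page, not the Sentinel repository's own query.
// Tuned DMARC-failure hunt: drops the known benign sources from the
// scenarios above, then ranks the remaining failing senders for triage.
let KnownRelayIPs = dynamic(["203.0.113.10", "203.0.113.11"]);   // assumption: appliances/relays that send as your domain
let KnownThirdPartySenders = dynamic(["vendor.example.com"]);     // assumption: vendors approved to send for your domain
let InternalConnector = "Hybrid-OnPrem-Inbound";                  // assumption: name of your on-prem inbound connector
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"                               // intra-org and outbound mail excluded by design
| extend AR = parse_json(AuthenticationDetails)
| extend SPF = tostring(AR.SPF),
         DKIM = tostring(AR.DKIM),
         DMARC = tostring(AR.DMARC),
         CompAuth = tostring(AR.CompAuth)
| where DMARC =~ "fail"
| where SenderIPv4 !in (KnownRelayIPs)                            // backup/monitoring appliances, admin relays
| where SenderMailFromDomain !in (KnownThirdPartySenders)         // approved SaaS senders
| where Connectors != InternalConnector                           // hybrid mail seen via the last-hop IP
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            SPF_fail = countif(SPF =~ "fail"),
            DKIM_fail = countif(DKIM =~ "fail"),
            CompAuth_fail = countif(CompAuth =~ "fail"),
            Flagged = countif(isnotempty(ThreatTypes)),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by SenderFromDomain, SenderIPv4
| order by Messages desc
| take 50
```

A row where SenderFromDomain is your own domain and Flagged is zero is almost always another unregistered internal sender to add to SPF or to the relay list; a row where the From domain belongs to a partner or a well-known brand, many recipients are hit in a short window and CompAuth also fails is the spoofing case the hunt exists to find.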