In this module

EI0.5 Attack Patterns You Will Defend Against

50-70 minutes · Module 0 · Free

Operational Objective

Before you design any defense, you need to know what you are defending against. This subsection maps the specific identity attack techniques that this course teaches you to prevent, detect, and respond to. Each attack is described with enough detail that you understand how it works — and each is mapped to the module that teaches the defense. This is your threat model for the course.

Deliverable: A clear understanding of each identity attack technique, how it exploits a specific weakness in the authentication flow, which module teaches the defense, and the MITRE ATT&CK mapping for each technique.

⏱ Estimated completion: 12 minutes

The attacks and the defenses

This course is organized around attack techniques, not product features. You do not learn conditional access because it is a feature — you learn it because it stops specific attacks. Every module maps to one or more of the following attack patterns.

Figure EI0.5 - Attack Patterns You Will Defend Against

AiTM credential phishing

Adversary-in-the-middle credential phishing is the most significant identity attack technique in production today. The attacker sends a phishing email that directs the user to a proxy page — a server controlled by the attacker that sits between the user and the real Entra ID sign-in page. The user sees what appears to be a legitimate Microsoft sign-in experience. They enter their username and password. The proxy forwards these credentials to the real Entra ID endpoint. Entra ID challenges for MFA. The user completes the MFA challenge — approves a push notification, enters a code, taps their security key. The proxy captures the session token that Entra ID issues after successful authentication.

The attacker now possesses a valid session token that has already satisfied MFA. They replay this token from their own device, and Entra ID grants access because the token is valid. The user's MFA did not fail — it succeeded. The attacker simply intercepted the result.

This is why MFA alone does not stop AiTM. The defense requires a combination of controls: phishing-resistant authentication methods (FIDO2/passkeys, which verify the domain cryptographically and cannot be proxied), compliant device requirements (which ensure the token is issued to a managed device), and token protection (which binds the token to the device that completed authentication). EI2 covers the authentication methods, EI4 builds the conditional access policy combination, and EI7 covers token protection deployment.

Password spray

Password spray attacks target the authentication endpoint directly. The attacker tries a small number of common passwords (such as "Spring2026!" or "Welcome1") against a large number of accounts. Unlike brute force, which tries many passwords against one account, spray distributes the attempts across many accounts to stay below account lockout thresholds.

Password spray succeeds when users choose predictable passwords and when legacy authentication protocols (IMAP, POP3, SMTP Basic Auth) are still enabled — legacy protocols do not support MFA, so a correct password grants full access. The defense combines blocking legacy authentication (the single most impactful change), enabling Entra ID Password Protection with custom banned word lists, enforcing MFA for all users, and deploying Identity Protection to detect the spray pattern. EI2 covers password protection, EI4 builds the conditional access policies, and EI13 teaches the detection rules.

MFA fatigue

MFA fatigue exploits push notification MFA. The attacker has the user's password (from spray, breach data, or phishing) and repeatedly initiates sign-in attempts, each triggering a push notification to the user's Authenticator app. After receiving dozens of unexpected push prompts, some users will approve one — either out of confusion, to make the notifications stop, or because they believe the system is malfunctioning.

The primary defense is number matching — instead of a simple "Approve/Deny" prompt, the Authenticator shows a two-digit number that the user must enter from the sign-in screen. The attacker cannot see this number because they are not looking at the sign-in screen (it is on the real user's browser). Additional context (showing the application name and sign-in location on the prompt) further helps the user identify suspicious prompts. The ultimate defense is replacing push MFA with phishing-resistant authentication (passkeys or FIDO2 keys), which eliminates the prompt entirely. EI2 covers the method configuration and EI4 builds the policy enforcement.

Token theft and replay

Token theft occurs after successful authentication. The attacker obtains a valid access token, refresh token, or PRT from a compromised device — through malware that extracts browser cookies, through AiTM session capture, or through physical access to an unlocked workstation. They then replay this token from their own device.

The most common method is information-stealing malware — families like Raccoon Stealer, RedLine, and Lumma target browser cookie databases and extract session tokens for cloud services including Microsoft 365. The attacker does not need to know the user's password or bypass MFA — the token was issued after the user already completed both. The stolen cookie is imported into the attacker's browser, and they have a fully authenticated session. Sign-in logs may show the original legitimate authentication from the user's device, but the subsequent token usage from the attacker's device may appear as a non-interactive sign-in or may not generate a new sign-in event at all if the token is used directly against a resource API.

Expand for Deeper Context

The signs of token replay in the sign-in logs include: a sign-in from a new IP address or country shortly after a legitimate sign-in, a sign-in with "anomalous token" in the risk detections, a non-interactive sign-in from a device that is not the user's registered device, and (most critically) the absence of an MFA challenge on a sign-in that should have required one — because the replayed token has already satisfied MFA.

Token protection (EI7) is the primary defense against token replay. By binding tokens to the device that completed authentication, token protection ensures that a token replayed from a different device will fail validation. Continuous access evaluation (CAE) provides near-real-time revocation when Identity Protection detects anomalous token usage. Sign-in frequency controls limit how long any token remains valid. And endpoint protection — Credential Guard for PRT protection, device compliance enforcement — reduces the attacker's ability to extract tokens from managed devices in the first place.

Consent phishing does not steal the user's credentials at all. Instead, the attacker creates a malicious OAuth application and tricks the user into granting it permissions. The phishing email contains a link that opens the Entra ID consent prompt: "This application is requesting permission to: Read your email, Send email on your behalf, Access your files." If the user clicks "Accept," the attacker's application receives the requested permissions and can access the user's data directly through the Microsoft Graph API — without ever knowing the user's password.

What makes consent phishing particularly dangerous is persistence. The permissions granted through consent survive password resets, MFA re-enrollment, and session revocation. The attacker's application has its own credentials — it does not depend on the user's authentication state at all. Even if you detect the compromise and reset every aspect of the user's account, the malicious application retains its granted permissions until someone explicitly reviews and revokes the consent grant. Many organizations do not have a process for reviewing application consent grants, which means the attacker's access can persist indefinitely.

Expand for Deeper Context

The audit log records consent grant events as "Consent to application" activities. The critical fields are the application name (often designed to look legitimate — "Microsoft Security Update" or "Office 365 Compliance"), the permissions granted (look for Mail.ReadWrite, Mail.Send, Files.ReadWrite.All, User.Read.All), and the user who consented. EI13 builds the detection rule that monitors for these high-risk consent events.

The defense centers on restricting user consent. Blocking user consent entirely and implementing the admin consent workflow (EI9) means users cannot grant permissions to any application without administrator approval. Application governance policies in Defender for Cloud Apps can detect suspicious consent grants after the fact. Detection rules in EI13 monitor the audit log for high-risk consent events in real time.

Privilege escalation

Once inside an environment, attackers escalate privileges to expand access and establish persistence that survives remediation. The techniques are specific and well-documented:

Directory role modification — the attacker adds the compromised account (or a new account they created) to a privileged role such as Global Administrator, Exchange Administrator, or Application Administrator. With Global Administrator access, the attacker controls the entire tenant and can disable the security controls designed to detect them.

Expand for Deeper Context

Service principal credential addition — the attacker adds a new client secret or certificate to an existing service principal that has broad permissions. This is the most commonly missed persistence mechanism in cloud incident response. The service principal already exists legitimately, already has the permissions it needs, and the new credential the attacker added looks like any other credential rotation. The only sign is an audit log entry for "Add service principal credentials" — which is a routine event in most tenants.

Conditional access policy modification — the attacker weakens a conditional access policy to create an exception for their access. They might add a named location that includes their IP, exclude a user group that contains the compromised account, or change a policy from "Block" to "Report-only." These modifications appear as routine administrative actions in the audit log.

New application registration with broad permissions — the attacker creates a new application registration and grants it application-level permissions (such as Mail.ReadWrite, Directory.ReadWrite.All, or RoleManagement.ReadWrite.Directory). Application permissions do not require user context — the application can act on its own with full permissions. This is functionally equivalent to creating a new admin account, but it is harder to detect because it does not appear in the user sign-in logs.

PIM (EI6) mitigates role-based escalation by removing standing admin assignments. Conditional access policies for privileged roles (EI3) ensure that administrative actions require phishing-resistant MFA from compliant devices. Detection rules (EI13) monitor for role changes, service principal modifications, and conditional access policy changes. Application security (EI9) governs the creation and modification of application registrations.

Workload identity abuse

Service principals and application registrations have credentials (client secrets or certificates) that can be stolen like any other credential — but they cannot use MFA and often have broad permissions. An attacker who obtains a service principal's client secret can authenticate as that application and access any resource the application has permissions to.

The scale of the problem is significant. In a typical enterprise M365 tenant, workload identities outnumber human identities by a factor of five to ten. Many of these applications were registered years ago for projects that have since ended. Their credentials have not been rotated. Their permissions have not been reviewed. Their owners have left the organization. Each one is a potential entry point.

// EI0.5 — What does a password spray look like in your logs?
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 50126  // Invalid username or password
| summarize FailedAttempts = count(), TargetedAccounts = dcount(UserPrincipalName)
    by IPAddress
| where TargetedAccounts > 5
| order by TargetedAccounts desc
// IPs targeting 5+ accounts with wrong passwords = potential spray
// This is the DETECTION pattern you will build into a full rule in EI13

Expand for Deeper Context

The service principal sign-in logs (a separate log from user sign-in logs, accessed under the "Service principal sign-ins" tab in the Entra admin center) record every authentication by a workload identity. Most organizations never review these logs. An attacker using a compromised service principal credential would appear as a routine automated process — unless detection rules are monitoring for unusual sign-in patterns (new IP, new resource, unusual time) for service principal identities.

The defense hierarchy is: use managed identities where possible (they have no extractable credentials), use workload identity federation for external workloads (no secrets to steal), use certificates instead of client secrets for applications that cannot use managed identities, enforce conditional access for workload identities (EI10), and monitor service principal sign-in activity for anomalies.

Beyond this module

The IR course covers the investigation side of each attack technique: IR8 covers identity compromise investigation, IR11 covers Entra ID persistence (including service principal credential abuse and federation trust attacks), and IR13-IR16 include worked scenarios that exercise identity-based investigation skills. The M365 Security Operations course covers these techniques from a SOC alert triage perspective. This course focuses exclusively on prevention and detection — designing the controls that stop these attacks before they succeed.

Try it yourself

Try It — Prioritize Your Defenses

Exercise: Based on the seven attack patterns described above, rank which three are the highest priority for your environment (or an environment you manage). Consider: which attacks are most likely given your current authentication configuration, which would cause the most damage if successful, and which you currently have no defense against.

Write your top three and the module that addresses each one. This becomes your personal learning priority for the course — you may choose to complete those modules first rather than following the linear order.

⚠ Compliance Myth: "We passed our audit, so our identity security is adequate"

The myth: Our SOC 2 auditor reviewed our identity controls and we passed. That means our identity security is sufficient.

The reality: Compliance audits verify that controls exist and that evidence of their operation can be produced. They do not verify that the controls are effective against current attack techniques. An organization can pass a SOC 2 audit with password-based MFA that is vulnerable to AiTM, with conditional access policies that do not cover all applications, with standing Global Administrator assignments, and with no monitoring for consent phishing. Compliance is the minimum bar — operational security is the goal. This course teaches the operational controls; the GRC course (Practical GRC for Security Professionals) teaches how to map those controls to compliance frameworks and produce the audit evidence.

📋 Investigation Artifact — Identity Threat Model

Use this as the threat model for identity security planning and prioritization:

Identity Threat Model — [Organization Name]

Date: [Assessment date]

Attack Technique: MITRE ATT&CK — Current Defense Status — Priority — Course Module

---: --- — --- — --- — ---

AiTM credential phishing: T1557, T1539 — [None / Partial / Implemented] — [Critical / High / Medium] — EI2, EI4, EI7

Password spray: T1110.003 — [None / Partial / Implemented] — [Critical / High / Medium] — EI2, EI4, EI13

MFA fatigue: T1621 — [None / Partial / Implemented] — [Critical / High / Medium] — EI2, EI4

Token theft / replay: T1539, T1550.001 — [None / Partial / Implemented] — [Critical / High / Medium] — EI7, EI4

Consent phishing: T1098.003 — [None / Partial / Implemented] — [Critical / High / Medium] — EI4, EI9

Privilege escalation: T1078.004, T1098 — [None / Partial / Implemented] — [Critical / High / Medium] — EI6, EI9, EI13

Workload identity abuse: T1098.001 — [None / Partial / Implemented] — [Critical / High / Medium] — EI4, EI10

Top 3 priorities: [List based on your assessment]

Next action: Complete the corresponding course modules and deploy the defenses.

Compliance mapping: Threat modeling supports SOC 2 CC3.2 (Risk Assessment), ISO 27001 A.8.2 (Information Classification), and NIST CSF ID.RA (Risk Assessment).

Decision point

You are reviewing NE's Entra ID security posture. You find 4 accounts with Global Administrator role, but NE's policy says maximum 2. The extra 2 were added during the AiTM incident for emergency response and never removed. Do you remove them?

Remove them — but through the proper process, not unilaterally. Notify the account owners that their emergency GA assignment is being revoked, confirm they have their standard role assignments restored, and document the removal with the rationale ('emergency assignment during INC-NE-2026-0227-001, no longer required'). Then add a PIR action item: 'Implement PIM time-limited role assignments for future incident response — emergency GA assignments auto-expire after 8 hours rather than persisting indefinitely.' The stale emergency assignment is a governance failure, not a technical failure — the fix is procedural.

NE's Entra ID security audit reveals: 4 Global Administrators (policy says 2), 23 users with Global Reader from a completed project, a break-glass account with no monitoring rule, and 3 guest accounts with no expiry date. Which finding is the highest priority?

The 4 Global Administrators — 2 extra GAs doubles the attack surface.

The break-glass account with no monitoring rule. The 4 GAs and stale Global Readers are governance issues that should be remediated — but they are existing conditions, not active threats. The unmonitored break-glass account is a critical detection gap: if the break-glass account is compromised or misused, the SOC has no alert. A break-glass account is excluded from CA policies by design — it is the most powerful and least restricted account in the tenant. Without monitoring, its compromise or misuse is invisible. Deploy the monitoring rule (any sign-in to the break-glass account = Severity 1 alert) before addressing the other findings.

The 23 stale Global Readers — this is the largest number of affected accounts.

The 3 guest accounts — external accounts without expiry are the highest risk.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
The Defense Design Method — the six-step framework applied to every identity control you'll build
EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain

Unlock the full course with Premium See Full Syllabus

← Previous Next →