Sign In
In this module

EI0.6 The Identity Kill Chain

50-70 minutes · Module 0 · Free
Operational Objective
When a SOC alert fires for "suspicious sign-in activity," you need to understand where that alert sits in the broader attack lifecycle. Is this initial access or has the attacker already established persistence? Is this the beginning of the incident or are you seeing the middle? Understanding the identity kill chain — the sequence of steps an attacker follows when targeting Entra ID — lets you assess the severity of any identity alert, predict what the attacker will do next, and determine which defensive controls should have fired at each stage.
Deliverable: A complete understanding of the identity attack lifecycle mapped to Entra ID artifacts, the specific log entries and signals produced at each stage, and the defensive controls that this course teaches for each stage.
⏱ Estimated completion: 18 minutes

From reconnaissance to data exfiltration

The traditional cyber kill chain (Lockheed Martin's model) was designed for network-based attacks against on-premises infrastructure. The identity kill chain adapts this model for cloud identity attacks, where the "network" is the Entra ID authentication endpoint, the "weapons" are stolen credentials and tokens, and the "command and control" is legitimate Microsoft 365 API access.

Understanding each stage reveals two things: first, where your defensive controls should intercept the attack, and second, what evidence each stage produces in the Entra ID logs. The Defense Design Method applies at every stage — each has a specific attack technique, a specific control, and a specific verification query.

THE IDENTITY KILL CHAIN STAGE 1 — RECONNAISSANCE Attacker identifies target users, discovers email format, enumerates valid accounts Defense: Entra ID smart lockout, disable user enumeration endpoint Evidence: AADNonInteractiveUserSignInLogs — failed sign-ins to non-existent accounts STAGE 2 — INITIAL ACCESS AiTM phishing, password spray, MFA fatigue, credential stuffing Defense: Phishing-resistant MFA, block legacy auth, Identity Protection (EI2, EI4, EI5) Evidence: SigninLogs — successful sign-in from anomalous location/device STAGE 3 — PERSISTENCE Inbox rules, OAuth app registration, SP credential addition, federation trust Defense: Block user consent, app governance, audit log monitoring (EI9, EI13) Evidence: AuditLogs — consent grants, credential additions, inbox rule creation STAGE 4 — PRIVILEGE ESCALATION Role assignment, CA policy modification, app permission escalation Defense: PIM, CA for admins, role change detection rules (EI6, EI3, EI13) Evidence: AuditLogs — Add member to role, Update conditional access policy STAGE 5 — LATERAL MOVEMENT Access other users' mailboxes, SharePoint sites, Teams, cross-tenant access Defense: Least privilege, access reviews, session controls (EI12, EI3) Evidence: OfficeActivity, CloudAppEvents — access to resources outside normal scope STAGE 6 — DATA EXFILTRATION / IMPACT Email forwarding, file download, BEC wire fraud, data destruction Defense: DLP, sensitivity labels, auto-attack disruption (EI16, Defender XDR) Evidence: ExchangeAdmin — inbox rules, OfficeActivity — file downloads at scale Total attack duration: as little as 30 minutes for stages 2-6 Every stage produces evidence. The question is whether anyone is looking at it.
Figure EI0.6 - The Identity Kill Chain

Stage 1: Reconnaissance

Before the attacker sends a phishing email or launches a password spray, they gather information about the target organization. Identity reconnaissance in the cloud era is remarkably easy because much of the information is publicly accessible.

The Entra ID login page itself leaks information. When a user enters an email address, the login page responds differently depending on whether the account exists in the tenant. An attacker can enumerate valid accounts by submitting email addresses and observing the response — a technique known as user enumeration. Tools like o365creeper and MSOLSpray automate this process, testing thousands of email addresses in minutes. The sign-in logs record these failed authentication attempts, but most organizations do not monitor for the pattern: hundreds of single-attempt failures across many different usernames from the same IP range, each failing with "User does not exist."

// Detect account enumeration — multiple failed sign-ins across many accounts from few IPs
// This pattern indicates reconnaissance or early-stage password spray
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != 0                    // Failed sign-ins only
| summarize 
    FailedAccounts = dcount(UserPrincipalName),  // How many different accounts were attempted
    TotalAttempts = count(),                      // Total failed attempts
    AttemptedUsers = make_set(UserPrincipalName, 10)  // Sample of targeted accounts
    by IPAddress
| where FailedAccounts > 10                // Threshold: 10+ different accounts from same IP
| where TotalAttempts > 20                 // With at least 20 total attempts
| order by FailedAccounts desc
// Results: IPs targeting many accounts = likely enumeration or spray
// Normal users fail against 1-2 accounts (typos), not 10+
Expand for Deeper Context

LinkedIn, company websites, and email directories provide the naming format (firstname.lastname@company.com), department structures (which users are in finance — the most valuable targets for BEC), and executive names (the accounts most likely to have broad permissions and least likely to be questioned when they make unusual requests).

Microsoft's autodiscover and federation metadata endpoints can reveal whether the organization uses Entra ID, whether federation is configured, and what the tenant ID is. None of this requires authentication.

The defensive controls at this stage are limited but meaningful: Entra ID smart lockout detects rapid-fire authentication attempts and throttles them, and organizations can configure whether the login page reveals account existence or returns a generic error for all failures. EI4 covers the conditional access policies that complement smart lockout, and EI13 builds the detection rules that identify reconnaissance patterns in the sign-in logs.

The following KQL query identifies the reconnaissance pattern — multiple failed sign-in attempts across different usernames from the same IP range, which is a strong indicator of account enumeration or early-stage password spray:

This query is a preview of the detection engineering methodology in EI13. Every detection rule follows the same pattern: identify the behavior, set a threshold, reduce false positives through correlation, and map the detection to a specific kill chain stage.

Stage 2: Initial access

The attacker has identified their targets and chosen their technique. The initial access stage is where the attacker obtains a valid credential or token. This is the stage where the broadest set of defensive controls apply — and where the Defense Design Method has the most impact.

The techniques covered in EI0.5 all operate at this stage: AiTM credential phishing captures the session token after MFA (defeated by phishing-resistant authentication + token protection), password spray guesses common passwords across many accounts (defeated by blocking legacy auth + smart lockout + MFA), MFA fatigue bombards the user with push notifications (defeated by number matching + phishing-resistant auth), and credential stuffing uses credentials from other breaches (defeated by banned password lists + MFA).

Expand for Deeper Context

The sign-in log evidence at this stage is the most actionable. A successful sign-in from a new location, a new device, or a new IP address — particularly when combined with a risk detection from Identity Protection — is the primary indicator. The challenge is distinguishing a legitimate user traveling from an attacker who just compromised that user's credentials. This is exactly what Identity Protection's machine learning is designed to do, and why EI5's coverage of risk policy tuning is critical.

The time window at this stage is narrow. From the moment the attacker obtains a valid token, the clock is running. If your conditional access policies block the sign-in or your detection rules fire within minutes, the attack is contained at initial access. If the attacker has thirty minutes of undetected access, they move to persistence — and the incident becomes significantly harder to remediate.

Stage 3: Persistence

Within the first few minutes of access, a sophisticated attacker establishes persistence mechanisms that will survive the most common remediation actions. This is the stage that separates a nuisance from a serious incident.

The most common persistence mechanisms in Entra ID environments are inbox rules (forwarding financial emails to an external address — survives password reset), OAuth application consent (granting a malicious app Mail.ReadWrite — survives password reset and session revocation), service principal credential addition (adding a client secret to an existing SP — survives everything unless specifically reviewed), and in advanced attacks, federation trust manipulation (modifying the SAML signing certificate to forge tokens — survives everything including tenant-wide password resets).

Expand for Deeper Context

The audit log records every one of these actions. The challenge is that they look like legitimate administrative activity unless you know what to look for. An inbox rule creation is a normal user action. An application consent is something users do regularly (if consent is not blocked). A credential addition to a service principal happens during routine application maintenance. The detection rules in EI13 teach you to distinguish the malicious patterns from the benign ones — usually through correlation with the initial access sign-in event.

The key defensive control at this stage is prevention: if user consent for applications is blocked (EI9), the consent phishing persistence path is eliminated entirely. If service principal credential additions require privileged role activation through PIM (EI6), the SP credential abuse path requires an additional escalation step. If inbox rule creation triggers a Sentinel analytics rule (EI13), the email forwarding persistence is detected within minutes.

Stage 4: Privilege escalation

With persistence established, the attacker escalates to maximize access. The specific techniques depend on the attacker's sophistication and objectives.

At the most basic level, the attacker attempts to add the compromised account to a privileged directory role — Global Administrator provides unrestricted access to the entire tenant. If PIM is not enabled, this is a single Graph API call or a few clicks in the portal. If PIM is enabled, the attacker needs to activate the role, which triggers the additional verification requirements that PIM enforces (MFA, justification, approval). This is why PIM exists — not to prevent privilege escalation entirely, but to add barriers that slow the attacker and produce audit events that detection rules can catch.

Expand for Deeper Context

A more sophisticated attacker skips role escalation entirely and instead modifies conditional access policies to create a gap for their access path. They might add their IP to a named location that is trusted, or change a blocking policy to report-only mode. These modifications are recorded in the audit log as "Update conditional access policy" — a routine event in tenants with active security teams. EI8 covers conditional access change management and the detection rules that distinguish routine updates from malicious modifications.

The most sophisticated attackers target the application layer. They create a new application registration with application-level permissions (which do not require user context and do not appear in user sign-in logs) or they modify an existing application's permissions. Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, and Mail.ReadWrite are the most dangerous permissions — they provide the ability to modify the directory, manage roles, and read all mail in the tenant respectively. Application security (EI9) covers how to prevent unauthorized permission grants, and detection engineering (EI13) covers how to detect them.

Stage 5: Lateral movement

In cloud identity attacks, lateral movement does not look like lateral movement on a network. There is no PsExec, no RDP, no SMB traffic. Instead, the attacker uses the compromised identity's permissions — or newly escalated permissions — to access resources beyond the initial target.

A compromised finance manager's account might have access to the shared finance SharePoint site, the finance team's Teams channels, other team members' shared calendars, and (if the organization uses shared mailboxes) the accounts payable mailbox. The attacker does not need to compromise another user's account to access these resources — the legitimate permissions of the compromised account provide access.

Expand for Deeper Context

With escalated privileges, the scope expands. An attacker with Exchange Administrator permissions can access any mailbox in the organization using the FullAccess permission. An attacker with SharePoint Administrator permissions can access any site collection. An attacker who has registered a malicious application with Mail.ReadWrite application permission can read every user's email without any user-context authentication.

The evidence for this stage is in the OfficeActivity and CloudAppEvents logs — file access patterns, mailbox access patterns, and Teams activity that deviates from the compromised user's baseline. This is where the sign-in baseline you build in EI1 becomes critical: if you know the user normally accesses three SharePoint sites and their own mailbox, access to the CEO's mailbox and the finance team site at 3 AM from a foreign IP is immediately anomalous.

The defensive controls at this stage are least privilege (EI12 — access reviews that remove excessive permissions before an attacker can exploit them), session controls (EI3 — sign-in frequency and Conditional Access App Control that limits what the attacker can do within a session), and detection (EI13 — analytics rules that identify unusual access patterns).

Stage 6: Data exfiltration and impact

The final stage is where the attacker achieves their objective. The specific impact depends on the attacker's motivation: financial fraud (BEC wire transfer manipulation), data theft (downloading sensitive documents), espionage (reading executive communications), or destruction (deleting data, disabling accounts, ransomware deployment).

Business email compromise is the most financially damaging identity attack. The attacker uses the compromised account to insert themselves into an active financial conversation — typically an invoice payment thread — and redirects the payment to an attacker-controlled bank account. The FBI's Internet Crime Report consistently ranks BEC as the highest-loss cybercrime category, with billions of dollars in annual losses. The attack succeeds because the email comes from a legitimate internal account, the conversation thread is real, and the request appears to be a routine payment detail change.

Expand for Deeper Context

Data exfiltration through SharePoint and OneDrive is the most common data theft method. The attacker downloads files at scale — often using the OneDrive sync client or Graph API calls that download entire libraries. The sign-in logs may not show individual file accesses, but the OfficeActivity logs record every file operation. Detection rules in EI13 monitor for unusual download volumes.

Automatic attack disruption in Defender XDR (covered in EI16) is Microsoft's response to the speed of these attacks. When Defender XDR detects an in-progress attack with high confidence — typically correlating identity signals (anomalous sign-in) with behavior signals (inbox rule creation, mass file download) — it can automatically disable the compromised account and revoke all sessions without waiting for a human analyst. This reduces the response time from hours to seconds, but it depends on the detection signals being available and the automation being configured correctly.

Breaking the chain: where this course intervenes

The kill chain model reveals an important principle: you do not need to stop the attacker at every stage. You need to stop them at one stage — and the earlier, the better.

If you prevent initial access through phishing-resistant authentication and strong conditional access policies, stages 3-6 never happen. If the attacker gets past initial access but your detection rules catch the persistence mechanisms within minutes, the impact is contained. If the attacker establishes persistence but PIM prevents privilege escalation, the blast radius is limited to the compromised user's existing permissions.

This course is designed around this principle. The early modules (EI2 through EI7) focus on preventing initial access and limiting what an attacker can do if they get in. The later modules (EI9, EI10, EI12) reduce the blast radius by governing permissions and access. The detection modules (EI13, EI14) catch anything that gets through the preventive controls. And the capstone (EI17) assembles all of these into a layered architecture where the attacker must defeat multiple controls at multiple stages to succeed.

Beyond this module
The identity kill chain maps directly to the IR course's investigation methodology. IR8 (M365 Identity Compromise Investigation) teaches you to investigate stages 2-3. IR9 (Exchange Online Forensics) covers the evidence produced at stage 6. IR11 (Entra ID Investigation) covers the persistence and escalation artifacts at stages 3-4. The IR course follows the evidence after the attack succeeds. This course prevents the attack from succeeding.

Try it yourself

Try It — Map an Attack to the Kill Chain

Exercise: Consider this scenario: A user in your organization clicks a link in a phishing email. The link leads to an AiTM proxy page. The user enters their credentials and completes MFA. The attacker replays the captured session token, accesses the user's mailbox, creates an inbox rule forwarding invoice-related emails, downloads sensitive documents from SharePoint, and registers a malicious OAuth application with Mail.ReadWrite permissions.

Map each action to the kill chain stage (1-6). For each stage, identify which Entra ID log table would contain the evidence, and which module in this course teaches the defensive control that would have prevented that action.

This exercise previews the investigation methodology from the IR course while grounding it in the defensive framework of this course.

⚠ Compliance Myth: "Our incident response plan covers identity attacks"

The myth: We have an IR plan that includes identity compromise as a scenario. We are prepared.

The reality: Most IR plans describe identity compromise as "reset password and revoke sessions." That addresses stage 2 (initial access) but does nothing about stages 3-5. If the attacker registered a malicious OAuth application (stage 3), the application's credentials survive the password reset and session revocation. If the attacker added credentials to a service principal (stage 3), those credentials survive everything. If the attacker modified conditional access policies (stage 4), the weakened policies remain in place. A complete identity incident response requires reviewing and remediating every stage of the kill chain. EI15 covers compromised tenant response, and the IR course provides the full investigation methodology.

📋 Investigation Artifact — Identity Kill Chain Response Checklist

Use this checklist when responding to a confirmed identity compromise. Every stage must be checked, not just the initial access.

Identity Compromise Response Checklist

Stage 2 — Initial Access Remediation:

- Reset user password

- Revoke all sessions (Entra admin center → Users → Revoke sessions)

- Confirm MFA methods are legitimate (no attacker-registered methods)

- Review sign-in logs for the compromised account — identify initial access time and method

Stage 3 — Persistence Removal:

- Review and remove unauthorized inbox rules (Exchange Online)

- Review and revoke unauthorized OAuth application consent grants

- Review service principal credential additions in the audit log

- Check for new authentication methods registered to the account

- Review mail forwarding rules and delegates

Stage 4 — Privilege Escalation Reversal:

- Review directory role assignments — remove any unauthorized additions

- Review conditional access policy modifications since compromise time

- Review application permission changes since compromise time

- Check for new application registrations created by the compromised account

Stage 5 — Lateral Movement Assessment:

- Review OfficeActivity logs for file access outside normal scope

- Review mailbox access logs for access to other users' mailboxes

- Review SharePoint access logs for downloads from unusual sites

- Identify any additional accounts that may be compromised

Stage 6 — Impact Assessment:

- Quantify data accessed and downloaded

- Review sent email for BEC activity

- Check for data deletion or modification

- Determine regulatory notification requirements

Post-Incident:

- Identify which defensive control failed and remediate

- Deploy the missing controls from this course

- Update detection rules based on observed attack patterns

Compliance mapping: This checklist supports SOC 2 CC7.3 (Incident Response), ISO 27001 A.16.1 (Information Security Incident Management), and NIST CSF RS.AN (Analysis).

Decision point

You are reviewing NE's Entra ID security posture. You find 4 accounts with Global Administrator role, but NE's policy says maximum 2. The extra 2 were added during the AiTM incident for emergency response and never removed. Do you remove them?

Remove them — but through the proper process, not unilaterally. Notify the account owners that their emergency GA assignment is being revoked, confirm they have their standard role assignments restored, and document the removal with the rationale ('emergency assignment during INC-NE-2026-0227-001, no longer required'). Then add a PIR action item: 'Implement PIM time-limited role assignments for future incident response — emergency GA assignments auto-expire after 8 hours rather than persisting indefinitely.' The stale emergency assignment is a governance failure, not a technical failure — the fix is procedural.

NE's Entra ID security audit reveals: 4 Global Administrators (policy says 2), 23 users with Global Reader from a completed project, a break-glass account with no monitoring rule, and 3 guest accounts with no expiry date. Which finding is the highest priority?
The 4 Global Administrators — 2 extra GAs doubles the attack surface.
The break-glass account with no monitoring rule. The 4 GAs and stale Global Readers are governance issues that should be remediated — but they are existing conditions, not active threats. The unmonitored break-glass account is a critical detection gap: if the break-glass account is compromised or misused, the SOC has no alert. A break-glass account is excluded from CA policies by design — it is the most powerful and least restricted account in the tenant. Without monitoring, its compromise or misuse is invisible. Deploy the monitoring rule (any sign-in to the break-glass account = Severity 1 alert) before addressing the other findings.
The 23 stale Global Readers — this is the largest number of affected accounts.
The 3 guest accounts — external accounts without expiry are the highest risk.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

  • 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
  • The Defense Design Method — the six-step framework applied to every identity control you'll build
  • EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
  • Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
  • Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain
Unlock the full course with Premium See Full Syllabus
← Previous Next →