
Microsoft-Analyzer-Suite v1.6.0


Released by @evild3ad on 24 Jul 2025, 05:18

[1.6.0] - 2025-07-24

Added

  • EntraSignInLogs-Analyzer: UniqueTokenIdentifier
  • EntraSignInLogs-Analyzer: IncomingTokenType
  • EntraSignInLogs-Analyzer: SignInTokenProtectionStatus
  • EntraSignInLogs-Analyzer: SignInTokenProtectionStatus (Stats)
  • EntraSignInLogs-Analyzer: Suspicious Sign-Ins via the Visual Studio Code client
  • EntraSignInLogs-Analyzer: Suspicious ADRS (Azure AD Device Registration Service) token request(s) by Microsoft Authentication Broker
  • EntraAuditLogs-Analyzer: Suspicious Cloud Device Registration [T1098.005]
  • UAL-Analyzer: ActorInfoString
  • UAL-Analyzer: ActorInfoString (Stats)
  • Configuration file moved from Config.ps1 to Config.json

Fig 1: OAuth Phishing via Visual Studio Code Client (Emulation)
Fig 2: Visual Studio Code Phishing (Abusing Legitimate Microsoft Workflow)
Fig 3: Suspicious Sign-Ins via Visual Studio Code Client found
Fig 4: EntraSignInLogs-Analyzer (1)
Fig 5: EntraSignInLogs-Analyzer (2)
Fig 6: Suspicious Cloud Device Registration detected [T1098.005]
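The example below is added here to illustrate what the new sign-in log fields (UniqueTokenIdentifier, IncomingTokenType, SignInTokenProtectionStatus) buy an analyst when hunting for the Visual Studio Code phishing pattern shown in the figures. It is not code from Microsoft-Analyzer-Suite and does not reproduce the suite's own rules: the three sign-in records are constructed sample data in the shape of the Microsoft Graph signIn resource, the AppId `aebc6443-996d-45c2-90f0-388ff96faa56` is the Visual Studio Code first-party client, the second AppId is a placeholder, and the two heuristics (device-code or unbound refresh-token sign-ins through the VS Code client; one UniqueTokenIdentifier seen from more than one IP address) are the editor's assumptions about what is worth triaging, not a claim of how the Analyzer scores events.

```powershell
# Added example, not part of Microsoft-Analyzer-Suite.
# Assumption: the Visual Studio Code first-party client ID in Entra ID.
$VSCodeAppId = 'aebc6443-996d-45c2-90f0-388ff96faa56'

# Constructed sample: three Entra sign-in records (subset of Microsoft Graph signIn fields).
# s1/s2 emulate the VS Code OAuth phishing flow: a device-code sign-in, then the resulting
# token replayed from a second IP. s3 is a benign control record with a placeholder AppId.
$SampleJson = @'
[
  { "id": "s1", "createdDateTime": "2025-07-20T08:01:00Z", "userPrincipalName": "alice@contoso.example",
    "appId": "aebc6443-996d-45c2-90f0-388ff96faa56", "appDisplayName": "Visual Studio Code",
    "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10",
    "authenticationProtocol": "deviceCode", "incomingTokenType": "none",
    "signInTokenProtectionStatus": "unbound", "uniqueTokenIdentifier": "tok-AAA" },
  { "id": "s2", "createdDateTime": "2025-07-20T08:07:00Z", "userPrincipalName": "alice@contoso.example",
    "appId": "aebc6443-996d-45c2-90f0-388ff96faa56", "appDisplayName": "Visual Studio Code",
    "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.23",
    "authenticationProtocol": "oAuth2", "incomingTokenType": "refreshToken",
    "signInTokenProtectionStatus": "unbound", "uniqueTokenIdentifier": "tok-AAA" },
  { "id": "s3", "createdDateTime": "2025-07-20T09:00:00Z", "userPrincipalName": "bob@contoso.example",
    "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Placeholder App",
    "resourceDisplayName": "Microsoft Graph", "ipAddress": "192.0.2.5",
    "authenticationProtocol": "oAuth2", "incomingTokenType": "primaryRefreshToken",
    "signInTokenProtectionStatus": "bound", "uniqueTokenIdentifier": "tok-BBB" }
]
'@

# Heuristic 1 (assumption): sign-ins through the VS Code client that either used the device
# code flow or presented a refresh token that is not bound to a device.
function Get-SuspiciousVSCodeSignIns {
    param([Parameter(Mandatory)][object[]]$SignIns)

    $SignIns | Where-Object {
        $_.appId -eq $VSCodeAppId -and (
            $_.authenticationProtocol -eq 'deviceCode' -or
            ($_.incomingTokenType -eq 'refreshToken' -and $_.signInTokenProtectionStatus -ne 'bound')
        )
    } | Select-Object createdDateTime, userPrincipalName, ipAddress, authenticationProtocol,
                      incomingTokenType, signInTokenProtectionStatus, uniqueTokenIdentifier
}

# Heuristic 2 (assumption): the same UniqueTokenIdentifier observed from more than one
# source IP, which is what a stolen/replayed token looks like in the sign-in log.
function Get-TokenReplayCandidates {
    param([Parameter(Mandatory)][object[]]$SignIns)

    $SignIns |
        Where-Object { $_.uniqueTokenIdentifier } |
        Group-Object -Property uniqueTokenIdentifier |
        Where-Object { @($_.Group.ipAddress | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                UniqueTokenIdentifier = $_.Name
                Users                 = (@($_.Group.userPrincipalName | Sort-Object -Unique) -join ', ')
                IPAddresses           = (@($_.Group.ipAddress | Sort-Object -Unique) -join ', ')
                SignInCount           = $_.Count
            }
        }
}

$signIns = $SampleJson | ConvertFrom-Json

'Suspicious Visual Studio Code sign-ins:'
Get-SuspiciousVSCodeSignIns -SignIns $signIns | Format-Table -AutoSize

'Tokens seen from more than one IP address:'
Get-TokenReplayCandidates -SignIns $signIns | Format-Table -AutoSize
```

On the sample data both VS Code records are returned by the first check (s1 via deviceCode, s2 via an unbound refresh token), and the second check returns tok-AAA with two IP addresses, which is the pivot an analyst would follow from a single suspicious sign-in to every other use of the same token. Real exports will have many more fields and legitimate developers who use VS Code from a bound device will not trip the first check, which is why the token-protection status is part of the condition rather than the app name alone.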

Fixed

  • Minor fixes and improvements

References

  • Elastic Security Labs: https://www.elastic.co/security-labs/entra-id-oauth-phishing-detection
  • Volexity (2025-04-22), Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows: https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/