Potential Azure Browser SSO Abuse (50f852e6-af22-4c78-9ede-42ef36aa3453)

Detects abuse of Azure Browser SSO in which OAuth 2.0 refresh tokens are requested for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Potential Azure Browser SSO Abuse (50f852e6-af22-4c78-9ede-42ef36aa3453) | Sigma-Rules | DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) | Attack Pattern | 1 |
| DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |