
The "Success" Illusion: How Cross-Tenant ROPC Can Gaslight Your SOC and Poison Data

A nuance in the Entra ID Resource Owner Password Credentials (ROPC) protocol allows attackers with compromised credentials to authenticate against a permissive external tenant, generating a 'Sign-in: Success' log in the victim's home tenant. While this cross-tenant authentication does not grant access to the victim's data, it effectively poisons UEBA models and floods the SOC with false positive alerts, creating significant operational disruption and compromising log integrity.

Confidence: high
Analyzed: 2026-05-01
Category: reports

Authors: Varonis Threat Labs

Source: Varonis

What Happened

Security researchers discovered a trick in Microsoft's cloud systems that lets attackers create fake 'successful login' records. This affects organizations using Microsoft Entra ID (formerly Azure AD) for managing user accounts. While the attackers do not actually get access to company data, these fake logs confuse security monitoring tools and waste the time of security teams who have to investigate them. Organizations should focus on monitoring actual data access rather than just relying on login records to spot real threats.

Key Takeaways

  • Attackers can exploit a nuance in the cross-tenant ROPC protocol to generate fake 'successful' sign-in logs in an organization's Entra ID environment.
  • This technique bypasses the home tenant's Conditional Access policies for logging purposes, though it does not actually grant access to the home tenant's data.
  • The primary threat is operational: flooding the SIEM with false positives acts as a Denial-of-Service (DoS) against SOC analysts and burns security budgets.
  • These ghost logins can poison UEBA and Machine Learning models by skewing baselines with impossible travel or anomalous login data.
  • Microsoft assessed the issue as low severity due to the lack of data access, but it poses significant compliance and log integrity challenges.

Affected Systems

  • Microsoft Entra ID (Azure AD)
  • SIEM Platforms
  • UEBA (User and Entity Behavior Analytics) Models

Attack Chain

An attacker obtains valid credentials for a user in the target organization (Tenant A). Instead of authenticating directly to Tenant A where MFA and Conditional Access are enforced, the attacker authenticates against a different, permissive tenant (Tenant B) using the ROPC protocol. Tenant A verifies the password and logs a successful sign-in event, while Tenant B processes the conditional access policies. Because Tenant B lacks restrictions for the user, the authentication succeeds, generating a false positive log in Tenant A's SIEM without granting access to Tenant A's resources.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but advises focusing on data access events rather than solely relying on authentication logs.

Detection Engineering Assessment

  • EDR Visibility: None — This is a cloud identity and authentication protocol issue that does not involve endpoint execution.
  • Network Visibility: None — The authentication traffic occurs directly between the attacker and Microsoft Entra ID APIs, bypassing corporate networks.
  • Detection Difficulty: Hard — The logs explicitly state 'Success' and appear legitimate to standard SIEM parsers. Distinguishing these ghost logins from real ones requires cross-referencing tenant IDs and correlating with actual data access logs.

Required Log Sources

  • Entra ID Sign-in Logs
  • Entra ID Audit Logs
  • Cloud Application Security Logs

Hunting Hypotheses

  • Hypothesis: Look for successful sign-in events where the Resource Tenant ID does not match the Home Tenant ID, especially if the Cross tenant access type is 'Passthrough'.
    Telemetry: Entra ID Sign-in Logs
    ATT&CK Stage: Defense Evasion
    FP Risk: Medium (Legitimate cross-tenant collaboration might trigger this, requiring filtering for known partner tenants).
  • Hypothesis: Identify users with a high volume of successful authentications from anomalous geolocations that have zero corresponding resource access or data interaction logs.
    Telemetry: Entra ID Sign-in Logs and Cloud App Security Logs
    ATT&CK Stage: Defense Evasion
    FP Risk: Low (Users typically interact with resources immediately after authenticating).
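The two hypotheses above, and the alerting-rule change under Immediate Mitigation below, reduce to the same correlation: a successful sign-in whose resource tenant is neither the home tenant nor a known partner, with a passthrough cross-tenant access type, and no data access following it. The script below is an added example written for this page, not code from Varonis Threat Labs. It uses the field names of the Entra ID sign-in log schema as exported to a SIEM (HomeTenantId, ResourceTenantId, CrossTenantAccessType, ResultType); the tenant IDs, user names, sign-in records and data-access events are constructed, the known-partner allowlist and the one-hour follow-on window are assumptions a team would tune for its own environment.

```python
"""Triage of cross-tenant ROPC 'ghost' sign-ins against follow-on data access.

Added example for this page; field names mirror the Entra ID sign-in log schema,
all records and identifiers below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tenant IDs (not real tenants).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
UNKNOWN_TENANT = "33333333-3333-3333-3333-333333333333"
KNOWN_PARTNER_TENANTS = {PARTNER_TENANT}  # assumed allowlist of collaboration tenants

# Constructed sign-in records in the shape of exported Entra ID sign-in logs.
SIGNIN_LOGS = [
    # Ordinary home-tenant sign-in, followed by file access a few minutes later.
    {"TimeGenerated": "2026-04-30T08:00:00Z", "UserPrincipalName": "alice@example.test",
     "HomeTenantId": HOME_TENANT, "ResourceTenantId": HOME_TENANT,
     "CrossTenantAccessType": "none", "ResultType": "0", "Location": "CA"},
    # Legitimate B2B collaboration with an allowlisted partner tenant.
    {"TimeGenerated": "2026-04-30T09:00:00Z", "UserPrincipalName": "alice@example.test",
     "HomeTenantId": HOME_TENANT, "ResourceTenantId": PARTNER_TENANT,
     "CrossTenantAccessType": "b2bCollaboration", "ResultType": "0", "Location": "CA"},
    # Two 'Success' entries: password validated at home, resource tenant unknown,
    # passthrough access type, and no data access afterwards.
    {"TimeGenerated": "2026-04-30T03:00:00Z", "UserPrincipalName": "bob@example.test",
     "HomeTenantId": HOME_TENANT, "ResourceTenantId": UNKNOWN_TENANT,
     "CrossTenantAccessType": "passthrough", "ResultType": "0", "Location": "XX"},
    {"TimeGenerated": "2026-04-30T03:05:00Z", "UserPrincipalName": "bob@example.test",
     "HomeTenantId": HOME_TENANT, "ResourceTenantId": UNKNOWN_TENANT,
     "CrossTenantAccessType": "passthrough", "ResultType": "0", "Location": "XX"},
    # A failed attempt (non-zero ResultType) is not a ghost login.
    {"TimeGenerated": "2026-04-30T03:10:00Z", "UserPrincipalName": "carol@example.test",
     "HomeTenantId": HOME_TENANT, "ResourceTenantId": UNKNOWN_TENANT,
     "CrossTenantAccessType": "passthrough", "ResultType": "50126", "Location": "XX"},
]

# Constructed data-access events, as a cloud app security / audit source would emit.
DATA_ACCESS_LOGS = [
    {"TimeGenerated": "2026-04-30T08:03:00Z", "UserPrincipalName": "alice@example.test",
     "Operation": "FileAccessed"},
    {"TimeGenerated": "2026-04-30T09:02:00Z", "UserPrincipalName": "alice@example.test",
     "Operation": "FileAccessed"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def index_access_by_user(access_logs):
    """Map each user to the timestamps of their data-access events."""
    by_user = defaultdict(list)
    for rec in access_logs:
        by_user[rec["UserPrincipalName"]].append(parse_ts(rec["TimeGenerated"]))
    return by_user


def has_follow_on_access(signin, access_by_user, window):
    """True if the user touched data within `window` after this sign-in."""
    start = parse_ts(signin["TimeGenerated"])
    times = access_by_user.get(signin["UserPrincipalName"], [])
    return any(start <= t <= start + window for t in times)


def classify_signin(signin, home_tenant, known_partners, access_by_user,
                    window=timedelta(hours=1)):
    """Classify one sign-in; 'ghost_candidate' is the page's cross-tenant ROPC pattern."""
    if signin["ResultType"] != "0":
        return "failed"
    if signin["HomeTenantId"] != home_tenant:
        return "foreign_user"  # guest from elsewhere; out of scope for this hunt
    resource = signin["ResourceTenantId"]
    if resource == home_tenant:
        return "home"
    if resource in known_partners:
        return "known_partner"  # expected collaboration, filtered as the FP note suggests
    if signin["CrossTenantAccessType"].lower() != "passthrough":
        return "cross_tenant_other"
    if has_follow_on_access(signin, access_by_user, window):
        return "cross_tenant_with_access"  # a real session: escalate, not a ghost
    return "ghost_candidate"


def hunt(signins, access_logs, home_tenant, known_partners, window=timedelta(hours=1)):
    """Per-user verdict counts; ghost_candidate counts drive a low-priority ticket only."""
    access_by_user = index_access_by_user(access_logs)
    summary = defaultdict(lambda: defaultdict(int))
    for ev in signins:
        verdict = classify_signin(ev, home_tenant, known_partners, access_by_user, window)
        summary[ev["UserPrincipalName"]][verdict] += 1
    return {user: dict(counts) for user, counts in summary.items()}


if __name__ == "__main__":
    for user, counts in hunt(SIGNIN_LOGS, DATA_ACCESS_LOGS, HOME_TENANT, KNOWN_PARTNER_TENANTS).items():
        print(user, counts)
```

The verdict order matters: the allowlist check runs before the passthrough check so partner traffic never reaches the ghost branch, and the follow-on access check runs last so a mismatched-tenant sign-in that is followed by real data access is escalated rather than suppressed. Routing 'ghost_candidate' to a low-priority queue while keeping 'cross_tenant_with_access' at full severity is the concrete form of the Immediate Mitigation item.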

Control Gaps

  • SIEM alerting rules based solely on authentication success status
  • UEBA models lacking cross-tenant context and validation

Key Behavioral Indicators

  • Mismatched Home and Resource Tenant IDs in sign-in logs
  • Cross tenant access type set to 'Passthrough'
  • High volume of successful logins without corresponding resource access

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Review SIEM and UEBA alerting rules to ensure they do not trigger critical incidents solely on 'Success' status without verifying the Resource Tenant ID or subsequent data access.

Infrastructure Hardening

  • Implement a data-centric security strategy that monitors actual resource and data access rather than relying exclusively on authentication events.
  • Review and restrict cross-tenant access settings in Entra ID if external collaboration is not required.

User Protection

  • Continue enforcing MFA and Conditional Access policies, as they successfully prevent actual data access in this scenario.

Security Awareness

  • Educate SOC analysts on this ROPC cross-tenant behavior to prevent wasted investigation time on ghost logins.

MITRE ATT&CK Mapping

  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1562 - Impair Defenses