if you operate Sentinel, and are licensed for Entra P2 or M365 E5, you may have experienced a lack of visibility during token theft events. To reduce noise, Defender XDR auto remediates any incident when an MFA claim is present in the token. The system is not yet smart enough to differentiate between a stolen token and a valid MFA claim, so the work-around is to create a new analytic rule to raise an alert for any elevated user risk, by excluding events flagged as 'remediated.' The following KQL is designed for an analytic rule so that the analyst can see recent sign-ins that caused the user risk to elevate. Feedback and questions encouraged! let a=( AADRiskyUsers | where RiskLevel in ('medium','high') and RiskDetail !in('adminConfirmedUserCompromised','adminConfirmedSigninCompromised') | distinct tolower(UserPrincipalName)); SigninLogs | where tolower(UserPrincipalName) in (a) | where RiskLevelDuringSignIn != 'none' and RiskState != 'remediated'

This is a super hot attack vector right now and probably a ton of orgs aren't working these alerts at all, or maybe just incorrectly. Don't trust `riskState: remediated` !!

NEW BLOG: AiTM/ MFA phishing attacks in combination with “new” Microsoft protections (2025 edition) After the successful 2023 and 2024 edition, created the blog based on the latest protections and innovations against AiTM attacks #MicrosoftSecurity