Microsoft Entra bound-to-unbound sign-in with ASN change
Description
AlphaSOC detected a Microsoft Entra sign-in where the ASN of the connection changed between a bound (compliant or managed device) authentication and an unbound (unmanaged) token usage. This pattern is a strong indicator of token theft: an attacker extracts a valid session token from a compromised device and replays it from a different network location, bypassing device compliance checks while retaining the original session's access.
Impact
If a stolen token is successfully replayed from an unbound context, an attacker gains full access to the victim's Entra session and connected applications without needing to complete authentication again. This bypasses MFA, conditional access policies, and device compliance requirements. Depending on the user's role, the attacker may access email, files, and sensitive business applications, or use the session to move laterally within the organization's cloud environment.
Severity
| Severity | Condition |
|---|---|
| Medium | ASN change detected between bound and unbound Entra sign-ins |
Investigation and Remediation
Review the Entra sign-in logs for the affected user and compare the device compliance state and ASN across recent authentication events. Verify with the user whether they changed networks or devices. If the change appears unauthorized, revoke all active sessions for the user, reset credentials, and enforce conditional access policies requiring compliant devices. Investigate the originating device for signs of token theft tooling or malware.
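The following is an added example, not AlphaSOC's detector or any code from this page: it reproduces the comparison described in the Description and Investigation sections over constructed Entra sign-in records. Field names are assumed to follow the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, autonomousSystemNumber, deviceDetail.isCompliant/isManaged); a sign-in counts as bound when the device is compliant or managed, and an alert is raised when a user's unbound sign-in within the window comes from a different ASN than their most recent bound sign-in.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra sign-in log entries (one JSON object per line).
# Field names are assumed to match the Microsoft Graph signIn resource; values are made up.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-05-01T09:00:00Z","autonomousSystemNumber":8075,"deviceDetail":{"isCompliant":true,"isManaged":true}}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-05-01T10:15:00Z","autonomousSystemNumber":14061,"deviceDetail":{"isCompliant":false,"isManaged":false}}
{"userPrincipalName":"bob@example.com","createdDateTime":"2024-05-01T09:05:00Z","autonomousSystemNumber":8075,"deviceDetail":{"isCompliant":true,"isManaged":true}}
{"userPrincipalName":"bob@example.com","createdDateTime":"2024-05-01T11:00:00Z","autonomousSystemNumber":8075,"deviceDetail":{"isCompliant":false,"isManaged":false}}
{"userPrincipalName":"carol@example.com","createdDateTime":"2024-05-01T08:00:00Z","autonomousSystemNumber":3356,"deviceDetail":{"isCompliant":false,"isManaged":false}}
{"userPrincipalName":"carol@example.com","createdDateTime":"2024-05-01T08:30:00Z","autonomousSystemNumber":8075,"deviceDetail":{"isCompliant":true,"isManaged":true}}
"""

def parse_events(text):
    """Normalise raw sign-in records into user / timestamp / ASN / bound-state tuples."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        dev = rec.get("deviceDetail") or {}
        events.append({
            "user": rec["userPrincipalName"],
            "ts": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "asn": rec.get("autonomousSystemNumber"),
            "bound": bool(dev.get("isCompliant") or dev.get("isManaged")),  # compliant or managed device
        })
    return events

def find_bound_to_unbound_asn_changes(events, window_hours=24):
    """Return one alert per unbound sign-in that follows a bound sign-in from a different ASN."""
    last_bound = {}
    alerts = []
    window = timedelta(hours=window_hours)
    for e in sorted(events, key=lambda x: (x["user"], x["ts"])):
        if e["bound"]:
            last_bound[e["user"]] = e  # most recent bound authentication per user is the baseline
            continue
        prev = last_bound.get(e["user"])
        if prev is None or e["asn"] is None:
            continue  # no bound baseline yet (unbound-then-bound is not this pattern), or ASN unknown
        if e["ts"] - prev["ts"] <= window and e["asn"] != prev["asn"]:
            alerts.append({"user": e["user"], "bound_asn": prev["asn"],
                           "unbound_asn": e["asn"], "unbound_at": e["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_bound_to_unbound_asn_changes(parse_events(SAMPLE_LOG)):
        print(alert)
```

Only alice is flagged: bob's unbound sign-in keeps the same ASN, and carol's bound sign-in comes after her unbound one, so there is no bound baseline to compare against.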