Microsoft Entra token replay with ASN mismatch
Description
AlphaSOC detected a Microsoft Entra token being used from an ASN that differs from the one where the token was originally issued. This is a strong indicator of token replay: an attacker who steals a valid session token uses it from a different network location. Microsoft Entra evaluates token binding and continuous access evaluation signals, but ASN mismatches can still occur when stolen tokens are replayed from attacker-controlled infrastructure.
Impact
A successful token replay from a different ASN grants the attacker full access to the victim's Entra session and associated Microsoft 365 resources. The attacker can access email, files, Teams, and administrative interfaces without completing authentication or MFA. Since the token is valid, this access may appear legitimate in audit logs unless correlated with the originating ASN change, making investigation more complex.
Severity
| Severity | Condition |
|---|---|
| Medium | Entra token used from an ASN different from its origin |
Investigation and Remediation
Review Entra sign-in logs and correlate the token issuance event with the replay event to confirm the ASN mismatch. Identify the originating device and assess whether it may have been compromised. Immediately revoke all active sessions for the affected user and reset credentials. Review the applications accessed during the suspicious session. Enable Continuous Access Evaluation and sign-in risk policies to reduce token replay risk, and consider enforcing token binding where supported.
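The correlation step above (tie each later use of a session back to the sign-in that issued it and flag a change of ASN) can be expressed as a small detection routine. The following is an added example written for this page, not AlphaSOC's detector or Microsoft's code; the sign-in records, field names (`session_id`, `asn`, `ip`, `app`) and ASN values are constructed for the example and loosely modelled on the columns found in Entra sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events for this example. Field names and ASN
# values are assumptions, not the real Entra sign-in log schema.
SAMPLE_SIGNINS = [
    # alice: session issued from ASN 64500, reused from the same ASN,
    # then reused from ASN 64501 (the replay pattern described above)
    {"time": "2024-05-01T08:00:00Z", "user": "alice@example.com", "session_id": "sess-a1",
     "asn": 64500, "ip": "198.51.100.10", "app": "Office 365 Exchange Online"},
    {"time": "2024-05-01T08:15:00Z", "user": "alice@example.com", "session_id": "sess-a1",
     "asn": 64500, "ip": "198.51.100.10", "app": "Microsoft Teams"},
    {"time": "2024-05-01T09:40:00Z", "user": "alice@example.com", "session_id": "sess-a1",
     "asn": 64501, "ip": "203.0.113.77", "app": "Azure Portal"},
    # bob: one session, consistently from one ASN (must not alert)
    {"time": "2024-05-01T08:05:00Z", "user": "bob@example.com", "session_id": "sess-b1",
     "asn": 64502, "ip": "192.0.2.5", "app": "SharePoint Online"},
    {"time": "2024-05-01T10:05:00Z", "user": "bob@example.com", "session_id": "sess-b1",
     "asn": 64502, "ip": "192.0.2.5", "app": "Office 365 Exchange Online"},
    # alice again from a third network, but in a fresh session: a new
    # issuance with its own authentication, so it is not a replay
    {"time": "2024-05-01T12:00:00Z", "user": "alice@example.com", "session_id": "sess-a2",
     "asn": 64503, "ip": "192.0.2.200", "app": "Microsoft Teams"},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_asn_mismatch(records):
    """Return one alert per event whose ASN differs from the ASN of the
    earliest event in the same session (the issuance), keyed on session id
    rather than user so that a legitimate new sign-in does not alert."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session_id"]].append(r)

    alerts = []
    for session_id, events in by_session.items():
        events = sorted(events, key=lambda e: parse_time(e["time"]))
        origin = events[0]  # the issuance event: first use of this session
        for e in events[1:]:
            if e["asn"] != origin["asn"]:
                alerts.append({
                    "severity": "Medium",  # matches the severity table above
                    "user": e["user"],
                    "session_id": session_id,
                    "issued_at": origin["time"],
                    "origin_asn": origin["asn"],
                    "origin_ip": origin["ip"],
                    "replay_at": e["time"],
                    "replay_asn": e["asn"],
                    "replay_ip": e["ip"],
                    "app": e["app"],
                })
    return alerts


def apps_in_suspicious_sessions(records, alerts):
    """Map each alerted session id to the sorted set of applications accessed
    in it, supporting the 'review the applications accessed' step."""
    flagged = {a["session_id"] for a in alerts}
    apps = defaultdict(set)
    for r in records:
        if r["session_id"] in flagged:
            apps[r["session_id"]].add(r["app"])
    return {sid: sorted(names) for sid, names in apps.items()}


def users_to_revoke(alerts):
    """Distinct users whose sessions should be revoked and credentials reset."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = detect_asn_mismatch(SAMPLE_SIGNINS)
    for a in found:
        print(f"[{a['severity']}] {a['user']} session {a['session_id']}: "
              f"issued from ASN {a['origin_asn']} at {a['issued_at']}, "
              f"used from ASN {a['replay_asn']} ({a['replay_ip']}) at {a['replay_at']}")
    print("revoke sessions for:", users_to_revoke(found))
    print("apps accessed:", apps_in_suspicious_sessions(SAMPLE_SIGNINS, found))
```

Keying on the session identifier rather than the user is what separates a replay from a new sign-in: `sess-a2` comes from yet another ASN but alerts nothing because it was freshly issued. In production the same logic should also allow for benign ASN changes within a session (mobile roaming, a VPN connecting mid-session), which is why the detection is rated Medium rather than High and why the correlation with the issuing device is part of the investigation step.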