At times SaaS Alerts events will be created with a username as the actor that does not conform to the typical convention of an email address or UPN. The username may appear in an event or Alert that resembles this format:
Type User Name Description Additional
f52e7a90-a789-4bb9-8415-0910a6c55248 (Example code)
IAM Event - Multiple Authentication Failures
Agent - Other / Method - Unknown / Activity - OAuth2:Token
Sample alert image
This occurs when an attacker is attempting to gain access to a Microsoft 365 Tenant Organization using a service principal name (SPN) rather than a user principal name (UPN).
The SaaS Alerts team has observed this behavior most often detected in an attempt to attack tenant domains using (or trying to guess) the SPN for exchange servers. Often the SPN will actually match the SPN for the “Microsoft Office Exchange Online” enterprise app that is resident for the customer organization in Active Directory.
The purpose of the attack is to gain access to an Exchange environment using known vulnerabilities related to legacy authentication protocols. The attack specifically allows the attacker to bypass MFA if they are successful.