Forum Discussion
lfk73
Jun 23, 2025
Brass Contributor
Token replay question
I had a case of a user being phished and their token being used in a replay attack. The replay appeared in the sign-in logs from a different IP address to the "true" user's IP. I then saw activity on the account originating from the original IP until we killed the session a few hours later.
I had someone suggest that in a token replay the M365 audit\activity logs and Entra ID sign-in logs will show the original person's IP, not the attacker's.
Can anyone confirm this?
2 Replies
- I haven't tested this recently, but this was indeed the case back when I last played with this. It's embedded as part of the access token ("ipaddr" claim).
- lfk73 (Brass Contributor): Ok, so the initial authentication the user is tricked into performing shows the attacker's IP?
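
An added example (not part of the thread or any poster's code): a triage check that decodes the `ipaddr` claim named in the reply above and flags records where the connecting IP differs from it. The event records, their field names (`client_ip`, `op`, `time`) and the sample token are constructed assumptions, and it presumes an independent record of the connecting IP; the signature is not verified, so this is for log triage only.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (triage use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def replay_candidates(token: str, events: list[dict]) -> list[dict]:
    """Return events whose connecting IP differs from the token's ipaddr claim."""
    issued_ip = jwt_claims(token).get("ipaddr")
    if issued_ip is None:
        return []  # claim absent: nothing to compare against
    return [e for e in events if e["client_ip"] != issued_ip]


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample data; IPs are from documentation ranges (RFC 5737).
# Field names below are assumptions, not a real log schema.
SAMPLE_TOKEN = make_sample_token(
    {"upn": "user@example.com", "ipaddr": "198.51.100.10"}
)
SAMPLE_EVENTS = [
    {"time": "2025-06-23T09:00:00Z", "client_ip": "198.51.100.10",
     "op": "MailItemsAccessed"},
    {"time": "2025-06-23T09:05:00Z", "client_ip": "203.0.113.77",
     "op": "MailItemsAccessed"},
]

if __name__ == "__main__":
    for event in replay_candidates(SAMPLE_TOKEN, SAMPLE_EVENTS):
        print("connecting IP differs from token ipaddr claim:", event)
```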