Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Unusual data in "Alternate sign-in name" during auth

Copper Contributor

I have a question regarding the field "Alternate sign-in name" in AAD. Most of the time this field is null, but I have seen login attempts which were verified malicious and this field was populated with a different (valid) user than the one who is actually authenticating. Upon reviewing the alternate user's auth log there are no attempts made on it. It does not look like the attacker was targeting the secondary account, but not sure what would cause this artifact to show up and it is curious that I have only seen this on malicious auth attempts.  This field would normally be populated by other identifiers for the same user, yes? 

0 Replies