VaultFuzion · by Kapardyn
Entra ID · 07 May 2026 · 5 min read

Detecting impossible travel and token replay: beyond the Microsoft Defender baseline

Defender's identity protection covers the basics. The advanced patterns — token replay, brute-force-at-scale, federated-domain spoofing — need a layer above.

— VaultFuzion Identity Engineering

Microsoft Entra ID Identity Protection bundles a strong baseline of identity-risk detections — impossible travel, atypical travel, anonymous IP, malware-linked IP, leaked credentials. For most tenants, the baseline is genuinely sufficient. For tenants in regulated industries, holding sensitive data, or operating with elevated targeting risk, the baseline leaves a measurable gap.

The Mandiant M-Trends 2026 report puts median internal dwell time at nine days (Mandiant, 2026). Nine days is a long time for a competent attacker to operate with valid session cookies before the baseline detections fire. The supplementary detector classes are aimed at closing that window.

Token replay — adversary-in-the-middle harvests session tokens

Token replay happens when a session cookie issued to a legitimate user is captured (typically via AiTM phishing) and reused by an attacker on different infrastructure. The cookie itself is valid; the use is not. Detection requires comparing the device fingerprint, IP ASN and behavioural pattern of each use of the cookie against the context in which it was issued.

Microsoft Entra detects some token-replay scenarios via its "anomalous token" classifier, but the coverage is incomplete, particularly for tokens replayed soon after issue and from infrastructure that overlaps geographically with the legitimate user. Supplementary detectors apply tighter constraints: cookie age in minutes, an exact device-fingerprint match, and an ASN match within one Autonomous System.
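The tightened constraints above, as an added illustration that is not code from the original post or from VaultFuzion's product: each presentation of a cookie is compared with its issuing context, and a young cookie arriving from a different device fingerprint or a different AS is flagged. The session ids, fingerprints and ASNs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SessionContext:
    """Where and when a session cookie was issued, or later presented."""
    session_id: str
    device_fp: str   # device fingerprint observed at the request
    asn: int         # autonomous system of the client IP
    at: datetime

def detect_replay(issue: SessionContext, uses: list[SessionContext],
                  max_age_minutes: int = 60) -> list[dict]:
    """Flag each use of the cookie that arrives within max_age_minutes of
    issue from a different device fingerprint or a different AS. A young
    cookie presented from a new context is the pattern the baseline misses."""
    findings = []
    for use in uses:
        if use.session_id != issue.session_id:
            continue  # a different cookie; not this session
        age_min = (use.at - issue.at) / timedelta(minutes=1)
        reasons = []
        if use.device_fp != issue.device_fp:
            reasons.append("device_fp_mismatch")
        if use.asn != issue.asn:
            reasons.append("asn_mismatch")
        if reasons and 0 <= age_min <= max_age_minutes:
            findings.append({"session_id": use.session_id,
                             "age_minutes": round(age_min, 1),
                             "reasons": reasons})
    return findings

# Constructed sample: cookie issued to the user's laptop in AS3741, then
# presented four minutes later from an unknown device in AS14061. ASNs and
# fingerprints are made up for the example.
T0 = datetime(2026, 5, 7, 9, 0, tzinfo=timezone.utc)
ISSUE = SessionContext("sess-A1", "fp-laptop-01", 3741, T0)
USES = [
    SessionContext("sess-A1", "fp-laptop-01", 3741, T0 + timedelta(minutes=2)),    # legitimate
    SessionContext("sess-A1", "fp-unknown-77", 14061, T0 + timedelta(minutes=4)),  # replay
    SessionContext("sess-B2", "fp-unknown-77", 14061, T0 + timedelta(minutes=5)),  # other cookie
]

if __name__ == "__main__":
    for finding in detect_replay(ISSUE, USES):
        print(finding)
```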

Impossible travel — geo-velocity-based detection

Impossible travel detection compares two consecutive sign-ins for a user and computes the implied travel velocity. Sign-ins from Cape Town and Frankfurt within an hour imply a velocity that exceeds commercial flight speed — the second sign-in is by definition compromised. The Entra baseline implements this with reasonable defaults.

The supplementary layer tightens two parameters. First, time window — the baseline uses an hour; high-sensitivity tenants benefit from a 30-minute or 15-minute window. Second, location precision — baseline IP-geolocation has a country-level resolution that misses intra-country impossible travel; supplementary detectors use city-level resolution where the IP-geolocation database supports it.
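Both tightened parameters in one detector, as an added example (not the post's or VaultFuzion's code): the implied velocity is computed from great-circle distance, the time window is configurable, and a country-level mode shows why baseline resolution cannot see the Cape Town to Johannesburg case. Coordinates are approximate city centres and the sign-ins are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly commercial cruising speed

@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime
    country: str
    city: str
    lat: float
    lon: float

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(a: SignIn, b: SignIn, window_minutes: int,
                      city_level: bool) -> bool:
    """True when two sign-ins inside the window imply a velocity above
    MAX_PLAUSIBLE_KMH. Country-level mode treats same-country pairs as zero
    distance, which is the gap the city-level detector closes."""
    gap_min = abs((b.at - a.at) / timedelta(minutes=1))
    if gap_min > window_minutes:
        return False
    if not city_level and a.country == b.country:
        return False  # baseline resolution cannot see intra-country moves
    km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if gap_min == 0:
        return km > 0
    return km / (gap_min / 60.0) > MAX_PLAUSIBLE_KMH

# Constructed sample sign-ins for one user.
T0 = datetime(2026, 5, 7, 8, 0, tzinfo=timezone.utc)
CPT = SignIn("u1", T0, "ZA", "Cape Town", -33.93, 18.42)
FRA = SignIn("u1", T0 + timedelta(minutes=50), "DE", "Frankfurt", 50.11, 8.68)
JNB = SignIn("u1", T0 + timedelta(minutes=15), "ZA", "Johannesburg", -26.20, 28.05)

if __name__ == "__main__":
    print(impossible_travel(CPT, FRA, 60, city_level=False))  # baseline catches this
    print(impossible_travel(CPT, JNB, 30, city_level=False))  # baseline misses intra-country
    print(impossible_travel(CPT, JNB, 30, city_level=True))   # tightened detector flags it
```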

The 22-second context

Mandiant's 22-second median human-to-AI handoff time (Mandiant, 2026) means an attacker can move from initial credential theft to active reconnaissance faster than a tightened impossible-travel detector can fire. The detector still matters — it catches the second action, not the first.

Cross-tenant correlation for fleet-wide threats

A single tenant's identity-risk signals are isolated. An MSP managing fifty tenants sees fifty isolated signal streams. The signals become more useful when correlated across tenants. A password-spray attack that hits five tenants in the same MSP's fleet within thirty minutes is a fleet-wide threat — even if the individual per-tenant counts stay below each tenant's sensitivity threshold.

Cross-tenant correlation requires careful POPIA scoping. Each tenant's personal information stays within its own tenant boundary; only aggregate signal metadata (IP, user-agent, sign-in pattern, but not user identity) crosses the boundary. The privacy posture has to be auditable and tenant-configurable — opt-in by default, with the audit chain recording every cross-tenant correlation event.
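The fleet-wide spray correlation and its privacy scoping together, as an added example (not the post's or VaultFuzion's code): each opted-in tenant exports only IP, user agent and timing, the correlator groups by source IP across tenants inside a 30-minute window, and every correlation is written to an audit list. The tenants, UPNs and the TEST-NET-3 address are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class FailedSignIn:
    tenant_id: str
    upn: str         # personal information; never leaves the tenant boundary
    source_ip: str
    user_agent: str
    at: datetime

def tenant_export(events: list[FailedSignIn], opted_in: set[str]) -> list[dict]:
    """Signal metadata an opted-in tenant shares; the UPN is dropped before export."""
    return [{"tenant_id": e.tenant_id, "source_ip": e.source_ip,
             "user_agent": e.user_agent, "at": e.at}
            for e in events if e.tenant_id in opted_in]

def correlate_spray(exports: list[dict], audit: list[dict],
                    window=timedelta(minutes=30), min_tenants=5) -> list[dict]:
    """Alert when one IP fails sign-ins in >= min_tenants tenants inside the window."""
    by_ip = defaultdict(list)
    for rec in exports:
        by_ip[rec["source_ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["at"])
        for i, first in enumerate(recs):
            hits = [r for r in recs[i:] if r["at"] - first["at"] <= window]
            tenants = {r["tenant_id"] for r in hits}
            if len(tenants) >= min_tenants:
                alert = {"source_ip": ip, "tenants_hit": len(tenants),
                         "failures": len(hits), "window_start": first["at"].isoformat()}
                alerts.append(alert)
                audit.append({"event": "cross_tenant_correlation", **alert})  # audit chain
                break  # one alert per source IP
    return alerts

# Constructed sample: one IP sprays four accounts in each of five tenants within
# 25 minutes, so no single tenant sees more than four failures.
T0 = datetime(2026, 5, 7, 3, 0, tzinfo=timezone.utc)
EVENTS = [FailedSignIn(f"tenant-{t}", f"user{u}@tenant-{t}.example", "203.0.113.7",
                       "python-requests/2.31", T0 + timedelta(minutes=5 * t + u))
          for t in range(5) for u in range(4)]
OPTED_IN = {f"tenant-{t}" for t in range(5)}

def run() -> tuple[list[dict], list[dict]]:
    audit: list[dict] = []
    alerts = correlate_spray(tenant_export(EVENTS, OPTED_IN), audit)
    return alerts, audit
```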

Eleven detectors operating on a four-hour cadence

A practical supplementary detector stack covers eleven classes: impossible travel (tightened), atypical travel (tightened), token replay (device-fingerprint), brute force (multi-account), credential spraying (multi-tenant), mass deletion of users or roles, federated-domain spoofing, anonymous service-principal creation, conditional-access bypass attempts, MFA fatigue patterns, and authentication-method policy changes outside change windows.

Each detector runs on a snapshot cadence, typically four hours, matching the broader RPO baseline for identity backup. A real-time stream would detect faster but costs more in licensing and infrastructure; the four-hour cadence is the cost-effectiveness sweet spot for tenants below 10,000 seats.

POPIA Section 19 implications

POPIA Section 19 expects "appropriate, reasonable technical and organisational measures" (Republic of South Africa, 2013). For tenants holding sensitive personal information — banking, health, employment records — the supplementary detector classes are increasingly part of what regulator guidance treats as appropriate. A tenant operating only at the Microsoft Entra baseline may pass a regulator review on a low-sensitivity profile but will struggle on a high-sensitivity one.

References

Mandiant (2026) M-Trends 2026 Report. Google Cloud / Mandiant. Available at: https://cloud.google.com/security/resources/m-trends (Accessed: 8 May 2026).

Microsoft (2024) Microsoft Entra ID Protection. Microsoft Learn. Available at: https://learn.microsoft.com/entra/id-protection (Accessed: 8 May 2026).

Republic of South Africa (2013) Protection of Personal Information Act, No. 4 of 2013. Government Gazette of the Republic of South Africa.
