Adaptive Defense: How Cloud App Policies Can Block Malicious User Agents

Overview: Microsoft 365 Apps

Many organizations seek to block malicious user agents and prevent scripted or unauthorized programmatic access to Microsoft 365. Adversary-in-the-Middle (AiTM) attacks are on the rise, allowing attackers to intercept and forward authentication traffic in real time, even circumventing multi-factor authentication (MFA). A significant development is the adoption of malicious user agents, such as Axios, a JavaScript-based HTTP client, which attackers use to replicate browser activity and take over user sessions.

With these tools, attackers can:

• Automate the collection of credentials and replay of sessions
• Bypass basic browser fingerprinting techniques
• Launch large-scale attacks with minimal manual effort

Although detection strategies like monitoring user-agent strings or identifying unusual geolocation patterns are available, there is a lack of comprehensive guidance on countering these specific threats. Conventional security measures often fail to detect axios-driven requests that closely resemble genuine user actions.

As a result, organizations are exposed to risks including:

• Session hijacking, even when MFA is enabled
• Challenges in distinguishing automated agents from real users
• Ongoing unauthorized access after initial authentication

This blog underscores the urgent need to block malicious user agents through adaptive session policies and advanced behavior-based security in Microsoft 365

Prerequisites

Requirement	Description
Microsoft 365 E5 License	Required for Conditional Access App Control and MDCA session control
Microsoft Defender for Cloud Apps	Must be enabled
Admin Permissions	You must be an Admin or Security Admin in Entra ID (Azure AD)
Pilot Group	Recommended to test with a small group before full deployment

Step-by-Step Configuration

Enable Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps (MDCA) is a security tool that provides visibility and control over user sessions in SaaS applications. It acts as a reverse proxy when Conditional Access routes a user’s traffic through it

1. Go to Microsoft 365 Defender Portal
2. Navigate to:
   Settings → Microsoft Defender for Cloud Apps → Connected Apps → Conditional Access App Control apps
3. Ensure Microsoft 365 apps are listed as below. If not, follow below 3.2 steps, to proceed to create conditional access policy for routing the requests to Cloud Apps

Create Conditional Access for Route Traffic to MDCA

Conditional Access App Control sends the session through the MDCA proxy where session inspection happens. This is the foundation for blocking based on the User-Agent string.

Go to Azure Portal → Microsoft Entra ID → Conditional Access

Click + New Policy

Configure the following settings:

Save and apply the policy.

Trigger MDCA Session Routing (App Detection)

After the CA policy is active, the user must log into the app (e.g., Outlook) to trigger MDCA to detect and begin monitoring the app.

1. Open a private/incognito browser window.
2. Visit Outlook or Teams.
3. Log in with a test account.
4. Wait 1–2 minutes.
5. Go to: Cloud Apps → Settings → Connected Apps → Conditional Access App Control apps
6. Confirm apps like Office 365, Teams, or Exchange appear as Monitored

Note: If not detected, recheck your Conditional Access policy and retry in incognito mode.

Create MDCA Session Policy to Block Axios

This policy inspects live sessions and blocks any that match certain criteria — in this case, when the User-Agent string contains “axios”.

1. In MDCA Portal → Control → Access policies → + Create policy

1. Configure the following settings:

Click Create

This will block any Axios-based request to Office 365 apps.

Blocking malicious user agents is just one layer of a broader adaptive defense strategy. As attackers evolve, organizations must go beyond detection and adopt real-time controls that secure sessions, user identities, and cloud interactions.

Learn how to take your security strategy further with SecurityHQ’s Adaptive Defense Solutions, built to identify, contain, and respond to threats at every stage of the attack lifecycle.