Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a user agent that is not consistent with common browser, mobile, or Windows platform authentication clients. Adversary-in-the-middle and OAuth phishing tooling often presents scripted or relayed user agents (for example Node.js, Python, or generic HTTP libraries) while still targeting first-party resources through the broker.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/05/27"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/27"

[rule]
author = ["Elastic"]
description = """
Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker authenticates using a user agent
that is not consistent with common browser, mobile, or Windows platform authentication clients. Adversary-in-the-middle and OAuth phishing
tooling often presents scripted or relayed user agents (for example Node.js, Python, or generic HTTP libraries) while
still targeting first-party resources through the broker.
"""
false_positives = [
    """
    Legitimate automation, SDKs, or custom applications that obtain tokens through the Microsoft Authentication Broker
    against Graph, Azure AD, or Device Registration Service may use non-browser user agents. Baseline approved
    service principals, managed identities, and developer tooling before tuning exclusions for known automation
    patterns.
    """,
]
from = "now-9m"
index = ["logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent"
note = """## Triage and analysis

### Investigating Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent

Review `azure.signinlogs.properties.user_principal_name`, `user_agent.original`,
`azure.signinlogs.properties.resource_display_name`, `azure.signinlogs.properties.session_id`, `source.ip`, and
`source.as.organization.name`.

Confirm whether the user or application intentionally used a non-browser client against the requested resource.

### Possible investigation steps

- Inspect `user_agent.original` for automation libraries (for example `node`, `axios`, `python-requests`, `curl`).
- Correlate `azure.signinlogs.properties.session_id` with other sign-ins, device registration audit events, or Graph
  activity in the same time window.
- Review conditional access outcomes and identity protection signals for the user.
- Compare `source.ip` and ASN against expected VPN, MDM, and developer egress.

### False positive analysis

- Microsoft platform and mobile clients using Mozilla-, Dalvik-, CFNetwork-, or Windows-AzureAD-Authentication-Provider-
  style user agents are excluded by design.
- First-party CLI tools and test harnesses that legitimately broker tokens may still match if they use uncommon user
  agent strings.

### Response and remediation

- If malicious, revoke refresh tokens for the user, review newly registered devices, and reset credentials per policy.
- Escalate when paired with suspicious ASN sign-ins, multi-IP OAuth flows, or follow-on Graph data access.
"""
references = [
    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
    "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",
    "https://any.run/malware-trends/tycoon/",
]
risk_score = 73
rule_id = "c22f89d9-b674-4650-8454-02242c8b35eb"
severity = "high"
setup = """
Microsoft Entra ID sign-in logs (`logs-azure.signinlogs-*`) must populate `user_agent.original`,
`azure.signinlogs.properties.app_display_name`, and `azure.signinlogs.properties.resource_display_name`.
"""
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-In Logs",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:"azure.signinlogs" and event.action:"Sign-in activity" and event.outcome:(success or Success) and
(azure.signinlogs.properties.app_display_name:"Microsoft Authentication Broker" or azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e") and
user_agent.original:(* and not (Mozilla* or Dalvik* or *CFNetwork* or Windows-AzureAD-Authentication-Provider* or Java*ThinkPad*)) and
azure.signinlogs.properties.resource_display_name:*
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.as.number",
    "source.as.organization.name",
    "source.geo.country_name",
    "event.outcome",
    "azure.signinlogs.properties.user_principal_name",
    "azure.signinlogs.properties.session_id",
    "azure.signinlogs.properties.app_display_name",
    "azure.signinlogs.properties.app_id",
    "azure.signinlogs.properties.resource_display_name",
    "azure.signinlogs.properties.resource_id",
    "azure.signinlogs.properties.authentication_protocol",
    "azure.tenant_id",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
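To make concrete what the KQL query above admits and what it excludes by design, the following is an added Python re-implementation of the rule's filter run over constructed sign-in documents. It is example code written for this page, not Elastic's rule engine or code, and it assumes wildcard matching is case-sensitive as it is on keyword fields.

```python
from fnmatch import fnmatchcase

BROKER_APP_NAME = "Microsoft Authentication Broker"  # app name and id from the rule's query
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
# User agent globs the query excludes by design (browser, Android, Apple, Windows, Java/ThinkPad).
EXCLUDED_UA_PATTERNS = ("Mozilla*", "Dalvik*", "*CFNetwork*",
                        "Windows-AzureAD-Authentication-Provider*", "Java*ThinkPad*")

def matches_rule(event):
    """Apply the rule's KQL filter to one flattened sign-in document. Assumption (mine): globs
    match case-sensitively as on keyword fields; event.outcome is compared case-insensitively."""
    if (event.get("data_stream.dataset") != "azure.signinlogs"
            or event.get("event.action") != "Sign-in activity"):
        return False
    if str(event.get("event.outcome", "")).lower() != "success":
        return False
    if (event.get("azure.signinlogs.properties.app_display_name") != BROKER_APP_NAME
            and event.get("azure.signinlogs.properties.app_id") != BROKER_APP_ID):
        return False
    ua = event.get("user_agent.original")
    if not ua:  # user_agent.original:* requires the field to be present
        return False
    if any(fnmatchcase(ua, pat) for pat in EXCLUDED_UA_PATTERNS):
        return False
    # resource_display_name:* requires a recorded target resource
    return bool(event.get("azure.signinlogs.properties.resource_display_name"))

def find_alerts(events):
    """Return the ids of the documents that would raise this alert."""
    return [e["id"] for e in events if matches_rule(e)]

def _signin(event_id, ua, **overrides):
    """Constructed broker sign-in document (sample data, not real telemetry)."""
    doc = {"id": event_id, "data_stream.dataset": "azure.signinlogs", "user_agent.original": ua,
           "event.action": "Sign-in activity", "event.outcome": "success",
           "azure.signinlogs.properties.app_display_name": BROKER_APP_NAME,
           "azure.signinlogs.properties.app_id": BROKER_APP_ID,
           "azure.signinlogs.properties.resource_display_name": "Microsoft Graph"}
    doc.update(overrides)
    return doc

SAMPLE_EVENTS = [
    _signin("ev1", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),  # browser: excluded by design
    _signin("ev2", "axios/1.6.7"),  # scripted client through the broker: alert
    _signin("ev3", "python-requests/2.31.0", **{"event.outcome": "failure"}),  # failed: no alert
    _signin("ev4", "Dalvik/2.1.0 (Linux; U; Android 14)"),  # mobile platform client: excluded
    _signin("ev5", "node", **{"azure.signinlogs.properties.app_display_name": "Other App",
                              "azure.signinlogs.properties.app_id": "other-app"}),  # not the broker
    _signin("ev6", "curl/8.5.0", **{"azure.signinlogs.properties.resource_display_name": None}),
]
```

Running `find_alerts(SAMPLE_EVENTS)` yields only `ev2`; the failed sign-in, the non-broker app and the document with no resource name are dropped by the query's other clauses, which is why baselining approved automation matters before tuning the user agent exclusions.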
