Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource

  1[metadata]
  2creation_date = "2025/12/17"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2026/01/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the first occurrence of an OAuth 2.0 authorization code grant flow for a specific combination of client
 11application, target resource, and user principal in Microsoft Entra ID. Developer tools like Azure CLI, Visual Studio
 12Code, and Azure PowerShell accessing Microsoft Graph or legacy Azure AD are flagged for infrequent or first time usage by a user.
 13Additionally, any FOCI (Family of Client IDs) application accessing the deprecated Windows Azure Active Directory for
 14the first time is flagged since this resource is rarely accessed legitimately. This pattern is indicative of OAuth
 15phishing attacks like ConsentFix, where attackers steal authorization codes and exchange them for tokens from attacker
 16controlled infrastructure.
 17"""
 18from = "now-9m"
 19index = ["filebeat-*", "logs-azure.signinlogs-*"]
 20language = "kuery"
 21license = "Elastic License v2"
 22name = "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource"
 23note = """## Triage and analysis
 24
 25### Investigating Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
 26
 27This New Terms rule detects the first occurrence of an OAuth 2.0 authorization code grant flow for a specific combination of client application ID, target resource ID, and user principal within the last 14 days. When a user has never used a particular app+resource combination and it involves FOCI applications or legacy Azure AD, this may indicate OAuth phishing attacks like ConsentFix.
 28
 29The rule is particularly effective at catching attacks where adversaries use stolen OAuth codes with first-party apps to access resources the victim has never accessed before. For example, if a non-developer suddenly uses Azure CLI to access legacy AAD for the first time, this is highly suspicious regardless of other factors.
 30
 31### Possible investigation steps
 32
 33- Review `azure.signinlogs.properties.user_principal_name` to identify the affected user and determine if they are a developer who would legitimately use these tools.
 34- Check `azure.signinlogs.properties.app_display_name` to confirm which application was used. Azure CLI or PowerShell access by non-technical users is suspicious.
 35- Examine `azure.signinlogs.properties.resource_id` to identify the target resource. Legacy AAD (`00000002-0000-0000-c000-000000000000`) access is unusual for most users.
 36- Analyze `source.ip` and `source.geo.*` for geographic anomalies. ConsentFix attackers exchange codes from different IPs than the victim.
 37- Review `azure.signinlogs.properties.is_interactive` - if this is a non-interactive sign-in shortly after an interactive one from a different IP, it indicates token replay.
 38- Correlate with other sign-in events using `azure.signinlogs.properties.session_id` to identify the full OAuth flow sequence.
 39- Pivot to `azure.graphactivitylogs` to search for subsequent Graph API or AAD API activity from unusual locations.
 40- Check `azure.auditlogs` for device registration events around the same timeframe.
 41
 42### False positive analysis
 43
 44- Developers or IT administrators legitimately using Azure CLI, PowerShell, or VS Code for the first time to access specific resources.
 45- Users onboarding to new development environments or receiving new tooling.
 46- Automation scripts that run with user-delegated permissions for the first time.
 47- Consider the user's role and typical activity patterns when evaluating alerts.
 48
 49### Response and remediation
 50
 51- Contact the user to confirm if they initiated the OAuth flow and used the detected application.
 52- If unauthorized, immediately revoke all refresh tokens for the user via Microsoft Entra ID.
 53- Review recent activity from the same `session_id` for signs of data access or enumeration.
 54- Block the source IP if confirmed malicious.
 55- Implement Conditional Access policies to restrict OAuth flows for these applications to compliant devices.
 56- Educate users about OAuth phishing and the risks of pasting authorization codes.
 57"""
 58references = [
 59    "https://pushsecurity.com/blog/consentfix",
 60    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
 61    "https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow",
 62    "https://github.com/secureworks/family-of-client-ids-research",
 63]
 64risk_score = 47
 65rule_id = "c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2"
 66severity = "medium"
 67tags = [
 68    "Domain: Cloud",
 69    "Domain: Identity",
 70    "Data Source: Azure",
 71    "Data Source: Microsoft Entra ID",
 72    "Data Source: Microsoft Entra ID Sign-in Logs",
 73    "Use Case: Identity and Access Audit",
 74    "Use Case: Threat Detection",
 75    "Tactic: Initial Access",
 76    "Tactic: Credential Access",
 77    "Resources: Investigation Guide",
 78]
 79timestamp_override = "event.ingested"
 80type = "new_terms"
 81
 82query = '''
 83event.dataset: "azure.signinlogs" and
 84    event.outcome: "success" and
 85    azure.signinlogs.properties.user_type: "Member" and
 86    (
 87        (
 88            azure.signinlogs.properties.app_id: (
 89                "04b07795-8ddb-461a-bbee-02f9e1bf7b46" or
 90                "aebc6443-996d-45c2-90f0-388ff96faa56" or
 91                "1950a258-227b-4e31-a9cf-717495945fc2"
 92            ) and
 93            azure.signinlogs.properties.resource_id: (
 94                "00000002-0000-0000-c000-000000000000" or
 95                "00000003-0000-0000-c000-000000000000"
 96            )
 97        ) or
 98        (
 99            azure.signinlogs.properties.app_id: (
100                "00b41c95-dab0-4487-9791-b9d2c32c80f2" or
101                "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or
102                "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or
103                "27922004-5251-4030-b22d-91ecd9a37ea4" or
104                "4813382a-8fa7-425e-ab75-3b753aab3abb" or
105                "ab9b8c07-8f02-4f72-87fa-80105867a763" or
106                "872cd9fa-d31f-45e0-9eab-6e460a02d1f1" or
107                "af124e86-4e96-495a-b70a-90f90ab96707" or
108                "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" or
109                "844cca35-0656-46ce-b636-13f48b0eecbd" or
110                "87749df4-7ccf-48f8-aa87-704bad0e0e16" or
111                "cf36b471-5b44-428c-9ce7-313bf84528de" or
112                "0ec893e0-5785-4de6-99da-4ed124e5296c" or
113                "22098786-6e16-43cc-a27d-191a01a1e3b5" or
114                "4e291c71-d680-4d0e-9640-0a3358e31177" or
115                "57336123-6e14-4acc-8dcf-287b6088aa28" or
116                "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0" or
117                "66375f6b-983f-4c2c-9701-d680650f588f" or
118                "a40d7d7d-59aa-447e-a655-679a4107e548" or
119                "a569458c-7f2b-45cb-bab9-b7dee514d112" or
120                "b26aadf8-566f-4478-926f-589f601d9c74" or
121                "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12" or
122                "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0" or
123                "e9c51622-460d-4d3d-952d-966a5b1da34c" or
124                "eb539595-3fe1-474e-9c1d-feb3625d1be5" or
125                "ecd6b820-32c2-49b6-98a6-444530e5a77a" or
126                "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d" or
127                "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34" or
128                "be1918be-3fe3-4be9-b32b-b542fc27f02e" or
129                "cab96880-db5b-4e15-90a7-f3f1d62ffe39" or
130                "d7b530a4-7680-4c23-a8bf-c52c121d2e87" or
131                "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3" or
132                "e9b154d0-7658-433b-bb25-6b8e0a8a7c59"
133            ) and
134            azure.signinlogs.properties.resource_id: "00000002-0000-0000-c000-000000000000"
135        )
136    )
137'''
138
139
140[[rule.threat]]
141framework = "MITRE ATT&CK"
142[[rule.threat.technique]]
143id = "T1078"
144name = "Valid Accounts"
145reference = "https://attack.mitre.org/techniques/T1078/"
146[[rule.threat.technique.subtechnique]]
147id = "T1078.004"
148name = "Cloud Accounts"
149reference = "https://attack.mitre.org/techniques/T1078/004/"
150
151
152[[rule.threat.technique]]
153id = "T1566"
154name = "Phishing"
155reference = "https://attack.mitre.org/techniques/T1566/"
156[[rule.threat.technique.subtechnique]]
157id = "T1566.002"
158name = "Spearphishing Link"
159reference = "https://attack.mitre.org/techniques/T1566/002/"
160
161
162
163[rule.threat.tactic]
164id = "TA0001"
165name = "Initial Access"
166reference = "https://attack.mitre.org/tactics/TA0001/"
167[[rule.threat]]
168framework = "MITRE ATT&CK"
169[[rule.threat.technique]]
170id = "T1528"
171name = "Steal Application Access Token"
172reference = "https://attack.mitre.org/techniques/T1528/"
173
174
175[rule.threat.tactic]
176id = "TA0006"
177name = "Credential Access"
178reference = "https://attack.mitre.org/tactics/TA0006/"
179
180[rule.investigation_fields]
181field_names = [
182    "@timestamp",
183    "azure.signinlogs.properties.user_principal_name",
184    "azure.signinlogs.properties.app_id",
185    "azure.signinlogs.properties.app_display_name",
186    "azure.signinlogs.properties.resource_id",
187    "azure.signinlogs.properties.resource_display_name",
188    "azure.signinlogs.properties.is_interactive",
189    "azure.signinlogs.properties.session_id",
190    "azure.signinlogs.properties.incoming_token_type",
191    "source.ip",
192    "source.geo.country_name",
193    "source.geo.city_name",
194    "user_agent.original",
195]
196
197[rule.new_terms]
198field = "new_terms_fields"
199value = [
200    "azure.signinlogs.properties.user_principal_name",
201    "azure.signinlogs.properties.app_id",
202    "azure.signinlogs.properties.resource_id",
203]
204[[rule.new_terms.history_window_start]]
205field = "history_window_start"
206value = "now-7d"