Entra ID OAuth Device Code Phishing via AiTM

Detects successful Microsoft Entra ID sign-ins that use the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources (Exchange Online, Microsoft Graph, or SharePoint) while flagged as interactive. This pattern is associated with adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA, where victims complete device code flows that ultimately broker tokens for mail and collaboration APIs.

Elastic rule

[metadata]
creation_date = "2026/05/15"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/15"

[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft Entra ID sign-ins that use the OAuth device code authentication protocol with the
Microsoft Authentication Broker client requesting first-party Office API resources (Exchange Online, Microsoft Graph,
or SharePoint) while flagged as interactive. This pattern is associated with adversary-in-the-middle (AiTM) phishing kits
such as Tycoon 2FA, where victims complete device code flows that ultimately broker tokens for mail and collaboration
APIs.
"""
false_positives = [
    """
    Rare legitimate interactive device code flows that use the Microsoft Authentication Broker against Exchange, Graph,
    or Yammer may match, for example during troubleshooting or specialized kiosk setups. Document approved scenarios and
    exclude known principals or networks.
    """,
]
from = "now-9m"
index = ["logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID OAuth Device Code Phishing via AiTM"
note = """## Triage and analysis

### Investigating Entra ID OAuth Device Code Phishing via AiTM

Review `azure.signinlogs.properties.user_principal_name`, `azure.signinlogs.properties.session_id`, `source.ip`,
`user_agent.original`, and `azure.signinlogs.properties.resource_display_name` for context around the device code
completion.

Confirm whether the user knowingly entered a device code (for example on a shared or headless device) and whether
broker-mediated access to Exchange, Graph, or Yammer is expected for that account.

### Possible investigation steps

- Interview the user about recent links, QR codes, or prompts to approve a device code.
- Correlate with `azure.signinlogs` and Microsoft 365 audit logs for mailbox, Teams, or file access from the same
  session or IP shortly after the event.
- Review conditional access and MFA satisfaction details for the same `session_id`.

### Response and remediation

- If malicious, revoke refresh tokens for the user, reset credentials per policy, and review application consent.
- Block or monitor the source IP and escalate per incident procedures.
"""
references = [
    "https://any.run/malware-trends/tycoon/",
    "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows",
    "https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",
]
risk_score = 73
rule_id = "e5420ced-bc42-4783-a8df-99320567e090"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-in Logs",
    "Use Case: Threat Detection",
    "Threat: Tycoon2FA",
    "Tactic: Initial Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"azure.signinlogs" and event.category:"authentication" and event.action:"Sign-in activity" and
event.outcome:success and azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
azure.signinlogs.properties.authentication_protocol:deviceCode and
azure.signinlogs.properties.resource_id:(
    "00000002-0000-0ff1-ce00-000000000000" or
    "00000003-0000-0ff1-ce00-000000000000" or
    "00000005-0000-0ff1-ce00-000000000000"
) and azure.signinlogs.properties.is_interactive:true
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.geo.country_name",
    "event.outcome",
    "azure.signinlogs.properties.user_principal_name",
    "azure.signinlogs.properties.session_id",
    "azure.signinlogs.properties.app_id",
    "azure.signinlogs.properties.app_display_name",
    "azure.signinlogs.properties.resource_id",
    "azure.signinlogs.properties.resource_display_name",
    "azure.signinlogs.properties.authentication_protocol",
    "azure.signinlogs.properties.is_interactive",
    "azure.tenant_id",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
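As an added example, not part of the Elastic rule or its query engine, the clauses of the KQL query above are re-implemented in Python and run over constructed ECS-shaped sign-in records, so the matching logic (including the multi-valued `event.category` field and the `is_interactive:true` filter) can be tested offline. The `excluded_upns` parameter and the sample principals are assumptions added here to illustrate the principal exclusion the `false_positives` entry recommends.

```python
# Added example (not part of the Elastic rule): the rule's KQL clauses
# re-implemented in Python and run over constructed Entra ID sign-in records.
# Client and resource IDs copied verbatim from the rule query.
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
WATCHED_RESOURCE_IDS = {"00000002-0000-0ff1-ce00-000000000000",
                        "00000003-0000-0ff1-ce00-000000000000",
                        "00000005-0000-0ff1-ce00-000000000000"}
PROPS = "azure.signinlogs.properties."

def get_path(event, dotted):
    """Resolve an ECS dotted field name against a nested dict; None when absent."""
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def field_is(event, dotted, expected):
    """KQL-style equality: the field equals expected, or is a list containing it."""
    val = get_path(event, dotted)
    return expected in val if isinstance(val, list) else val == expected

def matches_rule(event, excluded_upns=frozenset()):
    """True when every clause of the rule query holds; excluded_upns is an assumed
    tuning knob for the documented exceptions the false_positives note describes."""
    if get_path(event, PROPS + "user_principal_name") in excluded_upns:
        return False
    return (field_is(event, "data_stream.dataset", "azure.signinlogs")
            and field_is(event, "event.category", "authentication")
            and field_is(event, "event.action", "Sign-in activity")
            and field_is(event, "event.outcome", "success")
            and field_is(event, PROPS + "app_id", BROKER_APP_ID)
            and field_is(event, PROPS + "authentication_protocol", "deviceCode")
            and get_path(event, PROPS + "resource_id") in WATCHED_RESOURCE_IDS
            and get_path(event, PROPS + "is_interactive") is True)

def make_signin(upn, protocol, resource_id, interactive,
                app_id=BROKER_APP_ID, outcome="success"):
    """Constructed sample record in the ECS layout the rule queries (not real data)."""
    return {"data_stream": {"dataset": "azure.signinlogs"},
            "event": {"category": ["authentication"], "action": "Sign-in activity",
                      "outcome": outcome},
            "azure": {"signinlogs": {"properties": {
                "user_principal_name": upn, "app_id": app_id,
                "authentication_protocol": protocol, "resource_id": resource_id,
                "is_interactive": interactive}}}}

# Constructed batch: an interactive device-code broker sign-in (alerts), the same
# flow flagged non-interactive, and a non-device-code protocol (both filtered out).
SAMPLE_EVENTS = [
    make_signin("alice@example.com", "deviceCode", "00000002-0000-0ff1-ce00-000000000000", True),
    make_signin("bob@example.com", "deviceCode", "00000002-0000-0ff1-ce00-000000000000", False),
    make_signin("carol@example.com", "ropc", "00000003-0000-0ff1-ce00-000000000000", True),
]
```

Running `[matches_rule(e) for e in SAMPLE_EVENTS]` yields `[True, False, False]`; passing `excluded_upns=frozenset({"alice@example.com"})` suppresses the only match, which is the tuning effect the rule's false-positive guidance describes.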
