Entra ID OAuth Phishing via First-Party Microsoft Application

  1[metadata]
  2creation_date = "2025/04/23"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2026/01/24"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects potentially suspicious OAuth authorization activity in Microsoft Entra ID where first-party Microsoft
 11applications from the FOCI (Family of Client IDs) group request access to Microsoft Graph or legacy Azure AD resources.
 12Developer tools like Azure CLI, Visual Studio Code, and Azure PowerShell accessing these resources are flagged, as they
 13are commonly abused in phishing campaigns like ConsentFix. Additionally, any FOCI family application accessing the
 14deprecated Windows Azure Active Directory resource is flagged since this API is rarely used legitimately and attackers
 15target it for stealth. First-party apps are trusted by default in all tenants and cannot be blocked, making them ideal
 16for OAuth phishing attacks.
 17"""
 18from = "now-9m"
 19index = ["filebeat-*", "logs-azure.signinlogs-*"]
 20language = "kuery"
 21license = "Elastic License v2"
 22name = "Entra ID OAuth Phishing via First-Party Microsoft Application"
 23note = """## Triage and analysis
 24
 25### Investigating Entra ID OAuth Phishing via First-Party Microsoft Application
 26
 27This rule detects OAuth authorization activity where FOCI (Family of Client IDs) applications access Microsoft Graph or legacy Azure AD resources. Adversaries exploit these trusted first-party apps in phishing campaigns like ConsentFix to steal authorization codes and exchange them for tokens from attacker infrastructure. Because first-party apps are pre-consented and cannot be blocked, attackers use them to bypass consent prompts and access user data without triggering typical OAuth alerts.
 28
 29The rule uses split detection logic: developer tools (Azure CLI, VSCode, PowerShell) accessing either Graph or legacy AAD are flagged, while any FOCI app accessing legacy AAD is flagged since this deprecated API is rarely used legitimately and attackers target it for stealth.
 30
 31### Possible investigation steps
 32
 33- Review `azure.signinlogs.properties.user_principal_name` to identify the affected user and determine if they are a high-value target (privileged roles, executives, IT admins).
 34- Analyze `source.ip` and `source.geo.*` for geographic anomalies. ConsentFix attackers exchange codes from different IPs than the victim's location.
 35- Check `azure.signinlogs.properties.app_display_name` to confirm which first-party application was used. Azure CLI or PowerShell access by non-developers is suspicious.
 36- Examine `azure.signinlogs.properties.resource_id` to identify the target resource. Legacy AAD (`00000002-0000-0000-c000-000000000000`) access is unusual for most users.
 37- Review `azure.signinlogs.properties.is_interactive` - non-interactive sign-ins shortly after interactive ones from different IPs indicate token replay.
 38- Correlate with other sign-in events using `azure.signinlogs.properties.session_id` to identify the full OAuth flow sequence.
 39- Pivot to `azure.graphactivitylogs` to search for subsequent Graph API activity from the same session or user from unusual locations.
 40- Check `azure.auditlogs` for device registration events around the same timeframe, which may indicate persistence attempts.
 41
 42### False positive analysis
 43
 44- Developers or IT administrators legitimately using Azure CLI, PowerShell, or VS Code to access Microsoft Graph or Azure AD.
 45- Enterprise automation or CI/CD pipelines using these tools with user-delegated permissions.
 46- Users working from multiple locations (VPN, travel) may show different IPs.
 47- Consider excluding known developer machines, managed devices, or specific user groups that regularly use these tools.
 48- Maintain an allowlist of expected source IPs tied to corporate infrastructure or developer environments.
 49
 50### Response and remediation
 51
 52- Contact the user immediately to confirm if they initiated the OAuth flow and used the detected application.
 53- If unauthorized, revoke all refresh tokens for the user via Microsoft Entra ID portal or PowerShell.
 54- Review the user's recent Microsoft Graph activity (email access, file downloads, Teams messages) for signs of data exfiltration.
 55- Block the source IP if confirmed malicious.
 56- Check for any devices registered during this session via `azure.auditlogs` and remove unauthorized device registrations.
 57- Implement Conditional Access policies to restrict OAuth flows for these applications to compliant devices only.
 58- Educate users about OAuth phishing and the risks of pasting authorization codes into websites.
 59"""
 60references = [
 61    "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
 62    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
 63    "https://pushsecurity.com/blog/consentfix",
 64    "https://github.com/secureworks/family-of-client-ids-research",
 65]
 66risk_score = 47
 67rule_id = "14fa0285-fe78-4843-ac8e-f4b481f49da9"
 68severity = "medium"
 69tags = [
 70    "Domain: Cloud",
 71    "Data Source: Azure",
 72    "Data Source: Microsoft Entra ID",
 73    "Data Source: Microsoft Entra ID Sign-in Logs",
 74    "Use Case: Identity and Access Audit",
 75    "Resources: Investigation Guide",
 76    "Tactic: Initial Access",
 77]
 78timestamp_override = "event.ingested"
 79type = "query"
 80
 81query = '''
 82event.dataset: "azure.signinlogs" and
 83event.action: "Sign-in activity" and
 84event.outcome: "success" and
 85(
 86  (
 87    azure.signinlogs.properties.app_id: (
 88      "aebc6443-996d-45c2-90f0-388ff96faa56" or
 89      "04b07795-8ddb-461a-bbee-02f9e1bf7b46" or
 90      "1950a258-227b-4e31-a9cf-717495945fc2"
 91    ) and (
 92      azure.signinlogs.properties.resource_id: ("00000003-0000-0000-c000-000000000000" or "00000002-0000-0000-c000-000000000000") or
 93      azure.signinlogs.properties.resource_display_name: ("Microsoft Graph" or "Windows Azure Active Directory")
 94    )
 95  ) or
 96  (
 97    azure.signinlogs.properties.app_id: (
 98      "00b41c95-dab0-4487-9791-b9d2c32c80f2" or
 99      "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or
100      "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or
101      "27922004-5251-4030-b22d-91ecd9a37ea4" or
102      "4813382a-8fa7-425e-ab75-3b753aab3abb" or
103      "ab9b8c07-8f02-4f72-87fa-80105867a763" or
104      "872cd9fa-d31f-45e0-9eab-6e460a02d1f1" or
105      "af124e86-4e96-495a-b70a-90f90ab96707" or
106      "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" or
107      "844cca35-0656-46ce-b636-13f48b0eecbd" or
108      "87749df4-7ccf-48f8-aa87-704bad0e0e16" or
109      "cf36b471-5b44-428c-9ce7-313bf84528de" or
110      "0ec893e0-5785-4de6-99da-4ed124e5296c" or
111      "22098786-6e16-43cc-a27d-191a01a1e3b5" or
112      "4e291c71-d680-4d0e-9640-0a3358e31177" or
113      "57336123-6e14-4acc-8dcf-287b6088aa28" or
114      "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0" or
115      "66375f6b-983f-4c2c-9701-d680650f588f" or
116      "a40d7d7d-59aa-447e-a655-679a4107e548" or
117      "a569458c-7f2b-45cb-bab9-b7dee514d112" or
118      "b26aadf8-566f-4478-926f-589f601d9c74" or
119      "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12" or
120      "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0" or
121      "e9c51622-460d-4d3d-952d-966a5b1da34c" or
122      "eb539595-3fe1-474e-9c1d-feb3625d1be5" or
123      "ecd6b820-32c2-49b6-98a6-444530e5a77a" or
124      "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d" or
125      "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34" or
126      "be1918be-3fe3-4be9-b32b-b542fc27f02e" or
127      "cab96880-db5b-4e15-90a7-f3f1d62ffe39" or
128      "d7b530a4-7680-4c23-a8bf-c52c121d2e87" or
129      "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3" or
130      "e9b154d0-7658-433b-bb25-6b8e0a8a7c59"
131    ) and (
132      azure.signinlogs.properties.resource_id: "00000002-0000-0000-c000-000000000000" or
133      azure.signinlogs.properties.resource_display_name: "Windows Azure Active Directory"
134    )
135  )
136)
137'''
138
139
140[[rule.threat]]
141framework = "MITRE ATT&CK"
142[[rule.threat.technique]]
143id = "T1078"
144name = "Valid Accounts"
145reference = "https://attack.mitre.org/techniques/T1078/"
146[[rule.threat.technique.subtechnique]]
147id = "T1078.004"
148name = "Cloud Accounts"
149reference = "https://attack.mitre.org/techniques/T1078/004/"
150
151
152[[rule.threat.technique]]
153id = "T1566"
154name = "Phishing"
155reference = "https://attack.mitre.org/techniques/T1566/"
156[[rule.threat.technique.subtechnique]]
157id = "T1566.002"
158name = "Spearphishing Link"
159reference = "https://attack.mitre.org/techniques/T1566/002/"
160
161
162
163[rule.threat.tactic]
164id = "TA0001"
165name = "Initial Access"
166reference = "https://attack.mitre.org/tactics/TA0001/"
167[[rule.threat]]
168framework = "MITRE ATT&CK"
169[[rule.threat.technique]]
170id = "T1528"
171name = "Steal Application Access Token"
172reference = "https://attack.mitre.org/techniques/T1528/"
173
174
175[rule.threat.tactic]
176id = "TA0006"
177name = "Credential Access"
178reference = "https://attack.mitre.org/tactics/TA0006/"