Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer tooling before tuning.

Elastic rule

[metadata]
creation_date = "2026/05/14"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/14"

[rule]
author = ["Elastic"]
description = """
Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle
(AiTM) activity: the Microsoft Authentication Broker requesting tokens for Microsoft Graph or Exchange Online, or the
Office web client application authenticating to itself, combined with Node.js-style user agents (node, axios, undici).
Tycoon 2FA bypasses MFA by relaying authentication and capturing session material, often targeting Microsoft 365 and
Gmail. Baseline legitimate automation and developer tooling before tuning.
"""
false_positives = [
    """
    Legitimate Node.js or undici-based automation, health checks, or internal services that use the Microsoft
    Authentication Broker or the same first-party application IDs against Graph or Exchange may match. Developers using
    axios or undici with delegated flows can also resemble this pattern.
    """,
]
from = "now-9m"
index = ["logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)"
note = """## Triage and analysis

### Investigating Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)

Review user.name, azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.app_id,
azure.signinlogs.properties.resource_id, user_agent.original, source.ip, source.geo fields, and
azure.signinlogs.properties.session_id.

Confirm whether the user intentionally signed in and whether Node.js-style user agents (node, axios, undici) are
expected for Microsoft Authentication Broker or Office web client flows in your environment.

### Possible investigation steps

- Correlate the session with Microsoft Graph activity logs and mailbox audit for follow-on data access.
- Review conditional access outcomes and MFA detail for the same session.
- Hunt for other sign-ins from the same source IP with unusual user agents or rapid OAuth patterns.

### Response and remediation

- If malicious, revoke refresh tokens for the user, reset credentials per policy, and review application consent.
- Block or monitor the source IP and escalate per incident procedures.
"""
references = ["https://any.run/malware-trends/tycoon/"]
risk_score = 73
rule_id = "6e6376c1-a71e-4789-a795-198b05664064"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-in Logs",
    "Use Case: Threat Detection",
    "Threat: Tycoon2FA",
    "Tactic: Initial Access",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"azure.signinlogs" and event.category:"authentication" and
event.action:"Sign-in activity" and
(
    (
        azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
        azure.signinlogs.properties.resource_id:(
            "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000"
        )
    ) or
    (
        azure.signinlogs.properties.app_id:"4765445b-32c6-49b0-83e6-1d93765276ca" and
        azure.signinlogs.properties.resource_id:"4765445b-32c6-49b0-83e6-1d93765276ca"
    )
) and user_agent.original:(node or axios* or undici)
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.geo.country_name",
    "event.outcome",
    "azure.signinlogs.properties.user_principal_name",
    "azure.signinlogs.properties.session_id",
    "azure.signinlogs.properties.app_display_name",
    "azure.signinlogs.properties.app_id",
    "azure.signinlogs.properties.resource_display_name",
    "azure.signinlogs.properties.resource_id",
    "azure.signinlogs.properties.authentication_protocol",
    "azure.tenant_id",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
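To make the query's two branches and its user-agent terms concrete, here is an added Python re-implementation of the rule's match logic run over constructed ECS-shaped sign-in events; it is example code, not part of the Elastic rule, and it assumes keyword-field semantics for user_agent.original (node and undici match as whole values, axios* as a prefix). The application and resource IDs are the ones the rule itself lists; the sample events and user principal names are constructed.

```python
# Added example, not Elastic's code: the rule's KQL logic re-implemented in Python over constructed events.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # Microsoft Authentication Broker (from the rule)
EXO_RESOURCE_ID = "00000002-0000-0ff1-ce00-000000000000"      # Exchange Online (from the rule)
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph (from the rule)
OFFICE_HOME_APP_ID = "4765445b-32c6-49b0-83e6-1d93765276ca"   # Office web client / OfficeHome (from the rule)

def field(event, path):
    """Resolve a dotted ECS path through nested dicts; None when any segment is absent."""
    for key in path.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def has_term(event, path, value):
    """KQL term match: a scalar equal to value, or an array (e.g. event.category) containing it."""
    found = field(event, path)
    return found == value or (isinstance(found, list) and value in found)

def nodejs_style_user_agent(ua):
    """`user_agent.original:(node or axios* or undici)`: whole-value terms for node/undici, prefix for axios*."""
    return isinstance(ua, str) and (ua in ("node", "undici") or ua.startswith("axios"))

def matches_rule(event):
    """True when the event satisfies the rule query's full boolean expression."""
    if not (has_term(event, "data_stream.dataset", "azure.signinlogs")
            and has_term(event, "event.category", "authentication")
            and has_term(event, "event.action", "Sign-in activity")):
        return False
    app = field(event, "azure.signinlogs.properties.app_id")
    res = field(event, "azure.signinlogs.properties.resource_id")
    broker_to_graph_or_exo = app == AUTH_BROKER_APP_ID and res in (EXO_RESOURCE_ID, GRAPH_RESOURCE_ID)
    officehome_to_itself = app == OFFICE_HOME_APP_ID and res == OFFICE_HOME_APP_ID
    return (broker_to_graph_or_exo or officehome_to_itself) and nodejs_style_user_agent(
        field(event, "user_agent.original"))

def signin(app_id, resource_id, ua, upn):
    """Constructed ECS-shaped Entra ID sign-in event carrying only the fields the rule reads."""
    return {"data_stream": {"dataset": "azure.signinlogs"},
            "event": {"category": ["authentication"], "action": "Sign-in activity"},
            "user_agent": {"original": ua},
            "azure": {"signinlogs": {"properties": {"app_id": app_id, "resource_id": resource_id, "user_principal_name": upn}}}}

SAMPLE_EVENTS = [  # constructed sample data: the first two fire, the last two do not
    signin(AUTH_BROKER_APP_ID, GRAPH_RESOURCE_ID, "axios/1.6.8", "alice@example.test"),
    signin(OFFICE_HOME_APP_ID, OFFICE_HOME_APP_ID, "undici", "bob@example.test"),
    signin(OFFICE_HOME_APP_ID, GRAPH_RESOURCE_ID, "node", "carol@example.test"),  # OfficeHome -> Graph: not in rule
    signin(AUTH_BROKER_APP_ID, EXO_RESOURCE_ID, "Mozilla/5.0 (Windows NT 10.0)", "dave@example.test"),  # browser UA
]

def alert_upns(events):
    """User principal names of the events that would fire the rule."""
    return [field(e, "azure.signinlogs.properties.user_principal_name") for e in events if matches_rule(e)]
```

Feeding exported sign-in documents through `alert_upns` is a quick way to baseline which first-party automation in a tenant would trip the rule before deploying it.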

Triage and analysis

Investigating Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)

Review user.name, azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.app_id, azure.signinlogs.properties.resource_id, user_agent.original, source.ip, source.geo fields, and azure.signinlogs.properties.session_id.

Confirm whether the user intentionally signed in and whether Node.js-style user agents (node, axios, undici) are expected for Microsoft Authentication Broker or Office web client flows in your environment.

Possible investigation steps

  • Correlate the session with Microsoft Graph activity logs and mailbox audit for follow-on data access.
  • Review conditional access outcomes and MFA detail for the same session.
  • Hunt for other sign-ins from the same source IP with unusual user agents or rapid OAuth patterns.

Response and remediation

  • If malicious, revoke refresh tokens for the user, reset credentials per policy, and review application consent.
  • Block or monitor the source IP and escalate per incident procedures.
