Microsoft 365 OAuth Redirect to Device Registration for User Principal
Identifies attempts to register a new device in Microsoft Entra ID after OAuth authentication with authorization code grant. Adversaries may use OAuth phishing techniques to obtain an OAuth authorization code, which can then be exchanged for access and refresh tokens. This rule detects a sequence of events where a user principal authenticates via OAuth, followed by a device registration event, indicating potential misuse of the OAuth flow to establish persistence or access resources.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/04/30"
integration = ["o365"]
maturity = "production"
updated_date = "2025/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to register a new device in Microsoft Entra ID after OAuth authentication with authorization code
grant. Adversaries may use OAuth phishing techniques to obtain an OAuth authorization code, which can then be exchanged
for access and refresh tokens. This rule detects a sequence of events where a user principal authenticates via OAuth,
followed by a device registration event, indicating potential misuse of the OAuth flow to establish persistence or
access resources.
"""
from = "now-30m"
index = ["filebeat-*", "logs-o365.audit-*"]
interval = "15m"
language = "eql"
license = "Elastic License v2"
name = "Microsoft 365 OAuth Redirect to Device Registration for User Principal"
note = """## Triage and analysis

### Investigating Microsoft 365 OAuth Redirect to Device Registration for User Principal

### Possible investigation steps
- Review the two UserLoggedIn logs to confirm that they come from different source.ip values and are associated with the same account.
- Verify all events associated with the source.ip of the second event in the sequence.
- Investigate the details of the new device that was added by reviewing the o365.audit.ModifiedProperties.Device_DisplayName.NewValue attribute.
- Investigate the user account associated with the successful sign-in to determine if this activity aligns with expected behavior or if it appears suspicious.
- Review the history of sign-ins for the user to identify any patterns or unusual access times that could suggest unauthorized access.
- Assess the device from which the sign-in was attempted to ensure it is a recognized and authorized device for the user.

### False positive analysis
- Both authentication events of the sequence originate from the same source.ip.
- A user with multiple devices added a new device after an OAuth code authentication.

### Response and remediation
- Immediately revoke the compromised Primary Refresh Tokens (PRTs) to prevent further unauthorized access. This can be done through the Azure portal by navigating to the user's account and invalidating all active sessions.
- Enforce a password reset for the affected user accounts to ensure that any credentials potentially compromised during the attack are no longer valid.
- Implement additional Conditional Access policies that require device compliance checks and restrict access to trusted locations or devices only, to mitigate the risk of future PRT abuse.
- Conduct a thorough review of the affected accounts' recent activity logs to identify any unauthorized actions or data access that may have occurred during the compromise.
- Escalate the incident to the security operations team for further investigation and to determine if there are any broader implications or additional compromised accounts.
- Enhance monitoring by configuring alerts for unusual sign-in patterns or device code authentication attempts from unexpected locations or devices, to improve early detection of similar threats.
- Coordinate with the incident response team to perform a post-incident analysis and update the incident response plan with lessons learned from this event."""
references = [
    "https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow",
    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
]
risk_score = 73
rule_id = "fcd2e4be-6ec4-482f-9222-6245367cd738"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by related.user with maxspan=30m
[authentication where event.action == "UserLoggedIn" and
 o365.audit.ExtendedProperties.RequestType == "OAuth2:Authorize" and o365.audit.ExtendedProperties.ResultStatusDetail == "Redirect" and
 o365.audit.UserType: ("0", "2", "3", "10")] // victim source.ip
[authentication where event.action == "UserLoggedIn" and
 o365.audit.ExtendedProperties.RequestType == "OAuth2:Token" and o365.audit.ExtendedProperties.ResultStatusDetail == "Success"] // attacker source.ip to convert oauth code to token
[web where event.dataset == "o365.audit" and event.action == "Add registered users to device."] // user.name is captured in related.user
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
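Added example (not part of the Elastic rule or its repository): a small Python emulation of the three-stage EQL sequence above, run over constructed o365.audit-style events, with the guide's first triage check (do the two UserLoggedIn events come from different source.ip values?) applied to each hit. Field names are flattened to short keys, and the sequence semantics are simplified to one in-progress candidate per user.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=30)  # the rule's `with maxspan=30m`

def ev(ts, user, ip, action, **extra):
    return {"ts": ts, "user": user, "ip": ip, "action": action, **extra}

# Constructed sample events flattened to the fields the rule uses (not real o365.audit logs).
EVENTS = [
    # alice: code issued to one IP, exchanged for a token from another IP, then a device is registered
    ev("2025-04-30T10:00:00", "alice", "203.0.113.10", "UserLoggedIn", request="OAuth2:Authorize", result="Redirect", usertype="0"),
    ev("2025-04-30T10:02:00", "alice", "198.51.100.7", "UserLoggedIn", request="OAuth2:Token", result="Success"),
    ev("2025-04-30T10:05:00", "alice", "198.51.100.7", "Add registered users to device.", device="LAPTOP-UNKNOWN"),
    # bob: same chain, but both auth steps from one IP (the guide's false-positive case)
    ev("2025-04-30T11:00:00", "bob", "192.0.2.5", "UserLoggedIn", request="OAuth2:Authorize", result="Redirect", usertype="0"),
    ev("2025-04-30T11:01:00", "bob", "192.0.2.5", "UserLoggedIn", request="OAuth2:Token", result="Success"),
    ev("2025-04-30T11:03:00", "bob", "192.0.2.5", "Add registered users to device.", device="BOB-SURFACE"),
    # carol: device registered 45 minutes after the redirect, outside maxspan, so no match
    ev("2025-04-30T12:00:00", "carol", "203.0.113.10", "UserLoggedIn", request="OAuth2:Authorize", result="Redirect", usertype="0"),
    ev("2025-04-30T12:03:00", "carol", "198.51.100.7", "UserLoggedIn", request="OAuth2:Token", result="Success"),
    ev("2025-04-30T12:45:00", "carol", "198.51.100.7", "Add registered users to device.", device="CAROL-VM"),
]

STAGES = [  # one predicate per EQL stage, in order
    lambda e: e["action"] == "UserLoggedIn" and e.get("request") == "OAuth2:Authorize"
              and e.get("result") == "Redirect" and e.get("usertype") in {"0", "2", "3", "10"},
    lambda e: e["action"] == "UserLoggedIn" and e.get("request") == "OAuth2:Token" and e.get("result") == "Success",
    lambda e: e["action"] == "Add registered users to device.",
]

def find_sequences(events, maxspan=MAXSPAN):
    """Emulate `sequence by related.user with maxspan=30m`; one candidate per user, restarted by each stage-1 event."""
    hits, pending = [], {}  # pending[user] = events matched so far for that user
    for e in sorted(events, key=lambda e: e["ts"]):
        user, t = e["user"], datetime.fromisoformat(e["ts"])
        if STAGES[0](e):
            pending[user] = [e]  # start (or restart) the candidate chain
            continue
        chain = pending.get(user)
        if not chain or t - datetime.fromisoformat(chain[0]["ts"]) > maxspan:
            pending.pop(user, None)  # no open chain, or window measured from stage 1 has expired
            continue
        if STAGES[len(chain)](e):  # event must satisfy the next stage in order
            chain.append(e)
            if len(chain) == len(STAGES):
                hits.append(pending.pop(user))
    return hits

def triage(seq):  # guide's first step: did the two UserLoggedIn events come from different source.ip values?
    return {"user": seq[0]["user"], "device": seq[2]["device"], "different_ips": seq[0]["ip"] != seq[1]["ip"]}
```

Running `triage` over `find_sequences(EVENTS)` yields alice with `different_ips` True and bob with it False; carol never completes the sequence.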
Related rules
- Microsoft 365 OAuth Phishing via Visual Studio Code Client
- Microsoft 365 Illicit Consent Grant via Registered Application
- Attempts to Brute Force a Microsoft 365 User Account
- Azure Entra MFA TOTP Brute Force Attempts
- Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source