M365 Identity Device Code Grant with Unusual User and ASN

Identifies a Microsoft 365 OAuth device code grant ("Cmsi:Cmsi") with application Microsoft Authentication Broker ("29d9ed98-a469-4536-ade2-f981bc1d605e") for Microsoft Graph from a source ASN not previously observed for that user in a historical window. Phishing kits leveraging device code phishing complete the full login (password and MFA) at the genuine Microsoft endpoint and harvest the resulting token by polling, so MFA does not stop them and the authorization commonly originates from attacker-controlled residential proxy or hosting infrastructure rather than the user's normal network.

Elastic rule

[metadata]
creation_date = "2026/06/01"
integration = ["o365"]
maturity = "production"
updated_date = "2026/06/01"

[rule]
author = ["Elastic"]
description = """
Identifies a Microsoft 365 OAuth device code grant ("Cmsi:Cmsi") with application Microsoft Authentication Broker
("29d9ed98-a469-4536-ade2-f981bc1d605e") for Microsoft Graph from a source ASN not previously observed for that user in
a historical window. Phishing kits leveraging device code phishing complete the full login (password and MFA) at the
genuine Microsoft endpoint and harvest the resulting token by polling, so MFA does not stop them and the authorization
commonly originates from attacker-controlled residential proxy or hosting infrastructure rather than the user's normal
network.
"""
false_positives = [
    """
    A user authenticating via the device code flow for the first time from a new but legitimate network, such as travel,
    a new home or office ISP, a corporate VPN, or a mobile carrier. Device code authentication is expected when
    enrolling or signing in on input-constrained devices (smart TVs, kiosks, IoT, conference room devices) and for some
    CLI or headless developer workflows. Review the source ASN, geolocation, and the user's prior device code history to
    confirm whether the origin is plausible before escalating.
    """,
]
from = "now-9m"
index = ["logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Identity Device Code Grant with Unusual User and ASN"
note = """## Triage and analysis

### Investigating M365 Identity Device Code Grant with Unusual User and ASN

This rule detects a user completing an OAuth device code grant (`Cmsi:Cmsi`) to the Microsoft Authentication Broker for Microsoft Graph from a source ASN not seen for that user within the rule's historical window (defined by the new terms history setting). A match means the user has not authenticated via this flow from that ASN during the lookback window, not necessarily that it has never happened. Device code phishing kits (for example Kali365, Storm-2372 tradecraft) drive the device code flow against the genuine Microsoft endpoint and poll the token endpoint in the background, so the victim satisfies MFA while the attacker harvests a fully MFA-satisfied token. The grant therefore frequently appears from residential proxy or hosting/datacenter infrastructure the user has not authenticated from during the window.

### Possible investigation steps

- Review `o365.audit.UserId` to identify the impacted account and confirm whether the user expected to perform a device code sign-in.
- Inspect `source.as.number` and `source.as.organization.name` for the source ASN. Hosting, VPN, or datacenter providers (for example Tencent, Alibaba, DigitalOcean) are unusual for interactive user authentication.
- Review `source.ip`, `source.geo.country_name`, and `source.geo.city_name` and compare with the user's normal sign-in locations.
- Examine `o365.audit.DeviceProperties` and `user_agent.original` for non-managed devices and automation or headless-browser patterns.
- Confirm `o365.audit.ApplicationId` is the Microsoft Authentication Broker (`29d9ed98-a469-4536-ade2-f981bc1d605e`) and `o365.audit.Target.ID` is Microsoft Graph (`00000003-0000-0000-c000-000000000000`).
- Pivot to `azure.signinlogs` for the corresponding `deviceCode` sign-in, including `is_interactive`, conditional access decisions, and any concurrent non-interactive token-issuance legs from a different ASN (the kit's polling backend).
- Pivot to `azure.graphactivitylogs` for follow-up Graph activity (`/me` recon, mailbox or file enumeration) from the same or related ASNs.
- Check `azure.auditlogs` for subsequent device registration events on the user, which device code phishing kits use to establish Primary Refresh Token persistence.

### False positive analysis

- A legitimate first-time device code sign-in from a new ISP, mobile carrier, corporate VPN, or while traveling.
- Provisioning of input-constrained devices (smart TVs, kiosks, IoT, conference room devices).
- CLI or headless developer workflows that use the device code flow against the Authentication Broker.
- If a source ASN is confirmed benign and recurring for the environment, suppress it via a rule exception rather than broadening the query.

### Response and remediation

- Contact the user to confirm whether they initiated the device code sign-in or may have entered a code presented on a phishing page.
- If unauthorized, revoke all refresh tokens for the user and reset credentials to invalidate the harvested token.
- Review and remove any unauthorized device registrations to cut off Primary Refresh Token persistence.
- Review recent Microsoft Graph, Exchange, SharePoint, and Teams activity for the user for signs of recon or exfiltration.
- Restrict device code authentication to only the users and applications that require it via Conditional Access authentication flow policies.
- Educate users on device code phishing and the risk of entering codes presented by unsolicited documents or messages.
"""
references = [
    "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/",
    "https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/",
    "https://www.ic3.gov/PSA/2026/PSA260521",
    "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",
    "https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",
]
risk_score = 73
rule_id = "ed2461e1-d6bf-4550-87b9-c008d6ac15f4"
setup = """#### Required Microsoft 365 Audit Logs
This rule requires the Microsoft 365 integration with unified audit logs (Azure AD / Entra sign-in events surfaced in the Microsoft 365 audit log) enabled and shipping to Elastic.
"""
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Domain: Identity",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "o365.audit"
    and o365.audit.ExtendedProperties.RequestType: "Cmsi:Cmsi"
    and o365.audit.Actor.Type: (0 or 2 or 3 or 5 or 10)
    and o365.audit.ApplicationId: "29d9ed98-a469-4536-ade2-f981bc1d605e"
    and o365.audit.Target.ID: "00000003-0000-0000-c000-000000000000"
    and o365.audit.DeviceProperties.Value: "False"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "source.as.number"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
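The query filter, the new_terms semantics (the term is the (UserId, ASN) pair, "new" means unseen in query-matching documents inside the 7-day window, not never seen) and the azure.signinlogs pivot from the triage guide, replayed offline over constructed documents. This is an added example and not Elastic's code or part of the rule; documents are flat dicts keyed by the rule's field names, the o365.audit sample and the sign-in sample are constructed, and the azure.signinlogs field names used in the pivot helper are an assumption.

```python
"""Offline replay of this rule's query and new_terms semantics over constructed o365.audit
documents. Added example, not Elastic's code; field names in the sign-in pivot are approximate."""
from datetime import datetime, timedelta, timezone

# Literals copied from the rule's query and new_terms settings.
REQUEST_TYPE = "Cmsi:Cmsi"
ACTOR_TYPES = {0, 2, 3, 5, 10}
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"
QUERY_LOOKBACK = timedelta(minutes=9)  # from = "now-9m"
HISTORY_WINDOW = timedelta(days=7)     # history_window_start = "now-7d"
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the replay


def audit_doc(user, asn, age, request_type=REQUEST_TYPE, actor_type=0):
    """One constructed o365.audit document, keyed by the fields the rule queries."""
    return {"@timestamp": NOW - age, "event.dataset": "o365.audit",
            "o365.audit.UserId": user, "source.as.number": asn,
            "o365.audit.ExtendedProperties.RequestType": request_type,
            "o365.audit.Actor.Type": actor_type,
            "o365.audit.ApplicationId": AUTH_BROKER_APP_ID,
            "o365.audit.Target.ID": MS_GRAPH_RESOURCE_ID,
            "o365.audit.DeviceProperties.Value": "False"}


# Constructed sample. ASN 7922 stands in for a home ISP, 45090 for a hosting provider.
AUDIT_DOCS = [
    audit_doc("alice@example.com", 7922, timedelta(days=10)),     # older than the history window
    audit_doc("alice@example.com", 7922, timedelta(days=3)),      # inside the history window
    audit_doc("alice@example.com", 7922, timedelta(minutes=2)),   # known pair: no alert
    audit_doc("alice@example.com", 45090, timedelta(minutes=3)),  # ASN new for alice: alert
    audit_doc("bob@example.com", 45090, timedelta(days=2), request_type="OAuth2:Authorize"),  # not a grant: no history
    audit_doc("bob@example.com", 45090, timedelta(minutes=4)),    # pair unseen in matching docs: alert
    audit_doc("carol@example.com", 7922, timedelta(days=12)),     # last grant predates the window
    audit_doc("carol@example.com", 7922, timedelta(minutes=1)),   # "new" again: alert
    audit_doc("dave@example.com", 45090, timedelta(minutes=5), actor_type=4),  # Actor.Type not in the list
]


def matches_query(doc):
    """The rule's KQL filter, clause for clause."""
    return (doc["event.dataset"] == "o365.audit"
            and doc["o365.audit.ExtendedProperties.RequestType"] == REQUEST_TYPE
            and doc["o365.audit.Actor.Type"] in ACTOR_TYPES
            and doc["o365.audit.ApplicationId"] == AUTH_BROKER_APP_ID
            and doc["o365.audit.Target.ID"] == MS_GRAPH_RESOURCE_ID
            and doc["o365.audit.DeviceProperties.Value"] == "False")


def new_terms_alerts(docs, now=NOW, lookback=QUERY_LOOKBACK, history=HISTORY_WINDOW):
    """Emulate type = "new_terms" over the pair (o365.audit.UserId, source.as.number).
    A matching document in the run window alerts when no query-matching document between
    history_window_start and itself carries the same pair. Only matching documents build
    history and older ones are forgotten, so a pair can be "new" more than once."""
    matching = sorted((d for d in docs if matches_query(d)), key=lambda d: d["@timestamp"])
    alerts = []
    for doc in matching:
        ts = doc["@timestamp"]
        if not (now - lookback <= ts <= now):
            continue  # outside the run window: contributes history only
        pair = (doc["o365.audit.UserId"], doc["source.as.number"])
        seen = any((d["o365.audit.UserId"], d["source.as.number"]) == pair
                   and now - history <= d["@timestamp"] < ts for d in matching)
        if not seen:
            alerts.append({"user": pair[0], "asn": pair[1], "@timestamp": ts})
    return alerts


def signin_doc(user, asn, age, interactive):
    """One constructed azure.signinlogs document (field names approximate the integration's)."""
    return {"@timestamp": NOW - age, "user.name": user, "source.as.number": asn,
            "azure.signinlogs.properties.is_interactive": interactive}


SIGNIN_DOCS = [
    signin_doc("alice@example.com", 7922, timedelta(minutes=3, seconds=40), True),    # victim's own network
    signin_doc("alice@example.com", 45090, timedelta(minutes=2, seconds=50), False),  # token leg, hosting ASN
    signin_doc("alice@example.com", 7922, timedelta(hours=2), True),                  # unrelated, outside window
]


def related_signin_legs(alert, signin_docs, window=timedelta(minutes=5)):
    """Triage pivot: sign-in legs for the alerted user within +/- window of the grant. Legs from
    an ASN other than the alert's are where the victim's interactive sign-in and the kit's
    polling backend separate."""
    return [{"asn": d["source.as.number"],
             "interactive": d["azure.signinlogs.properties.is_interactive"],
             "different_asn": d["source.as.number"] != alert["asn"]}
            for d in signin_docs
            if d["user.name"] == alert["user"] and abs(d["@timestamp"] - alert["@timestamp"]) <= window]


if __name__ == "__main__":
    for a in new_terms_alerts(AUDIT_DOCS):
        print(a["@timestamp"].isoformat(), a["user"], "ASN", a["asn"], related_signin_legs(a, SIGNIN_DOCS))
```

Running it yields three alerts (bob, alice from the hosting ASN, carol) and none for alice's grant from her usual ASN. Carol alerts even though she has used that ASN before, because her last grant falls outside the 7-day window, and bob alerts although a non-device-code sign-in from the same ASN sits inside the window, because history is built only from documents that match the query; both are the behaviours the triage guide warns about.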
