M365 Identity OAuth Phishing via First-Party Microsoft Application

  1[metadata]
  2creation_date = "2025/04/23"
  3integration = ["o365"]
  4maturity = "production"
  5updated_date = "2025/12/17"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects potentially suspicious OAuth authorization activity in Microsoft 365 where first-party Microsoft applications
 11from the FOCI (Family of Client IDs) group request access to Microsoft Graph or legacy Azure AD resources. Developer
 12tools like Azure CLI, Visual Studio Code, and Azure PowerShell accessing these resources are flagged, as they are
 13commonly abused in phishing campaigns like ConsentFix. Additionally, any FOCI family application accessing the
 14deprecated Windows Azure Active Directory resource is flagged since this API is rarely used legitimately and attackers
 15target it for stealth. First-party apps are trusted by default in all tenants and cannot be blocked, making them ideal
 16for OAuth phishing attacks.
 17"""
 18from = "now-25m"
 19index = ["logs-o365.audit-*"]
 20language = "kuery"
 21license = "Elastic License v2"
 22name = "M365 Identity OAuth Phishing via First-Party Microsoft Application"
 23note = """## Triage and analysis
 24
 25### Investigating M365 Identity OAuth Phishing via First-Party Microsoft Application
 26
 27This rule detects OAuth authorization activity where FOCI (Family of Client IDs) applications access Microsoft Graph or legacy Azure AD resources. Adversaries exploit these trusted first-party apps in phishing campaigns like ConsentFix to steal authorization codes and exchange them for tokens from attacker infrastructure. The rule specifically looks for `OAuth2:Authorize` requests with `Redirect` status, which indicates the user was redirected after authorization and the OAuth code was exposed.
 28
 29The rule uses split detection logic: developer tools (Azure CLI, VSCode, PowerShell) accessing either Graph or legacy AAD are flagged, while any FOCI app accessing legacy AAD is flagged since this deprecated API is rarely used legitimately and attackers target it for stealth.
 30
 31### Possible investigation steps
 32
 33- Review `o365.audit.UserId` to identify the impacted account and validate whether the user expected to authorize the application.
 34- Check `o365.audit.ActorIpAddress` for unexpected IPs, especially outside corporate ranges or from proxy/VPN networks.
 35- Examine `user_agent.original` and `o365.audit.DeviceProperties` for suspicious patterns (automation tools, headless browsers, unusual browser/OS combinations).
 36- Confirm `o365.audit.Target.ID` to identify the resource being accessed. Legacy AAD (`00000002-0000-0000-c000-000000000000`) access is unusual for most users.
 37- Review `o365.audit.ExtendedProperties.RequestType` and `ResultStatusDetail` - `OAuth2:Authorize` with `Redirect` indicates the OAuth code was exposed to the user.
 38- Look for subsequent `OAuth2:Token` events from different IPs using the same `o365.audit.UserId`, which indicates token exchange from attacker infrastructure.
 39- Pivot to `azure.graphactivitylogs` to check for follow-up Graph API activity (mailbox enumeration, file access) from unfamiliar locations.
 40- Correlate with `azure.signinlogs` for additional sign-in context and device details.
 41
 42### False positive analysis
 43
 44- Developers or IT users intentionally using Visual Studio Code, Azure CLI, or Azure PowerShell to connect to Microsoft 365.
 45- Legitimate VS Code extensions that sync or query Graph API data (calendars, tasks, cloud-hosted notebooks).
 46- Enterprise automation or CI/CD pipelines using these tools with user-delegated permissions.
 47- Exclude known user agents and hosts that regularly use these applications against Graph.
 48- Whitelist specific source IPs or devices tied to developer machines.
 49
 50### Response and remediation
 51
 52- Contact the user to confirm if they expected this login or may have shared an OAuth code via phishing page, Signal, or WhatsApp.
 53- If unauthorized, revoke all refresh tokens for the user and reset credentials.
 54- Review recent Microsoft Graph activity (email, file access, Teams) for signs of data exfiltration.
 55- Block or restrict future use of OAuth tokens from unknown apps or IPs via Conditional Access.
 56- Check `azure.auditlogs` for device registration events and remove any unauthorized registrations.
 57- Educate users about OAuth phishing techniques and the risks of sharing authorization codes.
 58"""
 59references = [
 60    "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
 61    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
 62    "https://pushsecurity.com/blog/consentfix",
 63    "https://github.com/secureworks/family-of-client-ids-research",
 64]
 65risk_score = 47
 66rule_id = "929d0766-204b-11f0-9c1f-f661ea17fbcd"
 67severity = "medium"
 68tags = [
 69    "Domain: Cloud",
 70    "Domain: SaaS",
 71    "Data Source: Microsoft 365",
 72    "Data Source: Microsoft 365 Audit Logs",
 73    "Use Case: Identity and Access Audit",
 74    "Resources: Investigation Guide",
 75    "Tactic: Initial Access",
 76]
 77timestamp_override = "event.ingested"
 78type = "query"
 79
 80query = '''
 81event.dataset: "o365.audit"
 82    and event.action: "UserLoggedIn"
 83    and o365.audit.ExtendedProperties.RequestType: "OAuth2:Authorize"
 84    and o365.audit.ExtendedProperties.ResultStatusDetail: "Redirect"
 85    and o365.audit.UserType: ("0" or "2" or "3" or "5" or "6" or "10")
 86    and (
 87        (
 88            o365.audit.ApplicationId: (
 89                "aebc6443-996d-45c2-90f0-388ff96faa56" or
 90                "04b07795-8ddb-461a-bbee-02f9e1bf7b46" or
 91                "1950a258-227b-4e31-a9cf-717495945fc2"
 92            )
 93            and o365.audit.Target.ID: (
 94                "00000003-0000-0000-c000-000000000000" or
 95                "00000002-0000-0000-c000-000000000000"
 96            )
 97        ) or
 98        (
 99            o365.audit.ApplicationId: (
100                "00b41c95-dab0-4487-9791-b9d2c32c80f2" or
101                "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or
102                "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or
103                "27922004-5251-4030-b22d-91ecd9a37ea4" or
104                "4813382a-8fa7-425e-ab75-3b753aab3abb" or
105                "ab9b8c07-8f02-4f72-87fa-80105867a763" or
106                "d3590ed6-52b3-4102-aeff-aad2292ab01c" or
107                "872cd9fa-d31f-45e0-9eab-6e460a02d1f1" or
108                "af124e86-4e96-495a-b70a-90f90ab96707" or
109                "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" or
110                "844cca35-0656-46ce-b636-13f48b0eecbd" or
111                "87749df4-7ccf-48f8-aa87-704bad0e0e16" or
112                "cf36b471-5b44-428c-9ce7-313bf84528de" or
113                "0ec893e0-5785-4de6-99da-4ed124e5296c" or
114                "22098786-6e16-43cc-a27d-191a01a1e3b5" or
115                "4e291c71-d680-4d0e-9640-0a3358e31177" or
116                "57336123-6e14-4acc-8dcf-287b6088aa28" or
117                "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0" or
118                "66375f6b-983f-4c2c-9701-d680650f588f" or
119                "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" or
120                "a40d7d7d-59aa-447e-a655-679a4107e548" or
121                "a569458c-7f2b-45cb-bab9-b7dee514d112" or
122                "b26aadf8-566f-4478-926f-589f601d9c74" or
123                "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12" or
124                "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0" or
125                "e9c51622-460d-4d3d-952d-966a5b1da34c" or
126                "eb539595-3fe1-474e-9c1d-feb3625d1be5" or
127                "ecd6b820-32c2-49b6-98a6-444530e5a77a" or
128                "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d" or
129                "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34" or
130                "be1918be-3fe3-4be9-b32b-b542fc27f02e" or
131                "cab96880-db5b-4e15-90a7-f3f1d62ffe39" or
132                "d7b530a4-7680-4c23-a8bf-c52c121d2e87" or
133                "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3" or
134                "e9b154d0-7658-433b-bb25-6b8e0a8a7c59"
135            )
136            and o365.audit.Target.ID: "00000002-0000-0000-c000-000000000000"
137        )
138    )
139'''
140
141
142[[rule.threat]]
143framework = "MITRE ATT&CK"
144[[rule.threat.technique]]
145id = "T1078"
146name = "Valid Accounts"
147reference = "https://attack.mitre.org/techniques/T1078/"
148[[rule.threat.technique.subtechnique]]
149id = "T1078.004"
150name = "Cloud Accounts"
151reference = "https://attack.mitre.org/techniques/T1078/004/"
152
153
154[[rule.threat.technique]]
155id = "T1566"
156name = "Phishing"
157reference = "https://attack.mitre.org/techniques/T1566/"
158[[rule.threat.technique.subtechnique]]
159id = "T1566.002"
160name = "Spearphishing Link"
161reference = "https://attack.mitre.org/techniques/T1566/002/"
162
163
164
165[rule.threat.tactic]
166id = "TA0001"
167name = "Initial Access"
168reference = "https://attack.mitre.org/tactics/TA0001/"