M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)
Detects Microsoft 365 audit "UserLoggedIn" events consistent with Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting access where the object identifier matches Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer tooling before tuning.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/05/14"
integration = ["o365"]
maturity = "production"
updated_date = "2026/05/14"

[rule]
author = ["Elastic"]
description = """
Detects Microsoft 365 audit "UserLoggedIn" events consistent with Tycoon 2FA phishing-as-a-service (PhaaS)
adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting access where the object
identifier matches Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself,
combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and
capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer
tooling before tuning.
"""
false_positives = [
    """
    Legitimate Node.js or undici-based automation, health checks, or internal services that use the Microsoft
    Authentication Broker or the same first-party application IDs against Graph or Exchange may match. Developers using
    axios or undici with delegated flows can also resemble this pattern.
    """,
]
from = "now-9m"
index = ["logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)"
note = """## Triage and analysis

### Investigating M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

Review `o365.audit.UserId`, `user_agent.original`, `source.ip` or `o365.audit.ActorIpAddress`, and related Entra ID
sign-in logs (`azure.signinlogs`) for the same session or time window.

Confirm whether the account owner intentionally authenticated and whether Node.js-style user agents (node, axios, undici)
are expected for Microsoft Authentication Broker or Office web client flows in your environment.

### Possible investigation steps

- Correlate with `azure.signinlogs` for matching user principal name, IP, and session identifiers.
- Review Microsoft Graph or Exchange audit activity following the login for mailbox or data access anomalies.
- Hunt for other `UserLoggedIn` events from the same source with unusual user agents or rapid OAuth patterns.

### Response and remediation

- If malicious, revoke refresh tokens for the user, reset credentials per policy, and review conditional access outcomes.
- Block or monitor the source IP and escalate per incident procedures.
"""
references = ["https://any.run/malware-trends/tycoon/"]
risk_score = 73
rule_id = "275b972d-2fed-44fc-9214-08603b3318e3"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Threat: Tycoon2FA",
    "Tactic: Initial Access",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"o365.audit" and event.category:"authentication" and event.action:"UserLoggedIn" and
(
  (
    o365.audit.ApplicationId:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
    o365.audit.ObjectId:(
      "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000"
    )
  ) or
  (
    o365.audit.ApplicationId:"4765445b-32c6-49b0-83e6-1d93765276ca" and
    o365.audit.ObjectId:"4765445b-32c6-49b0-83e6-1d93765276ca"
  )
) and user_agent.original:(node or axios* or undici)
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "o365.audit.UserId",
    "user_agent.original",
    "source.ip",
    "o365.audit.ActorIpAddress",
    "source.geo.country_name",
    "event.outcome",
    "o365.audit.ApplicationId",
    "o365.audit.ObjectId",
    "o365.audit.ExtendedProperties.RequestType",
    "event.provider",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
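To make the rule's predicate testable offline, here is an added example (not part of the Elastic rule or its repository) that re-implements the KQL query above in Python and runs it over a few constructed o365.audit events. The application and object GUIDs and field names come from the rule; the events, user IDs and the token-based approximation of `user_agent.original:(node or axios* or undici)` are assumptions for illustration.

```python
import re

# GUIDs exactly as they appear in the rule's query.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
EXCHANGE_ONLINE_OBJECT_ID = "00000002-0000-0ff1-ce00-000000000000"
MS_GRAPH_OBJECT_ID = "00000003-0000-0000-c000-000000000000"
OFFICE_WEB_APP_ID = "4765445b-32c6-49b0-83e6-1d93765276ca"

_TOKEN_RE = re.compile(r"[a-z0-9]+")


def suspicious_user_agent(ua):
    """Approximates KQL `user_agent.original:(node or axios* or undici)` on an
    analyzed text field: a whole token equal to node/undici, or one that
    starts with axios (the trailing wildcard). Assumption: token-based match."""
    for tok in _TOKEN_RE.findall((ua or "").lower()):
        if tok in ("node", "undici") or tok.startswith("axios"):
            return True
    return False


def matches_app_pairing(app_id, object_id):
    """The two ApplicationId/ObjectId pairings the rule looks for."""
    if app_id == AUTH_BROKER_APP_ID:
        return object_id in (EXCHANGE_ONLINE_OBJECT_ID, MS_GRAPH_OBJECT_ID)
    return app_id == OFFICE_WEB_APP_ID and object_id == OFFICE_WEB_APP_ID


def is_tycoon_aitm_candidate(event):
    """Full rule predicate over one flattened (dotted-key) ECS/o365 event."""
    if event.get("data_stream.dataset") != "o365.audit":
        return False
    if event.get("event.category") != "authentication":
        return False
    if event.get("event.action") != "UserLoggedIn":
        return False
    return matches_app_pairing(event.get("o365.audit.ApplicationId"),
                               event.get("o365.audit.ObjectId")) \
        and suspicious_user_agent(event.get("user_agent.original"))


def alerting_user_ids(events):
    """Return the UserId of every event the rule would alert on, in order."""
    return [e["o365.audit.UserId"] for e in events if is_tycoon_aitm_candidate(e)]


# Constructed sample events (not real telemetry).
_BASE = {"data_stream.dataset": "o365.audit", "event.category": "authentication",
         "event.action": "UserLoggedIn"}
SAMPLE_EVENTS = [
    {**_BASE, "o365.audit.UserId": "alice@example.com", "o365.audit.ApplicationId": AUTH_BROKER_APP_ID,
     "o365.audit.ObjectId": MS_GRAPH_OBJECT_ID, "user_agent.original": "axios/1.6.8"},
    {**_BASE, "o365.audit.UserId": "bob@example.com", "o365.audit.ApplicationId": OFFICE_WEB_APP_ID,
     "o365.audit.ObjectId": OFFICE_WEB_APP_ID, "user_agent.original": "undici"},
    {**_BASE, "o365.audit.UserId": "carol@example.com", "o365.audit.ApplicationId": AUTH_BROKER_APP_ID,
     "o365.audit.ObjectId": EXCHANGE_ONLINE_OBJECT_ID,
     "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {**_BASE, "o365.audit.UserId": "dave@example.com", "o365.audit.ApplicationId": OFFICE_WEB_APP_ID,
     "o365.audit.ObjectId": MS_GRAPH_OBJECT_ID, "user_agent.original": "node"},
    {**_BASE, "event.action": "UserLoginFailed", "o365.audit.UserId": "erin@example.com",
     "o365.audit.ApplicationId": AUTH_BROKER_APP_ID, "o365.audit.ObjectId": MS_GRAPH_OBJECT_ID,
     "user_agent.original": "axios/0.21.1"},
]
```

Only alice (broker to Graph with an axios agent) and bob (Office web app to itself with undici) fire; carol has a browser agent, dave's app/object pairing is not one the rule lists, and erin's event is not a UserLoggedIn action. If `user_agent.original` is mapped as keyword rather than text in your index, `node` and `undici` become exact whole-value matches and the token approximation here is looser than the deployed rule.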
Related rules
- Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)
- M365 Identity Login from Atypical Region
- M365 Identity Login from Impossible Travel Location
- M365 Identity User Account Lockouts
- M365 Identity User Brute Force Attempted