LoFP / In most organizations, device code authentication is used to access common Microsoft services, but it may also be legitimate for other applications. Filter as needed.

Techniques

Sample rules

Azure AD Device Code Authentication

Description

The following analytic identifies Azure Device Code Phishing, an attack that can lead to Azure account takeover (ATO). The detection leverages Azure AD sign-in logs, specifically authentication requests that completed through the OAuth 2.0 device authorization flow. The technique involves standing up attacker-controlled infrastructure and bypasses Multi-Factor Authentication (MFA) and Conditional Access Policies (CAPs): the victim, not the attacker, performs the interactive sign-in (including any MFA prompt) on their own device, while the resulting tokens are returned to the attacker's client that requested the device code. The attacker sends phishing emails from attacker-controlled domains that trick victims into entering the attacker-generated code and approving the device authentication. Successful execution gives the adversary unauthorized access to Azure AD, Exchange mailboxes, and the target's Outlook Web Application (OWA). This attack technique was detailed by security researchers including Bobby Cooke, Stephan Borosh, and others. Organizations should be aware of this threat, as it can lead to unauthorized access and potential data breaches.

Detection logic

`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime by user, src_ip, appDisplayName, userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_device_code_authentication_filter`
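To show what the search above actually does to a stream of sign-in records, here is an added example that replays its steps in Python over constructed SignInLogs records. It is not Splunk's code or part of the original rule. Assumptions: the sample JSON records are constructed, `user` and `src_ip` are taken from `properties.userPrincipalName` and `properties.ipAddress` (the aliases the Splunk add-on supplies), and a hypothetical `ALLOWED_APPS` allowlist stands in for the site-specific `azure_ad_device_code_authentication_filter` macro.

```python
import json
from datetime import datetime

# Constructed sample Azure AD SignInLogs records (not real telemetry), in the
# JSON shape the rule's azure_monitor_aad source carries. userPrincipalName and
# ipAddress are assumed to be what the add-on aliases to user and src_ip.
SAMPLE_SIGNIN_LOGS = [
    '{"time":"2024-05-01T08:00:00Z","category":"SignInLogs","properties":{'
    '"authenticationProtocol":"deviceCode","userPrincipalName":"alice@example.com",'
    '"ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office",'
    '"userAgent":"Mozilla/5.0 (Windows NT 10.0)"}}',
    '{"time":"2024-05-01T08:05:00Z","category":"SignInLogs","properties":{'
    '"authenticationProtocol":"deviceCode","userPrincipalName":"alice@example.com",'
    '"ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office",'
    '"userAgent":"Mozilla/5.0 (Windows NT 10.0)"}}',
    # Ordinary interactive sign-in: not device code, must not match.
    '{"time":"2024-05-01T08:10:00Z","category":"SignInLogs","properties":{'
    '"authenticationProtocol":"none","userPrincipalName":"bob@example.com",'
    '"ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office",'
    '"userAgent":"Mozilla/5.0 (Windows NT 10.0)"}}',
    # Device code use by a tool the (hypothetical) filter allowlists.
    '{"time":"2024-05-01T08:12:00Z","category":"SignInLogs","properties":{'
    '"authenticationProtocol":"deviceCode","userPrincipalName":"carol@example.com",'
    '"ipAddress":"198.51.100.9","appDisplayName":"Microsoft Azure CLI",'
    '"userAgent":"azure-cli/2.58.0"}}',
    # Wrong category: the search only reads SignInLogs.
    '{"time":"2024-05-01T08:15:00Z","category":"AuditLogs","properties":{'
    '"authenticationProtocol":"deviceCode","userPrincipalName":"dave@example.com",'
    '"ipAddress":"203.0.113.44","appDisplayName":"Microsoft Office",'
    '"userAgent":"Mozilla/5.0 (Windows NT 10.0)"}}',
]

# Hypothetical stand-in for the azure_ad_device_code_authentication_filter
# macro: app display names whose device-code sign-ins are expected locally.
ALLOWED_APPS = {"Microsoft Azure CLI"}

# Readable timestamp format, standing in for security_content_ctime.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def _parse_time(value):
    """ISO 8601 with trailing Z -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(lines):
    """Parse JSON records and flatten properties.* to the top level
    (the `rename properties.* as *` step), adding the user/src_ip aliases."""
    events = []
    for line in lines:
        rec = json.loads(line)
        flat = {k: v for k, v in rec.items() if k != "properties"}
        flat.update(rec.get("properties", {}))
        flat["user"] = flat.get("userPrincipalName")
        flat["src_ip"] = flat.get("ipAddress")
        events.append(flat)
    return events


def device_code_signins(events):
    """category=SignInLogs "properties.authenticationProtocol"=deviceCode."""
    return [e for e in events
            if e.get("category") == "SignInLogs"
            and e.get("authenticationProtocol") == "deviceCode"]


def aggregate(events):
    """stats count min(_time) as firstTime max(_time) as lastTime
    by user, src_ip, appDisplayName, userAgent."""
    rows = {}
    for e in events:
        key = (e["user"], e["src_ip"], e.get("appDisplayName"), e.get("userAgent"))
        t = _parse_time(e["time"])
        row = rows.get(key)
        if row is None:
            row = rows[key] = {"user": key[0], "src_ip": key[1],
                               "appDisplayName": key[2], "userAgent": key[3],
                               "count": 0, "firstTime": t, "lastTime": t}
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
    for row in rows.values():
        row["firstTime"] = row["firstTime"].strftime(TIME_FORMAT)
        row["lastTime"] = row["lastTime"].strftime(TIME_FORMAT)
    return list(rows.values())


def apply_filter(rows, allowed_apps):
    """The tuning macro: drop rows for apps known to use device code legitimately."""
    return [r for r in rows if r["appDisplayName"] not in allowed_apps]


def run_detection(lines, allowed_apps=ALLOWED_APPS):
    """Full pipeline: parse -> filter device code -> stats -> tuning filter."""
    return apply_filter(aggregate(device_code_signins(parse_events(lines))),
                        allowed_apps)


if __name__ == "__main__":
    for row in run_detection(SAMPLE_SIGNIN_LOGS):
        print(json.dumps(row))
```

Only alice's two Microsoft Office device-code sign-ins survive: bob's sign-in is not device code, dave's record is in the wrong category, and carol's Azure CLI use is removed by the allowlist, which is the knob the false-positive note above is asking you to tune rather than the `authenticationProtocol` match itself.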