Rare legitimate interactive device code flows that use the Microsoft Authentication Broker against Exchange, Graph, or Yammer may match, for example during troubleshooting or specialized kiosk setups. Document approved scenarios and exclude known principals or networks.

Techniques

Sample rules

Entra ID OAuth Device Code Phishing via AiTM

Description

Detects successful Microsoft Entra ID sign-ins that use the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources (Exchange Online, Microsoft Graph, or SharePoint) while flagged as interactive. This pattern is associated with adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA, where victims complete device code flows that ultimately broker tokens for mail and collaboration APIs.

Detection logic

data_stream.dataset:"azure.signinlogs" and event.category:"authentication" and event.action:"Sign-in activity" and
event.outcome:success and azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
azure.signinlogs.properties.authentication_protocol:deviceCode and
azure.signinlogs.properties.resource_id:(
    "00000002-0000-0ff1-ce00-000000000000" or
    "00000003-0000-0ff1-ce00-000000000000" or
    "00000005-0000-0ff1-ce00-000000000000"
) and azure.signinlogs.properties.is_interactive:true
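Added example, not part of the rule or of any Elastic integration code: the KQL above expressed as a Python predicate and run over constructed sign-in documents, with the false-positive guidance applied as an allowlist of approved principals and source networks. Field names follow the flattened ECS keys in the query; the use of `user_principal_name` and `source.ip` as the principal and network fields, the sample documents, and the kiosk network are assumptions.

```python
import ipaddress

# Values from the rule: Authentication Broker client id and the three first-party resource ids.
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
OFFICE_RESOURCE_IDS = {"00000002-0000-0ff1-ce00-000000000000",
                       "00000003-0000-0ff1-ce00-000000000000",
                       "00000005-0000-0ff1-ce00-000000000000"}
P = "azure.signinlogs.properties."  # prefix of the flattened ECS field names

def make_doc(**overrides):
    """Constructed, flattened sign-in document (sample data, not a real log)."""
    doc = {"data_stream.dataset": "azure.signinlogs", "event.category": ["authentication"],
           "event.action": "Sign-in activity", "event.outcome": "success",
           P + "app_id": BROKER_APP_ID, P + "authentication_protocol": "deviceCode",
           P + "resource_id": "00000002-0000-0ff1-ce00-000000000000", P + "is_interactive": True,
           P + "user_principal_name": "alice@example.test", "source.ip": "203.0.113.7"}
    doc.update(overrides)
    return doc

SAMPLE_DOCS = [
    make_doc(),                                  # broker device code to Exchange, interactive: alert
    make_doc(**{"source.ip": "192.0.2.15"}),     # same pattern from the documented kiosk network
    make_doc(**{"event.outcome": "failure"}),    # failed attempt: the rule needs a successful sign-in
    make_doc(**{P + "is_interactive": False}),   # non-interactive broker use: outside the rule
    make_doc(**{P + "app_id": "00000000-0000-0000-0000-000000000000"}),  # placeholder non-broker client
]

def matches_rule(doc):
    """Python equivalent of the rule's KQL predicate for one flattened document."""
    cat = doc.get("event.category", [])
    return (doc.get("data_stream.dataset") == "azure.signinlogs"
            and "authentication" in (cat if isinstance(cat, list) else [cat])
            and doc.get("event.action") == "Sign-in activity"
            and doc.get("event.outcome") == "success"
            and doc.get(P + "app_id") == BROKER_APP_ID
            and doc.get(P + "authentication_protocol") == "deviceCode"
            and doc.get(P + "resource_id") in OFFICE_RESOURCE_IDS
            and doc.get(P + "is_interactive") is True)

def is_approved(doc, approved_users, approved_networks):
    """False-positive handling: drop hits from documented principals or source networks."""
    ip = doc.get("source.ip")
    return ((doc.get(P + "user_principal_name") or "").lower() in approved_users
            or bool(ip) and any(ipaddress.ip_address(ip) in n for n in approved_networks))

def triage(docs, approved_users=(), approved_networks=()):
    """Return rule matches that are not on the allowlist (user principal names or CIDR networks)."""
    users = {u.lower() for u in approved_users}
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    return [d for d in docs if matches_rule(d) and not is_approved(d, users, nets)]
```

Calling `triage(SAMPLE_DOCS, approved_networks=["192.0.2.0/24"])` leaves only the first document as an alert; the kiosk hit is suppressed while failed, non-interactive and non-broker sign-ins never match in the first place.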