Elastic Security Detection Rules

M365 Identity OAuth Flow by Visual Studio Code Client to Microsoft Graph

Last updated 22 days ago on 2025-12-10
Created 8 months ago on 2025-04-23

About

Detects potentially suspicious OAuth authorization activity in Microsoft 365 where the Visual Studio Code first-party application (client_id = aebc6443-996d-45c2-90f0-388ff96faa56) is used to request access to Microsoft Graph resources. While this client ID is legitimately used by Visual Studio Code, threat actors have been observed abusing it in phishing campaigns to make OAuth requests appear trustworthy. These attacks rely on redirect URIs such as VSCode Insiders redirect location, prompting victims to return an OAuth authorization code that can be exchanged for access tokens. This rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or credential phishing activity.
Tags
Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsUse Case: Identity and Access AuditTactic: Initial AccessLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CKβ„’

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

↳ Phishing (T1566)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-o365.audit-*
Related Integrations

o365(external, opens in a new tab or window)

Query
text code block:
event.dataset: "o365.audit"
    and event.action: "UserLoggedIn"
    and o365.audit.ApplicationId: "aebc6443-996d-45c2-90f0-388ff96faa56"
    and o365.audit.Target.ID: "00000003-0000-0000-c000-000000000000"
    and o365.audit.ExtendedProperties.RequestType: "OAuth2:Authorize"
    and o365.audit.ExtendedProperties.ResultStatusDetail: "Redirect"
    and o365.audit.UserType: ("0" or "2" or "3" or "5" or "6" or "10")

Install detection rules in Elastic Security

Detect M365 Identity OAuth Flow by Visual Studio Code Client to Microsoft Graph in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).