Entra ID AiTM Phishing-Kit Chain Detected

Last updated 10 days ago on 2026-06-29
Created 10 days ago on 2026-06-29

About

Identifies a Microsoft Entra ID identity-compromise chain in which a single user, within a 10-minute window, authenticates to the Device Registration Service through the Microsoft Authentication Broker (MAB) client, registers a device, and then uses the resulting Primary Refresh Token (PRT) to access a resource other than the Device Registration Service. This sequence is the core post-adversary-in-the-middle (AiTM) persistence pattern used by phishing kits such as Tycoon2FA and Kali365: after capturing a victim session, the kit registers an Azure AD-joined device to obtain a device-bound PRT, which survives user-level session revocation and password resets and grants trusted, MFA-free access. Correlating the broker sign-in, the device-registration audit event, and the follow-on PRT sign-in for the same user within a short window is a high-fidelity indicator of active account takeover.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-In LogsData Source: Microsoft Entra ID Audit LogsUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: PersistenceTactic: Credential AccessLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

Credential Access (TA0006)(external, opens in a new tab or window)

False Positive Examples
Legitimate device onboarding (for example a user enrolling a new corporate device through Azure AD join) can produce a broker authentication to the Device Registration Service followed by PRT issuance. Validate that the device, source IP/ASN, and user agent are expected, and that the device is managed/compliant. Authorized red team or penetration testing engagements that register devices and exercise PRTs will match this sequence. Document the engagement and add scoped exceptions for the involved principals or source addresses.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*logs-azure.auditlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
sequence with maxspan=3m [authentication where data_stream.dataset == "azure.signinlogs" and azure.signinlogs.category == "NonInteractiveUserSignInLogs" and azure.signinlogs.properties.app_id == "29d9ed98-a469-4536-ade2-f981bc1d605e" and azure.signinlogs.properties.resource_display_name == "Device Registration Service" and azure.signinlogs.properties.incoming_token_type == "refreshToken" and azure.signinlogs.properties.token_protection_status_details.sign_in_session_status == "unbound" and azure.signinlogs.properties.user_type == "Member" and azure.signinlogs.result_signature == "SUCCESS" ] by azure.signinlogs.properties.user_id [any where data_stream.dataset == "azure.auditlogs" and azure.auditlogs.operation_name == "Register device" and azure.auditlogs.properties.initiated_by.user.id != null and azure.auditlogs.properties.target_resources.`0`.display_name like "DESKTOP-*" and event.outcome == "success" ] by azure.auditlogs.properties.initiated_by.user.id [authentication where data_stream.dataset == "azure.signinlogs" and azure.signinlogs.properties.incoming_token_type == "primaryRefreshToken" and azure.signinlogs.properties.original_transfer_method == "deviceCodeFlow" and azure.signinlogs.properties.is_interactive == true and azure.signinlogs.properties.resource_display_name != "Device Registration Service" and azure.signinlogs.properties.device_detail.is_managed != true and azure.signinlogs.result_signature == "SUCCESS" ] by azure.signinlogs.properties.user_id

Install detection rules in Elastic Security

Detect Entra ID AiTM Phishing-Kit Chain Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).