Entra ID OAuth Device Code Phishing via AiTM

Last updated 2026-05-15
Created 2026-05-15

About

Detects successful Microsoft Entra ID sign-ins that use the OAuth 2.0 device authorization grant (device code flow) with the Microsoft Authentication Broker client (app ID 29d9ed98-a469-4536-ade2-f981bc1d605e) requesting first-party Office 365 resources while the sign-in is flagged as interactive. The three resource IDs in the query are Office 365 Exchange Online (00000002-0000-0ff1-ce00-000000000000), Office 365 SharePoint Online (00000003-0000-0ff1-ce00-000000000000) and Office 365 Yammer (00000005-0000-0ff1-ce00-000000000000); Microsoft Graph is not among them. This pattern is associated with adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA, where a victim is lured into completing a device code flow and the tokens that result give the attacker access to mail and collaboration APIs as that user.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-in Logs
Use Case: Threat Detection
Threat: Tycoon2FA
Tactic: Initial Access
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

Defense Evasion (TA0005)

False Positive Examples
Rare legitimate interactive device code flows that use the Microsoft Authentication Broker against Exchange Online, SharePoint Online, or Yammer may match, for example during troubleshooting or specialized kiosk setups. Document approved scenarios and exclude the known user principals or source networks involved.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.signinlogs-*
Related Integrations

azure

Query
data_stream.dataset:"azure.signinlogs" and
  event.category:"authentication" and
  event.action:"Sign-in activity" and
  event.outcome:success and
  azure.signinlogs.properties.app_id:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
  azure.signinlogs.properties.authentication_protocol:deviceCode and
  azure.signinlogs.properties.resource_id:(
    "00000002-0000-0ff1-ce00-000000000000" or
    "00000003-0000-0ff1-ce00-000000000000" or
    "00000005-0000-0ff1-ce00-000000000000"
  ) and
  azure.signinlogs.properties.is_interactive:true
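
The following is an added worked example, not part of the Elastic rule or its documentation. It ports the KQL predicate above to Python and runs it over a handful of constructed azure.signinlogs documents (not real telemetry) so the clauses can be exercised one at a time: a device code sign-in brokered to Exchange Online or SharePoint Online fires, while a Microsoft Graph resource, a failed sign-in, a non-interactive refresh and a non-device-code login do not. It also shows the tuning the false positive notes call for, excluding approved principals and source networks. The field names used for that exclusion, azure.signinlogs.properties.user_principal_name and source.ip, are an assumption about how the Elastic Azure integration maps the sign-in log; check them against your own index before reusing the exception logic.

```python
import ipaddress

# Identifiers taken from the published query.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # Microsoft Authentication Broker
TARGET_RESOURCE_IDS = {
    "00000002-0000-0ff1-ce00-000000000000",  # Office 365 Exchange Online
    "00000003-0000-0ff1-ce00-000000000000",  # Office 365 SharePoint Online
    "00000005-0000-0ff1-ce00-000000000000",  # Office 365 Yammer
}
PROPS = "azure.signinlogs.properties."


def get_path(event, dotted):
    """Walk a dotted ECS field path through nested dicts; None if any part is absent."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def has_value(event, dotted, value):
    """KQL `field:value` semantics: equal for a scalar, contained for an array field."""
    found = get_path(event, dotted)
    if isinstance(found, list):
        return value in found
    return found == value


def matches_rule(event):
    """Every clause of the KQL query ANDed together."""
    return (
        has_value(event, "data_stream.dataset", "azure.signinlogs")
        and has_value(event, "event.category", "authentication")
        and has_value(event, "event.action", "Sign-in activity")
        and has_value(event, "event.outcome", "success")
        and has_value(event, PROPS + "app_id", AUTH_BROKER_APP_ID)
        and has_value(event, PROPS + "authentication_protocol", "deviceCode")
        and get_path(event, PROPS + "resource_id") in TARGET_RESOURCE_IDS
        and get_path(event, PROPS + "is_interactive") is True
    )


def is_approved(event, approved_users=(), approved_networks=()):
    """Exception hook for documented scenarios (kiosks, troubleshooting).
    Field names below are assumed, not taken from the rule page."""
    upn = (get_path(event, PROPS + "user_principal_name") or "").lower()
    if upn in {u.lower() for u in approved_users}:
        return True
    ip = get_path(event, "source.ip")
    if ip:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in approved_networks)
    return False


def evaluate(events, approved_users=(), approved_networks=()):
    """Return the ids of events that would alert after the exceptions are applied."""
    return [
        e["id"] for e in events
        if matches_rule(e) and not is_approved(e, approved_users, approved_networks)
    ]


def signin(event_id, *, resource_id, outcome="success", interactive=True,
           app_id=AUTH_BROKER_APP_ID, protocol="deviceCode",
           upn="victim@example.com", ip="203.0.113.10"):
    """Build a minimal constructed azure.signinlogs document (sample data, not real telemetry)."""
    return {
        "id": event_id,
        "data_stream": {"dataset": "azure.signinlogs"},
        "event": {"category": ["authentication"], "action": "Sign-in activity", "outcome": outcome},
        "source": {"ip": ip},
        "azure": {"signinlogs": {"properties": {
            "app_id": app_id,
            "authentication_protocol": protocol,
            "resource_id": resource_id,
            "is_interactive": interactive,
            "user_principal_name": upn,
        }}},
    }


# Constructed sample events covering the rule's clauses and its documented exceptions.
SAMPLE_EVENTS = [
    # Device code flow brokered to Exchange Online: the AiTM pattern the rule targets.
    signin("aitm-exchange", resource_id="00000002-0000-0ff1-ce00-000000000000"),
    # Same flow to SharePoint Online: also in scope.
    signin("aitm-sharepoint", resource_id="00000003-0000-0ff1-ce00-000000000000"),
    # Microsoft Graph's resource id is not in the rule's list, so this does not fire.
    signin("graph-not-listed", resource_id="00000003-0000-0000-c000-000000000000"),
    # Failed sign-in: the rule only fires on success.
    signin("failed", resource_id="00000002-0000-0ff1-ce00-000000000000", outcome="failure"),
    # Non-interactive token refresh by the broker: out of scope.
    signin("non-interactive", resource_id="00000002-0000-0ff1-ce00-000000000000", interactive=False),
    # Ordinary browser sign-in (no device code) to Exchange: out of scope.
    signin("browser-auth", resource_id="00000002-0000-0ff1-ce00-000000000000", protocol="none"),
    # Documented kiosk on an approved network: matches the rule but is excepted by tuning.
    signin("kiosk", resource_id="00000005-0000-0ff1-ce00-000000000000",
           upn="kiosk-01@example.com", ip="10.20.30.40"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, approved_users=["kiosk-01@example.com"],
                   approved_networks=["10.20.30.0/24"]))
```

Running the module prints only the two AiTM-style events; without the exception lists the kiosk sign-in alerts as well, which is exactly the case the false positive notes ask you to document and exclude. Note that the Python predicate, like the KQL, is a strict conjunction: a single clause that does not hold (Graph instead of an Office 365 resource, or is_interactive false) suppresses the alert entirely, so tuning should remove clauses only with that in mind.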

Install detection rules in Elastic Security

Detect Entra ID OAuth Device Code Phishing via AiTM in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.