M365 Identity Device Code Grant with Unusual User and ASN

Last updated 19 days ago on 2026-06-01
Created 19 days ago on 2026-06-01

About

Identifies a Microsoft 365 OAuth device code grant (request type "Cmsi:Cmsi") issued through the Microsoft Authentication Broker application ("29d9ed98-a469-4536-ade2-f981bc1d605e") for Microsoft Graph, from a source ASN not previously observed for that user within the historical window. Device code phishing kits complete the full login (password and MFA) at the genuine Microsoft endpoint and harvest the resulting token by polling, so MFA does not stop them, and the authorization commonly originates from attacker-controlled residential proxy or hosting infrastructure rather than the user's normal network.
Tags
Domain: Cloud, Domain: SaaS, Domain: Identity, Data Source: Microsoft 365, Data Source: Microsoft 365 Audit Logs, Use Case: Identity and Access Audit, Use Case: Threat Detection, Tactic: Initial Access, Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

Defense Evasion (TA0005)

False Positive Examples
A user authenticating via the device code flow for the first time from a new but legitimate network, such as travel, a new home or office ISP, a corporate VPN, or a mobile carrier. Device code authentication is expected when enrolling or signing in on input-constrained devices (smart TVs, kiosks, IoT, conference room devices) and for some CLI or headless developer workflows. Review the source ASN, geolocation, and the user's prior device code history to confirm whether the origin is plausible before escalating.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-o365.audit-*
Related Integrations

o365

Query
event.dataset: "o365.audit"
  and o365.audit.ExtendedProperties.RequestType: "Cmsi:Cmsi"
  and o365.audit.Actor.Type: (0 or 2 or 3 or 5 or 10)
  and o365.audit.ApplicationId: "29d9ed98-a469-4536-ade2-f981bc1d605e"
  and o365.audit.Target.ID: "00000003-0000-0000-c000-000000000000"
  and o365.audit.DeviceProperties.Value: "False"
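The same filter plus the per-user "new ASN" logic, re-implemented in Python over constructed sample events as an added example (not Elastic's rule code): field names are flattened ECS-style, `source.as.number` is assumed as the ASN field, and the history window is a simplified stand-in for the New Terms rule's lookback.

```python
from datetime import datetime, timedelta
# Constants quoted from the rule's query (app and target IDs are from the page).
DEVICE_CODE_REQUEST = "Cmsi:Cmsi"
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # Microsoft Authentication Broker
MS_GRAPH_TARGET_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
ACTOR_TYPES = {0, 2, 3, 5, 10}

def matches_rule(ev):
    """Mirror the rule's KQL filter on a flattened o365.audit event."""
    return (ev.get("event.dataset") == "o365.audit"
            and ev.get("o365.audit.ExtendedProperties.RequestType") == DEVICE_CODE_REQUEST
            and ev.get("o365.audit.Actor.Type") in ACTOR_TYPES
            and ev.get("o365.audit.ApplicationId") == AUTH_BROKER_APP_ID
            and ev.get("o365.audit.Target.ID") == MS_GRAPH_TARGET_ID
            and ev.get("o365.audit.DeviceProperties.Value") == "False")

def new_term_alerts(events, history_days=30):
    """Approximate the New Terms rule: alert on a (user, source ASN) pair that
    passes the filter and was not seen for that user within history_days."""
    seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(ev):
            continue
        key = (ev["o365.audit.UserId"], ev["source.as.number"])  # ASN field is assumed
        last = seen.get(key)
        if last is None or ev["@timestamp"] - last > timedelta(days=history_days):
            alerts.append(key)
        seen[key] = ev["@timestamp"]
    return alerts

def event(ts, user, asn, **overrides):
    """Constructed sample event (flattened fields; ASNs 64496-64511 are the documentation range)."""
    base = {"@timestamp": datetime.fromisoformat(ts), "event.dataset": "o365.audit",
            "o365.audit.ExtendedProperties.RequestType": DEVICE_CODE_REQUEST,
            "o365.audit.Actor.Type": 0, "o365.audit.ApplicationId": AUTH_BROKER_APP_ID,
            "o365.audit.Target.ID": MS_GRAPH_TARGET_ID,
            "o365.audit.DeviceProperties.Value": "False",
            "o365.audit.UserId": user, "source.as.number": asn}
    base.update(overrides)
    return base

SAMPLE_EVENTS = [
    event("2026-05-01T09:00:00", "alice@example.com", 64496),  # first sighting of the pair
    event("2026-05-20T09:00:00", "alice@example.com", 64496),  # same ASN, inside window: no alert
    event("2026-05-21T03:12:00", "alice@example.com", 64500),  # new ASN for alice: alert
    event("2026-05-21T03:13:00", "bob@example.com", 64500,
          **{"o365.audit.ExtendedProperties.RequestType": "OAuth2:Token"}),  # not a device code grant
    event("2026-05-21T03:14:00", "bob@example.com", 64500,
          **{"o365.audit.DeviceProperties.Value": "True"}),  # excluded by the DeviceProperties clause
]
```

Running `new_term_alerts(SAMPLE_EVENTS)` yields alice's first-ever pair and her later grant from the unfamiliar ASN, while bob's two events never reach the new-terms stage because the filter drops them.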

Install detection rules in Elastic Security

Detect M365 Identity Device Code Grant with Unusual User and ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.