M365 Identity OAuth Flow by User Sign-in to Device Registration

Last updated 23 days ago on 2025-12-10

Created 8 months ago on 2025-04-30

About

Identifies attempts to register a new device in Microsoft Entra ID after OAuth authentication with authorization code grant. Adversaries may use OAuth phishing techniques to obtain an OAuth authorization code, which can then be exchanged for access and refresh tokens. This rule detects a sequence of events where a user principal authenticates via OAuth, followed by a device registration event, indicating potential misuse of the OAuth flow to establish persistence or access resources.

Tags

Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsUse Case: Identity and Access AuditTactic: Credential AccessLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Steal Application Access Token (T1528)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

↳ Account Manipulation (T1098)(external, opens in a new tab or window)

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Phishing (T1566)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-o365.audit-*
Related Integrations: o365(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗sequence by related.user with maxspan=30m
[authentication where event.action == "UserLoggedIn" and
 o365.audit.ExtendedProperties.RequestType == "OAuth2:Authorize" and o365.audit.ExtendedProperties.ResultStatusDetail == "Redirect" and
 o365.audit.UserType: ("0", "2", "3", "10")] // victim source.ip
[authentication where event.action == "UserLoggedIn" and
 o365.audit.ExtendedProperties.RequestType == "OAuth2:Token" and o365.audit.ExtendedProperties.ResultStatusDetail == "Success"] // attacker source.ip to convert oauth code to token
[web where event.dataset == "o365.audit" and event.action == "Add registered users to device."] // user.name is captured in related.user

Install detection rules in Elastic Security

Detect M365 Identity OAuth Flow by User Sign-in to Device Registration in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).