Post-AiTM Graph API Reconnaissance Burst

4+ distinct Graph API endpoint categories (role/cross-tenant/mailbox/contact/org) from single UPN within 60 seconds, empty c_DeviceId, from residential ASN 10-20 minutes after AiTM relay session theft

Discovery T1087.004 T1069.003 T1526 Detection difficulty: MEDIUM Prevalence: MEDIUM

Within 10-20 minutes of successful AiTM session token theft, Tycoon 2FA's operator console tier executes an automated burst of 20-30+ Microsoft Graph API calls across five distinct reconnaissance categories (role discovery, cross-tenant recon, mailbox recon, contact harvesting, org and licensing) within 30-60 seconds. Normal Microsoft 365 portal navigation by a human user touches 1-2 endpoint categories in a session; 4+ distinct categories within 60 seconds is mechanically impossible at human speed and indicates automated tooling. The operator automation uses first-party apps with pre-consented broad scopes, an empty c_DeviceId (unmanaged device), and disproportionate /beta/ API usage. A common analyst mistake is filtering on c_sid (Graph Activity Log client session ID) as if it were the user object ID - c_sid is a session/security-context identifier and does NOT equal the user object ID; filtering c_sid == user_object_id returns empty results.

Attack Chokepoints 1 invariant stage

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1 Multi-Category Graph API Burst
  • Kit has successfully obtained session tokens (Tier 1 relay) or device-code-grant tokens
  • Graph Activity Logs must be enabled and ingested (not enabled by default in all tenants)
  • Operator automation must have access tokens with broad pre-consented scopes (RoleManagement.ReadWrite.Directory, MailboxSettings.ReadWrite, etc.)
Input Operator console tier has received stolen session tokens from kit relay; begins automated reconnaissance within 10-20 minutes of Tier 1 completion
Chokepoint The attacker MUST enumerate multiple distinct Graph API endpoint categories to triage the compromised identity's value (roles, cross-tenant trust, mailbox configuration, contacts, licensing). The automation cannot perform all reconnaissance from a single endpoint - each category requires distinct API calls. Covering 4+ categories within 60 seconds is not achievable by human portal navigation (normal = 1-2 categories per session).
Observable Microsoft Graph Activity Logs (MicrosoftGraphActivityLogs in Sentinel): Single UPN makes requests to endpoints spanning 4+ of these categories within a 60-second window: - Role Discovery: transitiveRoleAssignments, memberOf/directoryRole, roleManagement/directory/roleAssignments - Cross-Tenant: tenantRelationships/getResourceTenants (POST) - Mailbox Recon: me/mailboxSettings - Contact Harvest: me/contactFolders/contacts ($top=1000) - Org & Licensing: subscribedSkus, organization, appRoleAssignedResources Additional signals: empty c_DeviceId, $top=999/$count=true parameters, /beta/ API usage, mixed GET/POST methods, mixed 200/400/403 response codes.
Why unavoidable
The operator automation requires breadth to triage the compromised identity's value - checking roles, cross-tenant trusts, mailbox forwarding rules, contact lists, and licensing in one pass. These data are spread across 5 distinct Graph API endpoint categories. Slowing the requests to human-navigation speed (>60s between categories) would add 10+ minutes to the recon phase, increasing detection window and reducing the automation's value. The category diversity is the invariant - the attacker cannot collapse it into a single endpoint.
  • Microsoft Graph Activity Logs (MicrosoftGraphActivityLogs Sentinel table)
  • Entra ID Sign-in Logs (for ASN correlation with Tier 2 residential proxy)
Bypass risk: Graph Activity Logs may not be enabled in all tenants - check ingestion before relying on this detection. c_sid is NOT the user object ID; pivot on source IP + appId cross-referenced with sign-in logs to identify UPN.
View rule →

Variations 1 variant tracked

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

Tycoon 2FA Operator Console - 5-Category Recon Automation 2023-Q3 Active
Operator console tier (Tier 2) executes 20-30+ Graph API calls within 30-60 seconds. Accesses all 5 recon categories. Uses residential-proxy ASN, single fixed browser UA (Firefox on Windows). Appears 10-20 minutes after Tier 1 kit relay success. First-party apps with broad pre-consented scopes: RoleManagement.ReadWrite.Directory, MailboxSettings.ReadWrite, UserAuthenticationMethod.ReadWrite, User.RevokeSessions.All. Empty c_DeviceId (unmanaged, unregistered device from Tier 2 residential proxy). Common mistake: filtering c_sid == user_object_id returns empty results; pivot on source IP + appId against sign-in logs instead.
20-30+ calls within 30-60 seconds. Structured query params ($top=999, $count=true). /beta/ API disproportionate. Mixed 200/400/403 responses (400/403 still indicate recon attempts). Empty c_DeviceId. Residential ASN (Tier 2) appears ~10-20 min after Tier 1 cloud-VPS sign-in.
# Role Discovery
GET https://graph.microsoft.com/beta/me/transitiveRoleAssignments?$select=roleDefinitionId
GET https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=principalId eq '<id>'

# Cross-Tenant Recon
POST https://graph.microsoft.com/beta/tenantRelationships/getResourceTenants

# Mailbox Recon
GET https://graph.microsoft.com/v1.0/me/mailboxSettings

# Contact Harvesting
GET https://graph.microsoft.com/v1.0/me/contactFolders/contacts?$top=1000

# Org & Licensing
GET https://graph.microsoft.com/v1.0/subscribedSkus
GET https://graph.microsoft.com/v1.0/organization
GET https://graph.microsoft.com/beta/me/appRoleAssignedResources?$top=999&$count=true
  • Graph Activity Logs: 4+ endpoint categories from single UPN within 60s
  • Graph Activity Logs: $top=999 / $count=true structured query parameters
  • Graph Activity Logs: empty c_DeviceId on all requests
  • Graph Activity Logs: /beta/ API disproportionate to /v1.0/
  • Entra ID Sign-in Logs: residential ASN sign-in 10-20 min after cloud-VPS sign-in same UPN
Same chokepoint: Tier 1 relay steals session → Tier 2 operator console (residential ASN) receives tokens → automated 5-category Graph recon burst (20-30+ calls / 60s) → operator triages identity value for fraud / BEC / lateral movement
Source: www.elastic.co →

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

1 Multi-Category Graph API Burst

OSINT Pivots

N/A N/A - Graph API recon bursts are internal Microsoft log signals
Graph API recon bursts are not externally observable via OSINT tools (URLScan, Shodan, Hunt.io). Detection relies entirely on Graph Activity Log ingestion within the tenant. Confirm MicrosoftGraphActivityLogs is enabled and flowing to Sentinel before relying on this chokepoint.