Attack Chokepoints 1 invariant stage
Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.
1 Multi-Category Graph API Burst ▶
- Kit has successfully obtained session tokens (Tier 1 relay) or device-code-grant tokens
- Graph Activity Logs must be enabled and ingested (not enabled by default in all tenants)
- Operator automation must have access tokens with broad pre-consented scopes (RoleManagement.ReadWrite.Directory, MailboxSettings.ReadWrite, etc.)
- Microsoft Graph Activity Logs (MicrosoftGraphActivityLogs Sentinel table)
- Entra ID Sign-in Logs (for ASN correlation with Tier 2 residential proxy)
Variations 1 variant tracked
Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.
Tycoon 2FA Operator Console - 5-Category Recon Automation 2023-Q3 Active ▶
# Role Discovery
GET https://graph.microsoft.com/beta/me/transitiveRoleAssignments?$select=roleDefinitionId
GET https://graph.microsoft.com/v1.0/me/memberOf/microsoft.graph.directoryRole
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=principalId eq '<id>'
# Cross-Tenant Recon
POST https://graph.microsoft.com/beta/tenantRelationships/getResourceTenants
# Mailbox Recon
GET https://graph.microsoft.com/v1.0/me/mailboxSettings
# Contact Harvesting
GET https://graph.microsoft.com/v1.0/me/contactFolders/contacts?$top=1000
# Org & Licensing
GET https://graph.microsoft.com/v1.0/subscribedSkus
GET https://graph.microsoft.com/v1.0/organization
GET https://graph.microsoft.com/beta/me/appRoleAssignedResources?$top=999&$count=true
- Graph Activity Logs: 4+ endpoint categories from single UPN within 60s
- Graph Activity Logs: $top=999 / $count=true structured query parameters
- Graph Activity Logs: empty c_DeviceId on all requests
- Graph Activity Logs: /beta/ API disproportionate to /v1.0/
- Entra ID Sign-in Logs: residential ASN sign-in 10-20 min after cloud-VPS sign-in same UPN
Detection Strategy
Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.
OSINT Pivots
N/A - Graph API recon bursts are internal Microsoft log signals