Attack Chokepoints 2 invariant stages
Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.
1 Device Code Redemption via MAB App ▶
- Attacker can deliver a lure to the victim (email, Teams message, embedded link) that presents a device code as a legitimate verification prompt
- Target must have a Microsoft 365 / Entra ID account
- Tenant must not have a Conditional Access policy blocking device code flows (CA policy "Block device code flow" returns error 53003)
- Attacker must be able to poll oauth2/token until victim redeems the code
- Entra ID Sign-in Logs (SigninLogs table in Sentinel)
- Entra ID Interactive User Sign-In Logs
2 Token Inheritance via FOCI ▶
- Entra ID NonInteractiveUserSignInLogs
- Microsoft Graph Activity Logs
Variations 1 variant tracked
Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.
Tycoon 2FA - Device Code Grant Variant 2024-Q1 Active ▶
# Step 1: Request device code using MAB app
POST https://login.microsoftonline.com/common/oauth2/v2.0/devicecode
client_id=29d9ed98-a469-4536-ade2-f981bc1d605e
scope=https://graph.microsoft.com/.default
# Returns: device_code (shown to victim as "verification code"), user_code
# Step 2: Poll until victim redeems code at microsoft.com/devicelogin
POST https://login.microsoftonline.com/common/oauth2/token
grant_type=urn:ietf:params:oauth:grant-type:device_code
device_code=<device_code>
client_id=29d9ed98-a469-4536-ade2-f981bc1d605e
# Polls until resultType "0" - victim has entered code
# Step 3: FOCI token exchange to access M365 resources
POST https://login.microsoftonline.com/common/oauth2/token
grant_type=refresh_token
refresh_token=<mab_refresh_token>
resource=https://outlook.office365.com # Exchange
client_id=29d9ed98-a469-4536-ade2-f981bc1d605e
- Entra ID SigninLogs: authenticationProtocol "deviceCode" appId "29d9ed98-..." resultType "0" isInteractive "true"
- Entra ID NonInteractiveUserSignInLogs: FOCI token exchanges to Exchange/Graph/SharePoint from cloud-VPS ASN
- Graph Activity Logs: incomingTokenType progression none → refreshToken → primaryRefreshToken
Detection Strategy
Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.
Device-code flow on the Microsoft Authentication Broker app ID - rarely used ...
Hunt
▶
authenticationProtocol == "deviceCode" AND appId == "29d9ed98-a469-4536-ade2-f981bc1d605e" AND resultType == "0". Alert on any occurrence - MAB app ID + device code interactive sign-in is low-volume and should be reviewed.
title: Entra ID Device Code Flow on Microsoft Authentication Broker App (OAuth Device Code Phishing)
id: c9d0e1f2-a3b4-4c5d-6e7f-8a9b0c1d2e3f
status: experimental
description: >
Detects successful OAuth device-code-flow sign-ins using the Microsoft Authentication
Broker app ID (29d9ed98-a469-4536-ade2-f981bc1d605e). Tycoon 2FA's device-code-grant
variant hardcodes this client ID to obtain FOCI refresh tokens granting access to
Exchange, Graph, SharePoint, and Teams without a phishing page. End users in managed
environments rarely initiate device-code flows to the Auth Broker interactively;
any occurrence should be reviewed. CA policy blocking device code flows (error 53003)
is the most effective prevention -- this rule covers tenants without that policy.
references:
- https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
author: '@iimp0ster'
date: 2026-05-27
tags:
- attack.defense-evasion
- attack.t1550.001
- detection.maturity.hunt
logsource:
product: azure
service: signinlogs
detection:
selection:
AuthenticationProtocol: 'deviceCode'
AppId: '29d9ed98-a469-4536-ade2-f981bc1d605e'
ResultType: '0'
filter_known_automation:
# PENDING: Add known-good service account UPNs or device enrollment flows if documented
# UserPrincipalName|contains:
# - 'svc-intune@tenant.onmicrosoft.com'
UserPrincipalName: '' # placeholder — remove and populate before production
condition: selection and not filter_known_automation
falsepositives:
- Legitimate Microsoft Authentication Broker device-code flows in managed device enrollment
- Shared device scenarios (kiosk, Surface Hub) using MAB for token refresh
level: high
MAB device-code flow + isInteractive flag confirms victim redemption. High-co...
Analyst
▶
authenticationProtocol == "deviceCode" AND appId == "29d9ed98-a469-4536-ade2-f981bc1d605e" AND resultType == "0" AND isInteractive == true. Exclude known-legitimate automation (document per tenant).
title: Entra ID Interactive Device Code Redemption via Microsoft Authentication Broker (High-Confidence Phishing)
id: d0e1f2a3-b4c5-4d6e-7f8a-9b0c1d2e3f4a
status: experimental
description: >
Detects successful interactive OAuth device-code-flow sign-ins using the Microsoft
Authentication Broker app ID (29d9ed98-a469-4536-ade2-f981bc1d605e) with isInteractive
true — confirming victim-entered redemption at microsoft.com/devicelogin. The
isInteractive flag distinguishes victim redemption (attacker delivers code as lure)
from legitimate service flows. This three-field combination (deviceCode + MAB appId +
isInteractive) is high-confidence phishing in managed tenants. Remediation: enumerate
registered devices on victim UPN, delete any unrecognized devices BEFORE revoking
sessions (to prevent PRT persistence), then revoke sessions and reset credentials.
references:
- https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
author: '@iimp0ster'
date: 2026-05-27
tags:
- attack.defense-evasion
- attack.t1550.001
- detection.maturity.analyst
logsource:
product: azure
service: signinlogs
detection:
selection:
AuthenticationProtocol: 'deviceCode'
AppId: '29d9ed98-a469-4536-ade2-f981bc1d605e'
ResultType: '0'
IsInteractive: 'true'
filter_known_legitimate:
# PENDING: Document any tenant-specific legitimate MAB interactive device-code flows
# UserPrincipalName|contains:
# - 'svc-kiosk@tenant.onmicrosoft.com'
UserPrincipalName: '' # placeholder — remove and populate before production
condition: selection and not filter_known_legitimate
falsepositives:
- Interactive MAB device-code flows from documented shared-device or kiosk enrollment
- Internal IT workflows requiring manual device-code entry with Auth Broker (rare)
level: high