{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/exchange-online/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Tycoon2FA"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID","Exchange Online","Microsoft Graph","SharePoint"],"_cs_severities":["high"],"_cs_tags":["cloud","identity","azure","entra_id","phishing"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a specific pattern associated with adversary-in-the-middle (AiTM) phishing campaigns targeting Microsoft Entra ID. It focuses on successful sign-ins utilizing the OAuth device code authentication protocol in conjunction with the Microsoft Authentication Broker client. A key characteristic is the request for first-party Office API resources, specifically Exchange Online, Microsoft Graph, or SharePoint. The activity is flagged as interactive. This tactic is linked to AiTM phishing kits like Tycoon 2FA, where unsuspecting victims are tricked into completing device code flows, ultimately granting attackers access tokens for mail and collaboration APIs. This allows unauthorized access to sensitive data and resources within the organization\u0026rsquo;s cloud environment. The blog post from Microsoft on February 13, 2025, highlights the Storm-2372 campaign which utilizes this technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email or message to the victim containing a link or QR code.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the link or scans the QR code, which redirects them to a fake Microsoft login page controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe fake login page prompts the victim to enter a device code.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a legitimate OAuth device code flow using the Microsoft Authentication Broker client.\u003c/li\u003e\n\u003cli\u003eThe victim enters the device code on the attacker-controlled page, unknowingly authorizing the attacker\u0026rsquo;s application.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s application requests access to first-party Office API resources, such as Exchange Online (resource ID 00000002-0000-0ff1-ce00-000000000000), Microsoft Graph (00000003-0000-0ff1-ce00-000000000000), or SharePoint (00000005-0000-0ff1-ce00-000000000000).\u003c/li\u003e\n\u003cli\u003eThe Microsoft Authentication Broker authenticates the request as interactive.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the victim\u0026rsquo;s mail and collaboration APIs via the obtained access tokens, enabling data exfiltration and other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to unauthorized access to the victim\u0026rsquo;s Microsoft Entra ID account and associated resources, including email, files, and other sensitive data. This can result in data theft, financial loss, and reputational damage to the organization. The Tycoon 2FA kit, as referenced, facilitates this type of attack, bypassing traditional multi-factor authentication methods. The scale of impact depends on the scope of access granted to the compromised account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Entra ID OAuth Device Code Phishing via AiTM\u0026rdquo; to your SIEM to detect suspicious device code authentication flows.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on \u003ccode\u003eazure.signinlogs.properties.user_principal_name\u003c/code\u003e, \u003ccode\u003eazure.signinlogs.properties.session_id\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003eazure.signinlogs.properties.resource_display_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement conditional access policies to restrict device code flows to trusted networks and devices, mitigating the risk of AiTM attacks (reference: Microsoft documentation on conditional access).\u003c/li\u003e\n\u003cli\u003eRevoke refresh tokens for any compromised users and reset their credentials per policy, as mentioned in the investigation steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T10:04:48Z","date_published":"2026-05-18T10:04:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/","summary":"Detects successful Microsoft Entra ID sign-ins using the OAuth device code authentication protocol with the Microsoft Authentication Broker client requesting first-party Office API resources, indicative of adversary-in-the-middle (AiTM) phishing attacks such as Tycoon 2FA.","title":"Entra ID OAuth Device Code Phishing via AiTM","url":"https://feed.craftedsignal.io/briefs/2026-05-entra-device-code-phishing/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Microsoft Graph","Exchange Online"],"_cs_severities":["high"],"_cs_tags":["cloud","identity","saas","microsoft365","aitm","tycoon2fa","phishing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying adversary-in-the-middle (AiTM) phishing activity targeting Microsoft 365 environments, specifically related to the Tycoon 2FA phishing-as-a-service platform. The attack leverages AiTM techniques to bypass multi-factor authentication (MFA) by relaying authentication requests and capturing session cookies. The detection is based on the observation of specific Microsoft 365 audit events, namely \u0026ldquo;UserLoggedIn\u0026rdquo;, combined with anomalous user agent strings indicative of Node.js-based tooling (node, axios, undici). The activity involves the Microsoft Authentication Broker requesting access to Microsoft Graph or Exchange Online, or the Office web client authenticating to itself, which are patterns associated with Tycoon 2FA. Defenders should baseline legitimate automation and developer tooling environments to avoid false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates a phishing campaign targeting Microsoft 365 users to steal credentials and bypass MFA.\u003c/li\u003e\n\u003cli\u003eThe victim receives a phishing email or message containing a link to a malicious proxy site that spoofs a legitimate Microsoft 365 login page.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the link and enters their credentials into the fake login page.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s proxy site relays the credentials to the real Microsoft 365 login page.\u003c/li\u003e\n\u003cli\u003eThe real Microsoft 365 login page sends an MFA request to the victim.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s proxy site relays the MFA request to the victim and captures the MFA code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s proxy site relays the MFA code to the real Microsoft 365 login page, completing the authentication process.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the session cookie, allowing them to access the victim\u0026rsquo;s Microsoft 365 account without needing the credentials or MFA code again.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to Microsoft 365 accounts, potentially leading to data exfiltration, financial fraud, or further lateral movement within the organization. The use of Tycoon 2FA underscores the increasing sophistication of phishing attacks, making it more difficult for users to detect and avoid. Without proper detection and response mechanisms, organizations are vulnerable to significant compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)\u0026rdquo; to your SIEM and tune for your environment to detect suspicious login patterns.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eo365.audit.UserId\u003c/code\u003e, \u003ccode\u003euser_agent.original\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e or \u003ccode\u003eo365.audit.ActorIpAddress\u003c/code\u003e, and related Entra ID sign-in logs (\u003ccode\u003eazure.signinlogs\u003c/code\u003e) for the same session or time window as described in the rule\u0026rsquo;s \u0026ldquo;Triage and Analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eRevoke refresh tokens for compromised users, reset credentials per policy, and review conditional access outcomes if malicious activity is confirmed, as outlined in the rule\u0026rsquo;s \u0026ldquo;Response and Remediation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eBlock or monitor the source IPs identified in the logs and escalate per incident procedures, as suggested in the rule\u0026rsquo;s \u0026ldquo;Response and Remediation\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T09:26:46Z","date_published":"2026-05-18T09:26:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tycoon-aitm-o365/","summary":"This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, identifying UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents, bypassing MFA by relaying authentication and capturing session material.","title":"Microsoft 365 AiTM UserLoggedIn via Office App (Tycoon2FA)","url":"https://feed.craftedsignal.io/briefs/2026-05-tycoon-aitm-o365/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft 365","Microsoft Graph","Exchange Online"],"_cs_severities":["medium"],"_cs_tags":["tycoon2fa","aitm","entra_id","phishing","credential_access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule detects Microsoft Entra ID sign-ins indicative of Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) attacks. Tycoon2FA is designed to bypass multi-factor authentication (MFA) by relaying authentication requests and capturing session cookies, primarily targeting Microsoft 365 and Gmail accounts. The activity is characterized by the Microsoft Authentication Broker (app ID \u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e) requesting tokens for Microsoft Graph (\u003ccode\u003e00000003-0000-0000-c000-000000000000\u003c/code\u003e) or Exchange Online (\u003ccode\u003e00000002-0000-0ff1-ce00-000000000000\u003c/code\u003e), or the Office web client application (app ID \u003ccode\u003e4765445b-32c6-49b0-83e6-1d93765276ca\u003c/code\u003e) authenticating to itself, in conjunction with Node.js-style user agents (node, axios, undici). Defenders should baseline legitimate automation and developer tooling using these patterns to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim receives a phishing email or message designed to mimic a legitimate Microsoft 365 login page.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and is redirected to a Tycoon2FA-controlled server acting as a proxy.\u003c/li\u003e\n\u003cli\u003eThe victim enters their credentials, which are captured by the Tycoon2FA proxy.\u003c/li\u003e\n\u003cli\u003eThe Tycoon2FA proxy initiates a legitimate sign-in attempt to Microsoft Entra ID using the stolen credentials and relays the MFA request to the victim.\u003c/li\u003e\n\u003cli\u003eThe victim completes MFA, and the Tycoon2FA proxy captures the session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session cookie to bypass MFA and gain access to the victim\u0026rsquo;s Microsoft 365 account, impersonating the user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this access to perform actions such as reading emails, accessing files, or initiating further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to account compromise and unauthorized access to sensitive data within Microsoft 365 and Gmail environments. This can result in data breaches, financial loss, and reputational damage. Tycoon2FA is a phishing-as-a-service (PhaaS) platform, enabling even less sophisticated attackers to successfully bypass MFA, potentially affecting a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential AiTM attacks targeting Microsoft Entra ID.\u003c/li\u003e\n\u003cli\u003eMonitor Microsoft Entra ID sign-in logs for the specific application IDs (\u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e, \u003ccode\u003e4765445b-32c6-49b0-83e6-1d93765276ca\u003c/code\u003e) and resource IDs (\u003ccode\u003e00000002-0000-0ff1-ce00-000000000000\u003c/code\u003e, \u003ccode\u003e00000003-0000-0000-c000-000000000000\u003c/code\u003e) associated with Tycoon2FA, as described in the overview.\u003c/li\u003e\n\u003cli\u003eInvestigate sign-ins originating from unusual user agents, especially those containing \u0026ldquo;node\u0026rdquo;, \u0026ldquo;axios\u0026rdquo;, or \u0026ldquo;undici\u0026rdquo; when used in conjunction with the Microsoft Authentication Broker or Office web client application.\u003c/li\u003e\n\u003cli\u003eReview conditional access policies and MFA configurations to ensure they are effectively preventing AiTM attacks.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing techniques and the importance of verifying login pages and MFA requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T09:26:29Z","date_published":"2026-05-18T09:26:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-entra-id/","summary":"Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).","title":"Tycoon2FA AiTM Phishing via Microsoft Entra ID Sign-Ins","url":"https://feed.craftedsignal.io/briefs/2026-05-tycoon2fa-entra-id/"}],"language":"en","title":"CraftedSignal Threat Feed — Exchange Online","version":"https://jsonfeed.org/version/1.1"}