Microsoft 365

Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access, leveraging phishing kits like Kali365 and tradecraft similar to Storm-2372 to harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices, and subsequently establishing persistence through device registration.

This rule detects the creation of new inbox forwarding rules in Microsoft 365, which can be abused by attackers to intercept and exfiltrate email data to external addresses.

This rule detects when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters, which adversaries may use to evade detection and hide malicious forwarding or deletion rules.

This brief detects the use of the Kali365 user agent, a phishing-as-a-service platform, within Entra ID or Microsoft 365 logs, indicating potential account compromise through stolen tokens.

This rule correlates Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address, indicating potential initial access via compromised credentials.

This rule correlates Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address, indicating potential initial access by adversaries triggering network security alerts before accessing cloud resources.

Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.

This rule detects Microsoft 365 audit events indicative of Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity, identifying UserLoggedIn events where the Microsoft Authentication Broker requests access to Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents, bypassing MFA by relaying authentication and capturing session material.

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).

The Tycoon2FA phishing kit now supports device-code phishing attacks targeting Microsoft 365 accounts, abusing Trustifi click-tracking URLs, redirecting victims through Cloudflare Workers to a fake Microsoft CAPTCHA page, tricking them into entering a device code, and granting attackers OAuth tokens and access to their Microsoft 365 accounts.

UNC6671, operating under the "BlackFile" brand, conducts a sophisticated extortion campaign targeting organizations through voice phishing (vishing) and single sign-on (SSO) compromise, using adversary-in-the-middle (AiTM) techniques to bypass MFA and exfiltrate sensitive corporate data.

The EvilTokens phishing-as-a-service (PhaaS) platform sold on Telegram is capable of launching device code phishing attacks at scale, leveraging AI to generate convincing and personalized lures, enabling aspiring cybercriminals to bypass traditional security measures, including MFA.

Threat actors are increasingly using device code phishing, often via Phishing-as-a-Service platforms, to compromise user accounts by abusing the OAuth 2.0 device authorization grant flow and capturing authentication tokens, enabling account takeover, data theft, and business email compromise.

The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short time frame, potentially indicating account compromise or unauthorized access.

Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from in a specific time window, potentially indicating unauthorized access attempts by analyzing login events and user location patterns.

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short timeframe, potentially indicating account compromise or unauthorized access.

This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.

This brief outlines a threat where Microsoft Defender for Office 365 identifies an email as malicious or suspicious but still delivers it to a user's inbox or junk folder, potentially bypassing initial security measures.

The Microsoft 365 'risk-based step-up consent' security setting is disabled by an adversary to allow users to grant consent to malicious applications, potentially leading to unauthorized access and data breaches.