Microsoft 365

Attackers are actively exploiting the OAuth device code flow in Microsoft 365 to bypass multi-factor authentication (MFA) and gain initial access, leveraging phishing kits like Kali365 and tradecraft similar to Storm-2372 to harvest MFA-satisfied tokens from non-compliant or attacker-controlled devices, and subsequently establishing persistence through device registration.

This rule detects when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters, which adversaries may use to evade detection and hide malicious forwarding or deletion rules.

The Tycoon2FA phishing kit now supports device-code phishing attacks targeting Microsoft 365 accounts, abusing Trustifi click-tracking URLs, redirecting victims through Cloudflare Workers to a fake Microsoft CAPTCHA page, tricking them into entering a device code, and granting attackers OAuth tokens and access to their Microsoft 365 accounts.

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short time frame, potentially indicating account compromise or unauthorized access.

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short timeframe, potentially indicating account compromise or unauthorized access.