Loading

M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device)

Identifies a Microsoft 365 user completing an OAuth device code grant ("Cmsi:Cmsi") from a non-compliant device for the first time within the rule's historical window, regardless of the requesting application or target resource. Device code phishing kits complete the full login (password and MFA) at the genuine Microsoft endpoint and harvest the resulting token by polling, so MFA does not stop them. Because the victim authorizes the flow in their own browser, the grant is frequently completed on a personal or attacker-controlled device that is not enrolled or compliant with the organization's device policies. A user appearing with this device code flow on a non-compliant device for the first time in the lookback window is a strong early indicator of device code phishing, and removing the application and target constraints catches grants against any first-party application, not just the Microsoft Authentication Broker.

Rule type: new_terms
Rule indices:

  • logs-o365.audit-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Domain: Identity
  • Data Source: Microsoft 365
  • Data Source: Microsoft 365 Audit Logs
  • Use Case: Identity and Access Audit
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Tactic: Initial Access

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule requires the Microsoft 365 integration with unified audit logs (Azure AD / Entra sign-in events surfaced in the Microsoft 365 audit log) enabled and shipping to Elastic.

This rule detects a user completing an OAuth device code grant (Cmsi:Cmsi) from a device reported as non-compliant in the Microsoft 365 unified audit log for the first time within the rule's historical window (defined by the new terms history setting), independent of the requesting application or target resource. A match means the user has not been seen in this flow during the lookback window, not necessarily that it has never happened. Device code phishing kits (for example Kali365, Storm-2372 tradecraft) drive the device code flow against the genuine Microsoft endpoint and poll the token endpoint in the background, so the victim satisfies MFA while the attacker harvests a fully MFA-satisfied token, typically completed from a personal or attacker-controlled device that is not enrolled or compliant.

  • Review o365.audit.UserId to identify the impacted account and confirm whether the user expected to perform a device code sign-in.
  • Examine o365.audit.DeviceProperties to understand the device posture (compliance, management state, OS, browser) and whether the device is recognized for this user.
  • Confirm o365.audit.ApplicationId and o365.audit.Target.ID to identify the application and resource the grant was for. Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e) and developer tooling (Azure CLI, PowerShell) are commonly abused.
  • Inspect source.as.number, source.as.organization.name, source.ip, and source.geo.* and compare with the user's normal sign-in origins. Hosting, VPN, or datacenter providers are unusual for interactive user authentication.
  • Examine user_agent.original for automation or headless-browser patterns.
  • Pivot to azure.signinlogs for the corresponding deviceCode sign-in, conditional access decisions, and any concurrent non-interactive token-issuance legs from a different ASN (the kit's polling backend).
  • Pivot to azure.graphactivitylogs for follow-up Graph activity (/me recon, mailbox or file enumeration).
  • Check azure.auditlogs for subsequent device registration events on the user, which device code phishing kits use to establish Primary Refresh Token persistence.
  • A legitimate first-time device code sign-in on a personal or non-compliant device.
  • Provisioning of input-constrained devices (smart TVs, kiosks, IoT, conference room devices).
  • CLI or headless developer workflows using the device code flow on an unmanaged device.
  • If a user or device combination is confirmed benign and recurring, suppress it via a rule exception rather than broadening the query.
  • Contact the user to confirm whether they initiated the device code sign-in or may have entered a code presented on a phishing page.
  • If unauthorized, revoke all refresh tokens for the user and reset credentials to invalidate the harvested token.
  • Review and remove any unauthorized device registrations to cut off Primary Refresh Token persistence.
  • Review recent Microsoft Graph, Exchange, SharePoint, and Teams activity for the user for signs of recon or exfiltration.
  • Restrict device code authentication to only the users and applications that require it, and require compliant or hybrid-joined devices, via Conditional Access policies.
  • Educate users on device code phishing and the risk of entering codes presented by unsolicited documents or messages.
event.dataset: "o365.audit"
    and o365.audit.ExtendedProperties.RequestType: "Cmsi:Cmsi"
    and o365.audit.Actor.Type: (0 or 2 or 3 or 5 or 10)
    and o365.audit.DeviceProperties.Value: "False"

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK