T1550.001

Application Access Token

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates).

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
let SuspiciousUserAgents = dynamic([
    "python-requests", "curl/", "wget/", "Go-http-client",
    "okhttp/", "node-fetch", "axios/", "PostmanRuntime", "libcurl",
    "ruby", "aiohttp", "httpx", "java/"
]);
let SensitiveResources = dynamic([
    "Microsoft Graph", "Office 365 Exchange Online", "SharePoint Online",
    "Microsoft Teams", "OneDrive", "Azure Key Vault",
    "Windows Azure Service Management API"
]);
// Detect suspicious non-interactive (token-based) sign-ins bypassing MFA
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(TimeWindow)
| where ResultType == 0
| where AuthenticationRequirement =~ "singleFactorAuthentication"
| where ConditionalAccessStatus in~ ("notApplied", "disabled", "notEnabled")
| extend
    HasSuspiciousAgent = UserAgent has_any (SuspiciousUserAgents),
    AccessedSensitiveResource = ResourceDisplayName has_any (SensitiveResources)
| where HasSuspiciousAgent or AccessedSensitiveResource
| summarize
    TokenUseCount = count(),
    UniqueResources = dcount(ResourceDisplayName),
    UniqueApps = dcount(AppDisplayName),
    UniqueIPs = dcount(IPAddress),
    Resources = make_set(ResourceDisplayName, 10),
    Apps = make_set(AppDisplayName, 5),
    SourceIPs = make_set(IPAddress, 5),
    UserAgents = make_set(UserAgent, 3),
    Countries = make_set(tostring(LocationDetails.countryOrRegion), 5)
  by UserPrincipalName, bin(TimeGenerated, 1h)
| where TokenUseCount > 10 or UniqueResources >= 3 or UniqueIPs >= 2
| extend RiskIndicator = case(
    UniqueIPs >= 3, "Token used from 3+ distinct IPs — likely shared or stolen token",
    UniqueResources >= 5, "Token accessing 5+ resources — automated enumeration pattern",
    TokenUseCount > 50, "High-frequency API access — scripted tool or automation",
    "Suspicious single-factor token-based authentication to sensitive resource"
  )
| project TimeGenerated, UserPrincipalName, TokenUseCount, UniqueResources, UniqueApps,
          UniqueIPs, Resources, Apps, SourceIPs, UserAgents, Countries, RiskIndicator
| sort by TokenUseCount desc

high severity medium confidence

Data Sources

Azure Active Directory: Non-Interactive Sign-in Logs Microsoft Sentinel: AADNonInteractiveUserSignInLogs Microsoft Entra ID: Sign-in Logs

Required Tables

AADNonInteractiveUserSignInLogs

False Positives

Legitimate service accounts and automation scripts that use OAuth tokens for scheduled integrations, ETL pipelines, or Power Automate flows accessing Microsoft Graph
CI/CD pipelines using service principals with delegated user permissions to deploy code, publish packages, or access Azure DevOps resources
Monitoring tools and SIEM connectors (Defender for Cloud Apps, Entra ID Protection, third-party SIEM add-ons) that repeatedly authenticate to Microsoft Graph for log collection at high volume
Third-party SaaS applications with broad OAuth permissions legitimately granted by IT administrators — e.g., backup solutions, email security gateways, eDiscovery tools

Splunk

spl

index=o365 sourcetype="o365:management:activity"
    (Operation="MailItemsAccessed" OR Operation="FileAccessed" OR Operation="FileDownloaded"
     OR Operation="SearchQueryInitiatedExchange" OR Operation="Send" OR Operation="MessageBind"
     OR Operation="ListItems" OR Operation="GetItem")
| eval IsAutomatedAccess=if(
    isnull(ClientInfoString) OR ClientInfoString="" OR
    match(lower(ClientInfoString), "(rest|graph|api|script|automation|curl|python|http|oauth)"),
    1, 0
  )
| where IsAutomatedAccess=1
| stats
    count as AccessCount,
    dc(ClientIP) as UniqueIPs,
    values(Operation) as Operations,
    values(ClientIP) as SourceIPs,
    earliest(_time) as FirstAccess,
    latest(_time) as LastAccess,
    dc(Operation) as OperationTypes,
    values(ClientInfoString) as ClientInfo
  by UserId, AppId
| where AccessCount > 20 OR UniqueIPs >= 2
| eval SessionDurationHours=round((LastAccess - FirstAccess) / 3600, 2)
| eval AccessRatePerHour=round(AccessCount / (SessionDurationHours + 0.001), 1)
| eval RiskScore=case(
    UniqueIPs >= 3, "HIGH",
    AccessRatePerHour > 200, "HIGH",
    UniqueIPs >= 2 AND OperationTypes >= 3, "HIGH",
    AccessCount > 100, "MEDIUM",
    UniqueIPs >= 2, "MEDIUM",
    "LOW"
  )
| where RiskScore != "LOW"
| eval FirstAccess=strftime(FirstAccess, "%Y-%m-%d %H:%M:%S")
| eval LastAccess=strftime(LastAccess, "%Y-%m-%d %H:%M:%S")
| sort - AccessCount
| table FirstAccess, LastAccess, UserId, AppId, AccessCount, UniqueIPs, AccessRatePerHour, OperationTypes, Operations, SourceIPs, ClientInfo, RiskScore

high severity medium confidence

Data Sources

Office 365 Management Activity API Microsoft 365: Exchange Online Audit Microsoft 365: SharePoint Online Audit

Required Sourcetypes

o365:management:activity

False Positives

Legitimate business applications with OAuth integrations performing bulk email or file processing, such as legal document management systems or CRM platforms syncing contacts and calendar data
Backup and archiving solutions accessing Exchange Online or SharePoint via REST API on scheduled intervals, generating high AccessCount values for service account UserId
eDiscovery tools performing authorized content searches across mailboxes, which generate high MessageBind and SearchQueryInitiatedExchange counts under a single AppId
Email security gateways and DLP solutions that scan inbound mail content via Graph API, appearing as high-volume MailItemsAccessed events from the gateway's AppId

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') as FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') as LastSeen,
  username as UserId,
  "Application" as AppId,
  COUNT(*) as AccessCount,
  CARDINALITY(ARRAY_AGG(DISTINCT sourceip)) as UniqueIPs,
  ARRAY_AGG(DISTINCT sourceip LIMIT 5) as SourceIPs,
  ARRAY_AGG(DISTINCT QIDNAME(qid) LIMIT 5) as Operations,
  ARRAY_AGG(DISTINCT "User Agent" LIMIT 3) as UserAgents,
  CASE
    WHEN CARDINALITY(ARRAY_AGG(DISTINCT sourceip)) >= 3 THEN 'HIGH — token used from 3+ distinct IPs, likely stolen or shared'
    WHEN COUNT(*) > 200 AND CARDINALITY(ARRAY_AGG(DISTINCT sourceip)) >= 2 THEN 'HIGH — high-frequency scripted access from multiple IPs'
    WHEN CARDINALITY(ARRAY_AGG(DISTINCT sourceip)) >= 2 THEN 'MEDIUM — token used from multiple source IPs'
    ELSE 'LOW'
  END as RiskScore
FROM events
WHERE
  LOGSOURCETYPEID IN (397, 475)  /* 397=Microsoft Office 365, 475=Microsoft Azure Active Directory */
  AND CATEGORYNAME(category) LIKE '%Authentication%'
  AND LOWER(PROTOCOLNAME(protocolid)) != 'interactive'
  AND (
    LOWER("User Agent") MATCHES '.*(python-requests|curl\/|wget\/|go-http-client|okhttp|node-fetch|axios|postmanruntime|libcurl|ruby|aiohttp|httpx|java\/).*'
    OR "Resource Name" IN ('Microsoft Graph', 'Office 365 Exchange Online', 'SharePoint Online', 'Microsoft Teams', 'OneDrive', 'Azure Key Vault', 'Windows Azure Service Management API')
  )
  AND "Authentication Requirement" = 'singleFactorAuthentication'
  AND QIDNAME(qid) NOT LIKE '%Failed%'
  AND QIDNAME(qid) NOT LIKE '%Failure%'
  LAST 24 HOURS
GROUP BY username, "Application"
HAVING AccessCount > 10 OR UniqueIPs >= 2
ORDER BY UniqueIPs DESC, AccessCount DESC

high severity medium confidence

Data Sources

Microsoft Office 365 DSM (QRadar log source type 397) Microsoft Azure Active Directory DSM (QRadar log source type 475)

Required Tables

events (QRadar normalized event store with O365 and Azure AD log sources configured)

False Positives

Automated backup or archival services (Veeam, AvePoint, Druva) that authenticate to Exchange Online and SharePoint using service principal tokens at high frequency during scheduled backup windows
Third-party SaaS integrations (Salesforce, ServiceNow, Workday) configured to sync with Microsoft 365 using OAuth app registrations, generating batched API calls from their cloud infrastructure IPs
Security scanning tools and CASB solutions (Microsoft Defender for Cloud Apps, Netskope) that enumerate Microsoft Graph endpoints using delegated tokens to assess data exposure

Sumo Logic CSE

sql

_sourceCategory=azure/signinlogs/noninteractive OR _sourceCategory=azure/aad/signin
| json "properties.isInteractive" as IsInteractive nodrop
| json "properties.authenticationRequirement" as AuthReq nodrop
| json "properties.conditionalAccessStatus" as CAStatus nodrop
| json "properties.userAgent" as UserAgent nodrop
| json "properties.resourceDisplayName" as Resource nodrop
| json "properties.userPrincipalName" as UserPrincipalName nodrop
| json "properties.ipAddress" as IPAddress nodrop
| json "properties.appDisplayName" as AppName nodrop
| json "properties.status.errorCode" as ErrorCode nodrop
| where (IsInteractive = "false" OR isNull(IsInteractive))
  AND AuthReq = "singleFactorAuthentication"
  AND CAStatus in ("notApplied", "disabled", "notEnabled")
  AND ErrorCode = "0"
| where UserAgent matches /(?i)(python-requests|curl\/|wget\/|go-http-client|okhttp|node-fetch|axios|postmanruntime|libcurl|ruby|aiohttp|httpx|java\/)/
  OR Resource in ("Microsoft Graph", "Office 365 Exchange Online", "SharePoint Online", "Microsoft Teams", "OneDrive", "Azure Key Vault", "Windows Azure Service Management API")
| timeslice 1h
| count as TokenUseCount,
  dcount(IPAddress) as UniqueIPs,
  dcount(Resource) as UniqueResources,
  dcount(AppName) as UniqueApps,
  values(IPAddress) as SourceIPs,
  values(Resource) as ResourcesAccessed,
  values(UserAgent) as UserAgents
  by UserPrincipalName, AppName, _timeslice
| where TokenUseCount > 10 OR UniqueIPs >= 2 OR UniqueResources >= 3
| if(UniqueIPs >= 3, "HIGH", if(UniqueResources >= 5 OR TokenUseCount > 50, "MEDIUM", "LOW")) as RiskScore
| where RiskScore != "LOW"
| fields _timeslice, UserPrincipalName, AppName, TokenUseCount, UniqueIPs, UniqueResources, UniqueApps, SourceIPs, ResourcesAccessed, UserAgents, RiskScore
| sort by TokenUseCount desc

high severity high confidence

Data Sources

Azure Active Directory Non-Interactive Sign-in Logs via Azure Event Hub Microsoft 365 Management Activity API

Required Tables

Azure AD sign-in logs (_sourceCategory=azure/signinlogs/noninteractive or equivalent configured category)

False Positives

Enterprise applications using the OAuth 2.0 client credentials flow (app-only authentication) will appear as non-interactive single-factor sign-ins — distinguish by checking if AppId corresponds to a known registered enterprise app and source IPs match expected datacenter ranges
IT automation and scripting that uses Personal Access Tokens or App Passwords (legacy auth fallback) for scheduled tasks touching Exchange Online or SharePoint, particularly common in organizations that haven't fully migrated to modern auth
Power Automate and Logic Apps cloud connectors that authenticate on behalf of users using stored OAuth refresh tokens, generating non-interactive sign-ins from Microsoft's own IP ranges when workflows execute

Google Chronicle / SecOps

yaral

rule t1550_001_application_access_token_abuse {
  meta:
    author = "df00tech"
    description = "Detects stolen OAuth application access token abuse via non-interactive single-factor authentication to sensitive Microsoft cloud resources from automated HTTP clients"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion, Lateral Movement"
    mitre_attack_technique = "T1550.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1550/001/"
    reference = "APT28 OAuth phishing, HAFNIUM token theft, Peirates Kubernetes service account token abuse"
    version = "1.0"

  events:
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.metadata.product_name = "Azure Active Directory"
    $auth.extensions.auth.auth_details = "NonInteractive"
    $auth.security_result.action = "ALLOW"
    (
      re.regex($auth.network.http.user_agent,
        `(?i)(python-requests|curl/|wget/|go-http-client|okhttp/|node-fetch|axios/|postmanruntime|libcurl|ruby|aiohttp|httpx|java/)`)
      or $auth.target.application.asset_id in (
        "Microsoft Graph",
        "Office 365 Exchange Online",
        "SharePoint Online",
        "Microsoft Teams",
        "OneDrive",
        "Azure Key Vault",
        "Windows Azure Service Management API"
      )
    )
    $auth.extensions.auth.mechanism != "MECHANISM_UNSPECIFIED"
    not $auth.extensions.auth.auth_details = "Interactive"
    $auth.principal.user.email_addresses = $user
    $auth.principal.ip = $src_ip

  match:
    $user over 1h

  outcome:
    $risk_score = max(
      if(#auth > 50, 95,
      if(#auth > 20, 80,
      if(#auth > 10, 65, 50)))
    )
    $token_use_count = count_distinct($auth.metadata.id)
    $unique_ips = count_distinct($src_ip)
    $resources_accessed = array_distinct($auth.target.application.asset_id)
    $user_agents = array_distinct($auth.network.http.user_agent)
    $source_ips = array_distinct($src_ip)

  condition:
    #auth > 10 or count_distinct($src_ip) >= 2
}

high severity high confidence

Data Sources

Google Chronicle UDM — Azure Active Directory authentication events ingested via Google Cloud Pub/Sub or Chronicle forwarder

Required Tables

UDM USER_LOGIN events with metadata.product_name = Azure Active Directory and non-interactive auth extension populated

False Positives

Service accounts used by automation platforms (Terraform, Ansible, Azure DevOps pipelines) that authenticate to Azure management APIs from multiple runner agents or ephemeral cloud instances, producing legitimate multi-IP token use patterns
Federated identity scenarios where employees authenticate through a corporate identity provider that proxies requests through multiple egress IPs, making single tokens appear to originate from different addresses
Microsoft's own first-party apps and background services (Exchange health probes, SharePoint crawlers) that use non-interactive delegated token flows internally and may be ingested into Chronicle as user-attributed events

CrowdStrike LogScale (CQL)

cql

// CrowdStrike Falcon — OAuth token abuse via endpoint process behavior
// Detects processes making automated API calls to Microsoft identity and cloud endpoints
// which is the endpoint manifestation of T1550.001 token theft and replay

#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)(graph\.microsoft\.com|login\.microsoftonline\.com|outlook\.office365\.com|sharepoint\.com|vault\.azure\.net)/
| CommandLine = /(?i)(bearer|access_token|oauth|Authorization:|--header|curl|wget|python|invoke-webrequest|invoke-restmethod)/
| case {
    ImageFileName = /(?i)(\\python[0-9]*\.exe|\\curl\.exe|\\wget\.exe|\\powershell\.exe|\\pwsh\.exe)/ |
      ToolCategory := "Known HTTP tool" ;
    CommandLine = /(?i)(invoke-restmethod|invoke-webrequest|\$headers|bearer)/ |
      ToolCategory := "PowerShell API call" ;
    CommandLine = /(?i)(curl|wget|http\.get|requests\.get|fetch\()/ |
      ToolCategory := "Script HTTP client" ;
    * | ToolCategory := "Other"
  }
| groupBy(
    [ComputerName, UserName, ImageFileName, ToolCategory],
    function=[
      count(as=ApiCallCount),
      collect(field=CommandLine, limit=5, as=CommandSamples),
      min(field=@timestamp, as=FirstSeen),
      max(field=@timestamp, as=LastSeen),
      count(field=TargetProcessId, distinct=true, as=UniqueProcessInstances)
    ]
  )
| ApiCallCount > 10
| sort(ApiCallCount, order=desc)
| select([ComputerName, UserName, ImageFileName, ToolCategory, ApiCallCount, UniqueProcessInstances, CommandSamples, FirstSeen, LastSeen])

/* SUPPLEMENTAL: Hunt for credential/token files accessed before API calls */
// #event_simpleName = "MotionDetected"
// | TargetFileName = /(?i)(\.token|\.json|access_token|refresh_token|credential|\bauth\b)/
// | groupBy([ComputerName, UserName, TargetFileName], function=count(as=AccessCount))
// | AccessCount > 3

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection — ProcessRollup2 events CrowdStrike Falcon Identity Threat Protection (if licensed) for direct Azure AD sign-in visibility

Required Tables

ProcessRollup2 (Falcon process execution events with command line logging enabled) NetworkConnectIP4 (optional — for correlating network connections to Microsoft API endpoints)

False Positives

Legitimate DevOps and IT automation scripts (PowerShell runbooks, Python scripts, Terraform) that run on jump hosts or management servers to interact with Microsoft Graph or Azure REST APIs as part of normal infrastructure management
Security tools like Microsoft Defender for Endpoint, Azure Arc agents, or Intune management clients that make periodic calls to Microsoft cloud APIs for telemetry, policy sync, or health reporting
Developer workstations running local development tools (VS Code Azure extensions, Azure CLI, Graph Explorer) that generate API calls while engineers test integrations or debug cloud applications

Last updated: 2026-04-21 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1550.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Application Access Token

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections