Detect Application Access Token in Microsoft Sentinel
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates).
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.001 Application Access Token
- Canonical reference
- https://attack.mitre.org/techniques/T1550/001/
KQL Detection Query
let TimeWindow = 24h;
let SuspiciousUserAgents = dynamic([
"python-requests", "curl/", "wget/", "Go-http-client",
"okhttp/", "node-fetch", "axios/", "PostmanRuntime", "libcurl",
"ruby", "aiohttp", "httpx", "java/"
]);
let SensitiveResources = dynamic([
"Microsoft Graph", "Office 365 Exchange Online", "SharePoint Online",
"Microsoft Teams", "OneDrive", "Azure Key Vault",
"Windows Azure Service Management API"
]);
// Detect suspicious non-interactive (token-based) sign-ins bypassing MFA
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(TimeWindow)
| where ResultType == 0
| where AuthenticationRequirement =~ "singleFactorAuthentication"
| where ConditionalAccessStatus in~ ("notApplied", "disabled", "notEnabled")
| extend
HasSuspiciousAgent = UserAgent has_any (SuspiciousUserAgents),
AccessedSensitiveResource = ResourceDisplayName has_any (SensitiveResources)
| where HasSuspiciousAgent or AccessedSensitiveResource
| summarize
TokenUseCount = count(),
UniqueResources = dcount(ResourceDisplayName),
UniqueApps = dcount(AppDisplayName),
UniqueIPs = dcount(IPAddress),
Resources = make_set(ResourceDisplayName, 10),
Apps = make_set(AppDisplayName, 5),
SourceIPs = make_set(IPAddress, 5),
UserAgents = make_set(UserAgent, 3),
Countries = make_set(tostring(LocationDetails.countryOrRegion), 5)
by UserPrincipalName, bin(TimeGenerated, 1h)
| where TokenUseCount > 10 or UniqueResources >= 3 or UniqueIPs >= 2
| extend RiskIndicator = case(
UniqueIPs >= 3, "Token used from 3+ distinct IPs — likely shared or stolen token",
UniqueResources >= 5, "Token accessing 5+ resources — automated enumeration pattern",
TokenUseCount > 50, "High-frequency API access — scripted tool or automation",
"Suspicious single-factor token-based authentication to sensitive resource"
)
| project TimeGenerated, UserPrincipalName, TokenUseCount, UniqueResources, UniqueApps,
UniqueIPs, Resources, Apps, SourceIPs, UserAgents, Countries, RiskIndicator
| sort by TokenUseCount descDetects suspicious application access token abuse via Microsoft Sentinel AADNonInteractiveUserSignInLogs. Focuses on token-based (non-interactive) sign-ins that bypass MFA, originate from scripting or automation user agents (python-requests, curl, Go HTTP clients), or exhibit anomalous access breadth — high resource count, multiple source IPs, or high-frequency API calls within a one-hour window. These patterns indicate tokens that may have been stolen via OAuth phishing or credential theft and are being used for reconnaissance, data collection, or lateral movement across Microsoft 365 and Azure resources.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate service accounts and automation scripts that use OAuth tokens for scheduled integrations, ETL pipelines, or Power Automate flows accessing Microsoft Graph
- CI/CD pipelines using service principals with delegated user permissions to deploy code, publish packages, or access Azure DevOps resources
- Monitoring tools and SIEM connectors (Defender for Cloud Apps, Entra ID Protection, third-party SIEM add-ons) that repeatedly authenticate to Microsoft Graph for log collection at high volume
- Third-party SaaS applications with broad OAuth permissions legitimately granted by IT administrators — e.g., backup solutions, email security gateways, eDiscovery tools
Other platforms for T1550.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1OAuth Refresh Token Exchange for Microsoft Graph Access Token
Expected signal: AADNonInteractiveUserSignInLogs entry: ResultType=0, AuthenticationRequirement=singleFactorAuthentication, ClientAppUsed=MSAL (or legacy), AppId matching CLIENT_ID, ResourceDisplayName=Microsoft Graph. The user-agent will be curl/x.x.x, triggering the HasSuspiciousAgent filter.
- Test 2Microsoft Graph API Mailbox Enumeration Using Stolen Bearer Token
Expected signal: Microsoft 365 Unified Audit Log: MailItemsAccessed and MessageBind operations generated per message accessed; FileAccessed for drive enumeration — all attributed to the AppId that issued the token. AADNonInteractiveUserSignInLogs shows a non-interactive sign-in for Microsoft Graph resource with AuthenticationRequirement=singleFactorAuthentication.
- Test 3AWS STS GetFederationToken for Persistent Secondary Credential
Expected signal: AWS CloudTrail event: eventName=GetFederationToken, eventSource=sts.amazonaws.com, userIdentity.type=IAMUser, requestParameters.name=df00tech-test-session. Subsequent GetCallerIdentity shows userIdentity.type=FederatedUser, confirming token independence.
- Test 4Kubernetes Service Account Token Lateral Movement
Expected signal: Kubernetes API server audit log: authentication events with userInfo.username=system:serviceaccount:<namespace>:<serviceaccount>, verb=list, resource=secrets, namespace=<namespace>. Cross-namespace kube-system access attempt appears as a separate event with responseStatus.code=403 (if RBAC is properly configured). In EKS, AKS, and GKE these events appear in CloudTrail, Azure Monitor, and Cloud Audit Logs respectively.
References (12)
- https://attack.mitre.org/techniques/T1550/001/
- https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailitemsaccessed
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
- https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
- https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://github.com/dafthack/GraphRunner
- https://github.com/mandiant/Mandiant-Azure-AD-Investigator
- https://github.com/inguardians/peirates
Unlock Pro Content
Get the full detection package for T1550.001 including response playbook, investigation guide, and atomic red team tests.