Detect Application Access Token in Splunk
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates).
MITRE ATT&CK
- Tactic
- Defense Evasion Lateral Movement
- Sub-technique
- T1550.001 Application Access Token
- Canonical reference
- https://attack.mitre.org/techniques/T1550/001/
SPL Detection Query
index=o365 sourcetype="o365:management:activity"
(Operation="MailItemsAccessed" OR Operation="FileAccessed" OR Operation="FileDownloaded"
OR Operation="SearchQueryInitiatedExchange" OR Operation="Send" OR Operation="MessageBind"
OR Operation="ListItems" OR Operation="GetItem")
| eval IsAutomatedAccess=if(
isnull(ClientInfoString) OR ClientInfoString="" OR
match(lower(ClientInfoString), "(rest|graph|api|script|automation|curl|python|http|oauth)"),
1, 0
)
| where IsAutomatedAccess=1
| stats
count as AccessCount,
dc(ClientIP) as UniqueIPs,
values(Operation) as Operations,
values(ClientIP) as SourceIPs,
earliest(_time) as FirstAccess,
latest(_time) as LastAccess,
dc(Operation) as OperationTypes,
values(ClientInfoString) as ClientInfo
by UserId, AppId
| where AccessCount > 20 OR UniqueIPs >= 2
| eval SessionDurationHours=round((LastAccess - FirstAccess) / 3600, 2)
| eval AccessRatePerHour=round(AccessCount / (SessionDurationHours + 0.001), 1)
| eval RiskScore=case(
UniqueIPs >= 3, "HIGH",
AccessRatePerHour > 200, "HIGH",
UniqueIPs >= 2 AND OperationTypes >= 3, "HIGH",
AccessCount > 100, "MEDIUM",
UniqueIPs >= 2, "MEDIUM",
"LOW"
)
| where RiskScore != "LOW"
| eval FirstAccess=strftime(FirstAccess, "%Y-%m-%d %H:%M:%S")
| eval LastAccess=strftime(LastAccess, "%Y-%m-%d %H:%M:%S")
| sort - AccessCount
| table FirstAccess, LastAccess, UserId, AppId, AccessCount, UniqueIPs, AccessRatePerHour, OperationTypes, Operations, SourceIPs, ClientInfo, RiskScoreDetects application access token abuse in Microsoft 365 environments using O365 Management Activity logs via the Splunk Add-on for Microsoft Cloud Services. Identifies REST API and Graph API token-based access patterns that bypass interactive authentication — specifically mass mail access (MailItemsAccessed, MessageBind), file operations, and programmatic searches. Computes per-session access rate and IP diversity to surface tokens used from multiple locations or at anomalous frequencies, consistent with stolen OAuth token abuse by threat actors such as APT28 (Gmail/Yahoo OAuth phishing) and HAFNIUM (service principal abuse).
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate business applications with OAuth integrations performing bulk email or file processing, such as legal document management systems or CRM platforms syncing contacts and calendar data
- Backup and archiving solutions accessing Exchange Online or SharePoint via REST API on scheduled intervals, generating high AccessCount values for service account UserId
- eDiscovery tools performing authorized content searches across mailboxes, which generate high MessageBind and SearchQueryInitiatedExchange counts under a single AppId
- Email security gateways and DLP solutions that scan inbound mail content via Graph API, appearing as high-volume MailItemsAccessed events from the gateway's AppId
Other platforms for T1550.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1OAuth Refresh Token Exchange for Microsoft Graph Access Token
Expected signal: AADNonInteractiveUserSignInLogs entry: ResultType=0, AuthenticationRequirement=singleFactorAuthentication, ClientAppUsed=MSAL (or legacy), AppId matching CLIENT_ID, ResourceDisplayName=Microsoft Graph. The user-agent will be curl/x.x.x, triggering the HasSuspiciousAgent filter.
- Test 2Microsoft Graph API Mailbox Enumeration Using Stolen Bearer Token
Expected signal: Microsoft 365 Unified Audit Log: MailItemsAccessed and MessageBind operations generated per message accessed; FileAccessed for drive enumeration — all attributed to the AppId that issued the token. AADNonInteractiveUserSignInLogs shows a non-interactive sign-in for Microsoft Graph resource with AuthenticationRequirement=singleFactorAuthentication.
- Test 3AWS STS GetFederationToken for Persistent Secondary Credential
Expected signal: AWS CloudTrail event: eventName=GetFederationToken, eventSource=sts.amazonaws.com, userIdentity.type=IAMUser, requestParameters.name=df00tech-test-session. Subsequent GetCallerIdentity shows userIdentity.type=FederatedUser, confirming token independence.
- Test 4Kubernetes Service Account Token Lateral Movement
Expected signal: Kubernetes API server audit log: authentication events with userInfo.username=system:serviceaccount:<namespace>:<serviceaccount>, verb=list, resource=secrets, namespace=<namespace>. Cross-namespace kube-system access attempt appears as a separate event with responseStatus.code=403 (if RBAC is properly configured). In EKS, AKS, and GKE these events appear in CloudTrail, Azure Monitor, and Cloud Audit Logs respectively.
References (12)
- https://attack.mitre.org/techniques/T1550/001/
- https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
- https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailitemsaccessed
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
- https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/
- https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
- https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/
- https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
- https://github.com/dafthack/GraphRunner
- https://github.com/mandiant/Mandiant-Azure-AD-Investigator
- https://github.com/inguardians/peirates
Unlock Pro Content
Get the full detection package for T1550.001 including response playbook, investigation guide, and atomic red team tests.