T1550.001 Sumo Logic CSE · Sumo

Detect Application Access Token in Sumo Logic CSE

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates).

MITRE ATT&CK

Tactic: Defense Evasion, Lateral Movement
Technique: T1550 Use Alternate Authentication Material
Sub-technique: T1550.001 Application Access Token
Canonical reference: https://attack.mitre.org/techniques/T1550/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=azure/signinlogs/noninteractive OR _sourceCategory=azure/aad/signin
| json "properties.isInteractive" as IsInteractive nodrop
| json "properties.authenticationRequirement" as AuthReq nodrop
| json "properties.conditionalAccessStatus" as CAStatus nodrop
| json "properties.userAgent" as UserAgent nodrop
| json "properties.resourceDisplayName" as Resource nodrop
| json "properties.userPrincipalName" as UserPrincipalName nodrop
| json "properties.ipAddress" as IPAddress nodrop
| json "properties.appDisplayName" as AppName nodrop
| json "properties.status.errorCode" as ErrorCode nodrop
| where (IsInteractive = "false" OR isNull(IsInteractive))
  AND AuthReq = "singleFactorAuthentication"
  AND CAStatus in ("notApplied", "disabled", "notEnabled")
  AND ErrorCode = "0"
| where UserAgent matches /(?i)(python-requests|curl\/|wget\/|go-http-client|okhttp|node-fetch|axios|postmanruntime|libcurl|ruby|aiohttp|httpx|java\/)/
  OR Resource in ("Microsoft Graph", "Office 365 Exchange Online", "SharePoint Online", "Microsoft Teams", "OneDrive", "Azure Key Vault", "Windows Azure Service Management API")
| timeslice 1h
| count as TokenUseCount,
  count_distinct(IPAddress) as UniqueIPs,
  count_distinct(Resource) as UniqueResources,
  count_distinct(AppName) as UniqueApps,
  values(IPAddress) as SourceIPs,
  values(Resource) as ResourcesAccessed,
  values(UserAgent) as UserAgents
  by UserPrincipalName, AppName, _timeslice
| where TokenUseCount > 10 OR UniqueIPs >= 2 OR UniqueResources >= 3
| if(UniqueIPs >= 3, "HIGH", if(UniqueResources >= 5 OR TokenUseCount > 50, "MEDIUM", "LOW")) as RiskScore
| where RiskScore != "LOW"
| fields _timeslice, UserPrincipalName, AppName, TokenUseCount, UniqueIPs, UniqueResources, UniqueApps, SourceIPs, ResourcesAccessed, UserAgents, RiskScore
| sort by TokenUseCount desc
Severity: high. Confidence: high.

Detects stolen or abused OAuth application access tokens in Microsoft Azure AD by monitoring non-interactive sign-in logs for single-factor authentications using automated HTTP clients (scripting libraries, API tools) or accessing sensitive Microsoft cloud resources. Aggregates events per user and application in 1-hour windows to surface token sharing across multiple IPs (strongest indicator) and automated enumeration patterns. Requires Azure AD Non-Interactive Sign-in logs to be forwarded to Sumo Logic using the Azure Event Hub integration.
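The query's filter stages, 1-hour aggregation and risk scoring, re-implemented in Python over constructed Azure AD non-interactive sign-in records so the logic can be exercised offline. This is an added example, not code from the rule page or from Sumo Logic; the record shape (properties.* fields as delivered by Event Hub), the app name "Graph Explorer" and the sample users and IPs are constructed.

```python
import re
from datetime import datetime
# Same automated-client pattern and sensitive-resource list as the Sumo query above.
AUTOMATED_UA = re.compile(r"(?i)(python-requests|curl/|wget/|go-http-client|okhttp|node-fetch|"
                          r"axios|postmanruntime|libcurl|ruby|aiohttp|httpx|java/)")
SENSITIVE = {"Microsoft Graph", "Office 365 Exchange Online", "SharePoint Online", "Microsoft Teams",
             "OneDrive", "Azure Key Vault", "Windows Azure Service Management API"}

def matches_filter(p):
    """Both where-stages: non-interactive, single-factor, no CA, success, plus automated UA or sensitive resource."""
    baseline = (str(p.get("isInteractive", "false")).lower() == "false"
                and p.get("authenticationRequirement") == "singleFactorAuthentication"
                and p.get("conditionalAccessStatus") in ("notApplied", "disabled", "notEnabled")
                and str(p.get("status", {}).get("errorCode")) == "0")
    return baseline and (AUTOMATED_UA.search(p.get("userAgent", "")) is not None
                         or p.get("resourceDisplayName") in SENSITIVE)

def risk_score(count, unique_ips, unique_resources):
    if unique_ips >= 3:  # mirrors the nested if(): one token seen from 3+ IPs is the strongest signal
        return "HIGH"
    return "MEDIUM" if unique_resources >= 5 or count > 50 else "LOW"

def detect(events):
    """Aggregate matching sign-ins per (user, app, 1h timeslice) and keep non-LOW findings."""
    buckets = {}
    for e in events:
        p = e["properties"]
        if matches_filter(p):
            hour = datetime.fromisoformat(e["time"].replace("Z", "+00:00")).replace(minute=0, second=0)
            buckets.setdefault((p["userPrincipalName"], p.get("appDisplayName"), hour), []).append(p)
    findings = []
    for (upn, app, hour), rows in buckets.items():
        ips, res = {r.get("ipAddress") for r in rows}, {r.get("resourceDisplayName") for r in rows}
        score = risk_score(len(rows), len(ips), len(res))
        if (len(rows) > 10 or len(ips) >= 2 or len(res) >= 3) and score != "LOW":
            findings.append({"user": upn, "app": app, "hour": hour.isoformat(), "count": len(rows),
                             "unique_ips": len(ips), "unique_resources": len(res), "risk": score})
    return findings

# Constructed sample in the Azure AD Event Hub JSON shape: one token replayed via curl from three
# IPs within an hour (HIGH), plus a normal interactive MFA browser sign-in that the filter drops.
def signin(time, upn, ip, ua, resource, interactive=False, mfa=False):
    return {"time": time, "properties": {"isInteractive": str(interactive).lower(), "ipAddress": ip,
            "authenticationRequirement": "multiFactorAuthentication" if mfa else "singleFactorAuthentication",
            "conditionalAccessStatus": "notApplied", "userAgent": ua, "resourceDisplayName": resource,
            "userPrincipalName": upn, "appDisplayName": "Graph Explorer", "status": {"errorCode": 0}}}
SAMPLE = [signin("2024-05-01T10:%02d:00Z" % m, "alice@example.com", ip, "curl/8.4.0", "Microsoft Graph")
          for m, ip in ((5, "203.0.113.7"), (20, "198.51.100.9"), (41, "192.0.2.55"))]
SAMPLE.append(signin("2024-05-01T10:50:00Z", "bob@example.com", "192.0.2.10", "Mozilla/5.0",
                     "Office 365 Exchange Online", interactive=True, mfa=True))
```

Running `detect(SAMPLE)` returns a single HIGH finding for alice's token seen from three IPs; a token used from only two IPs with few resources scores LOW and is dropped, exactly as the query's final `where RiskScore != "LOW"` does.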

Data Sources

  • Azure Active Directory Non-Interactive Sign-in Logs via Azure Event Hub
  • Microsoft 365 Management Activity API

Required Tables

Azure AD sign-in logs (_sourceCategory=azure/signinlogs/noninteractive or equivalent configured category)

False Positives & Tuning

  • Enterprise applications using the OAuth 2.0 client credentials flow (app-only authentication) will appear as non-interactive single-factor sign-ins — distinguish by checking if AppId corresponds to a known registered enterprise app and source IPs match expected datacenter ranges
  • IT automation and scripting that uses Personal Access Tokens or App Passwords (legacy auth fallback) for scheduled tasks touching Exchange Online or SharePoint, particularly common in organizations that haven't fully migrated to modern auth
  • Power Automate and Logic Apps cloud connectors that authenticate on behalf of users using stored OAuth refresh tokens, generating non-interactive sign-ins from Microsoft's own IP ranges when workflows execute
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: OAuth Refresh Token Exchange for Microsoft Graph Access Token

    Expected signal: AADNonInteractiveUserSignInLogs entry: ResultType=0, AuthenticationRequirement=singleFactorAuthentication, ClientAppUsed=MSAL (or legacy), AppId matching CLIENT_ID, ResourceDisplayName=Microsoft Graph. The user-agent will be curl/x.x.x, triggering the HasSuspiciousAgent filter.

  2. Test 2: Microsoft Graph API Mailbox Enumeration Using Stolen Bearer Token

    Expected signal: Microsoft 365 Unified Audit Log: MailItemsAccessed and MessageBind operations generated per message accessed; FileAccessed for drive enumeration — all attributed to the AppId that issued the token. AADNonInteractiveUserSignInLogs shows a non-interactive sign-in for Microsoft Graph resource with AuthenticationRequirement=singleFactorAuthentication.

  3. Test 3: AWS STS GetFederationToken for Persistent Secondary Credential

    Expected signal: AWS CloudTrail event: eventName=GetFederationToken, eventSource=sts.amazonaws.com, userIdentity.type=IAMUser, requestParameters.name=df00tech-test-session. Subsequent GetCallerIdentity shows userIdentity.type=FederatedUser, confirming token independence.

  4. Test 4: Kubernetes Service Account Token Lateral Movement

    Expected signal: Kubernetes API server audit log: authentication events with userInfo.username=system:serviceaccount:<namespace>:<serviceaccount>, verb=list, resource=secrets, namespace=<namespace>. Cross-namespace kube-system access attempt appears as a separate event with responseStatus.code=403 (if RBAC is properly configured). In EKS, AKS, and GKE these events appear in CloudTrail, Azure Monitor, and Cloud Audit Logs respectively.
