THREAT-BEC-OAuthDeviceCode (CrowdStrike LogScale)

Detect Business Email Compromise via OAuth Device Code Flow Phishing in CrowdStrike LogScale

OAuth Device Code Flow phishing is a prevalent Business Email Compromise (BEC) technique actively used by Scattered Spider, Storm-2372, and nation-state actors including Midnight Blizzard. The attacker sends a phishing message containing a Microsoft device code (a short alphanumeric code from https://microsoft.com/devicelogin), social-engineered to appear as an IT helpdesk request, MFA enrollment notification, or remote support session. When the victim enters the code, the attacker receives a valid OAuth access token and refresh token for the victim's Microsoft 365 account — with no password required. The attacker then has full access to email, Teams, SharePoint, OneDrive, and any M365 service the victim is licensed for. Refresh tokens may persist for 90 days, providing long-term access even after password reset. This technique bypasses MFA entirely because the device code flow is a legitimate Microsoft authentication mechanism.

MITRE ATT&CK

Tactic: Credential Access, Collection

LogScale Detection Query (CQL)

// BEC: OAuth Device Code Flow Phishing Detection
// Covers: device code sign-ins from suspicious agents + inbox rule forwarding follow-on
// LogScale has no UNION operator, so the two branches are expressed as a case{} statement that
// labels matching events with ThreatType; a single groupBy then summarises both branches per user.

#repo=base_activity
| case {
    // Branch 1: Device code authentication with suspicious user agent or unexpected location
    in(field="EventType", values=["UserLoggedIn", "AzureADSignIn"])
    AND (AuthenticationProtocol = "deviceCode" OR TokenIssuerType = "AzureAD")
    AND (
      UserAgent = /(?i)(python-requests|curl|wget|Go-http-client|okhttp|axios)/
      OR (AuthenticationDetails = /(?i)deviceCode/ AND Location != /(?i)^(GB|US)/)
    )
    | ThreatType := "DeviceCode_BEC_Phishing"
    | rename(field=IPAddress, as=SrcIP);

    // Branch 2: Inbox forwarding/deletion rules created post-compromise
    EventSource = "O365"
    AND in(field="Operation", values=["New-InboxRule", "Set-InboxRule", "Set-Mailbox"])
    AND Parameters = /(?i)(ForwardTo|DeleteMessage|RedirectTo|ForwardAsAttachmentTo|MoveToFolder)/
    AND Parameters != /(?i)Junk Email/
    | ThreatType := "BEC_InboxRule_Forwarding"
    | rename(field=ClientIP, as=SrcIP);
  }
| ThreatActors := "Scattered Spider, Storm-2372, Midnight Blizzard"
| groupBy(
    [ThreatType, UserId, SrcIP],
    function=[
      count(as=Events),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen),
      collect([UserAgent, Location, AppDisplayName, Operation, Parameters])
    ]
  )
| sort(Events, order=desc)
Severity: critical. Confidence: high.

CrowdStrike LogScale CQL detection for OAuth Device Code Flow BEC phishing, split into two correlated branches: (1) device code authentication events from scripting/automation user agents or logins from unexpected geographic locations, and (2) inbox rule creation with forwarding, redirection, or deletion parameters indicating post-compromise email exfiltration setup. Results are grouped by user to surface high-frequency activity.
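To check the two-branch logic offline before deploying it, here is an added example (not code from the page or from CrowdStrike) that applies the same filters to a handful of constructed M365/Azure AD events using the field names the query relies on; the sample events, user names and IPs are all made up.

```python
import re
from collections import defaultdict

# Regexes mirror the filters in the LogScale query: scripted user agents (branch 1),
# forwarding/deletion rule parameters (branch 2, with Junk Email rules excluded as benign).
SCRIPTED_UA = re.compile(r"(python-requests|curl|wget|Go-http-client|okhttp|axios)", re.I)
RULE_PARAMS = re.compile(r"(ForwardTo|DeleteMessage|RedirectTo|ForwardAsAttachmentTo|MoveToFolder)", re.I)
JUNK_RULE = re.compile(r"Junk Email", re.I)
EXPECTED_GEO = re.compile(r"^(GB|US)", re.I)   # baseline countries; tune to your estate

def classify(event):
    """Return the ThreatType label the query would assign, or None if the event is benign."""
    if event.get("EventType") in ("UserLoggedIn", "AzureADSignIn"):
        device_code = (event.get("AuthenticationProtocol") == "deviceCode"
                       or event.get("TokenIssuerType") == "AzureAD")
        scripted_ua = bool(SCRIPTED_UA.search(event.get("UserAgent", "")))
        unexpected_geo = ("devicecode" in event.get("AuthenticationDetails", "").lower()
                          and not EXPECTED_GEO.match(event.get("Location", "")))
        if device_code and (scripted_ua or unexpected_geo):
            return "DeviceCode_BEC_Phishing"
    if (event.get("EventSource") == "O365"
            and event.get("Operation") in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")):
        params = event.get("Parameters", "")
        if RULE_PARAMS.search(params) and not JUNK_RULE.search(params):
            return "BEC_InboxRule_Forwarding"
    return None

def summarise(events):
    """Count hits per (ThreatType, UserId), like the query's groupBy; a user appearing under
    both labels is the strongest signal: device code sign-in followed by a forwarding rule."""
    hits = defaultdict(int)
    for ev in events:
        label = classify(ev)
        if label:
            hits[(label, ev["UserId"])] += 1
    return dict(hits)

# Constructed sample events (not real telemetry), shaped like the fields the query uses.
SAMPLE_EVENTS = [
    {"EventType": "AzureADSignIn", "UserId": "alice@example.com", "AuthenticationProtocol": "deviceCode",
     "UserAgent": "python-requests/2.31", "Location": "GB", "IPAddress": "203.0.113.10"},
    {"EventType": "AzureADSignIn", "UserId": "alice@example.com", "AuthenticationProtocol": "deviceCode",
     "AuthenticationDetails": "deviceCode", "UserAgent": "Mozilla/5.0", "Location": "NG"},
    {"EventType": "AzureADSignIn", "UserId": "bob@example.com", "AuthenticationProtocol": "deviceCode",
     "UserAgent": "Mozilla/5.0", "Location": "US"},  # benign: browser UA from an expected country
    {"EventSource": "O365", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": "ForwardTo=attacker@example.net;DeleteMessage=True", "ClientIP": "203.0.113.10"},
    {"EventSource": "O365", "Operation": "Set-InboxRule", "UserId": "bob@example.com",
     "Parameters": "MoveToFolder=Junk Email"},  # benign: junk-mail rule is excluded by the query
]
```

Running `summarise(SAMPLE_EVENTS)` flags alice under both labels and nothing for bob, which is the correlation the two branches are meant to surface.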

Data Sources

  • Microsoft 365 Management Activity Logs via CrowdStrike Falcon LogScale
  • Azure AD Sign-In Logs via Falcon LogScale

Required Tables

base_activity repository with O365 and AzureAD event sources ingested into Falcon LogScale

False Positives & Tuning

  • Developers or DevOps engineers using scripted device code flows for legitimate M365 API integration testing
  • Remote workers or travelers authenticating via device code from countries outside the expected baseline
  • Email migration tools or third-party platforms that create inbox rules during onboarding or data transfer workflows
  • Help desk staff configuring shared mailbox rules on behalf of users using automation scripts

Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: OAuth Device Code Flow Token Request (Simulated Phishing)

    Expected signal: Azure AD Sign-in logs record a DeviceCode flow initiation. When the user enters the code, AADSignInLogs records a successful authentication with AuthenticationProtocol=deviceCode.

  2. Test 2: Create BEC Inbox Forwarding Rule via Exchange Online PowerShell

    Expected signal: O365 Unified Audit Log records New-InboxRule operation with ForwardTo parameter for the authenticated user.
