Detect Business Email Compromise via OAuth Device Code Flow Phishing in Splunk
OAuth Device Code Flow phishing is a prevalent Business Email Compromise (BEC) technique actively used by Scattered Spider, Storm-2372, and nation-state actors including Midnight Blizzard. The attacker sends a phishing message containing a Microsoft device code (a short alphanumeric code from https://microsoft.com/devicelogin), social-engineered to appear as an IT helpdesk request, MFA enrollment notification, or remote support session. When the victim enters the code, the attacker receives a valid OAuth access token and refresh token for the victim's Microsoft 365 account — with no password required. The attacker then has full access to email, Teams, SharePoint, OneDrive, and any M365 service the victim is licensed for. Refresh tokens may persist for 90 days, providing long-term access even after password reset. This technique bypasses MFA entirely because the device code flow is a legitimate Microsoft authentication mechanism.
MITRE ATT&CK
- Tactic
- Credential Access Collection
SPL Detection Query
index=o365 sourcetype="o365:management:activity"
(
(Operation="UserLoggedIn" AND AuthenticationDetails="*deviceCode*")
OR Operation IN ("New-InboxRule", "Set-InboxRule")
)
| eval device_code=if(Operation="UserLoggedIn" AND match(AuthenticationDetails, "(?i)deviceCode"), "true", "false")
| eval inbox_rule_fwd=if(
Operation IN ("New-InboxRule", "Set-InboxRule") AND
match(Parameters, "(?i)(ForwardTo|DeleteMessage|RedirectTo|ForwardAsAttachmentTo)"),
"true", "false"
)
| where device_code="true" OR inbox_rule_fwd="true"
| stats
count AS Events,
values(Operation) AS Operations,
values(ClientIP) AS IPs,
values(AuthenticationDetails) AS AuthDetails,
values(Parameters) AS RuleParams
BY UserId, _time span=4h
| where mvcount(Operations) > 1 OR inbox_rule_fwd="true"
| eval ThreatType="BEC_DeviceCode_OAuthPhishing"
| eval ThreatActors="Scattered Spider, Storm-2372, Midnight Blizzard"
| sort - EventsSPL detection for OAuth device code BEC phishing in Microsoft 365 O365 audit logs. Correlates device code authentication events with subsequent inbox rule creation within a 4-hour window — the classic attacker workflow of token theft followed by email forwarding rule setup for BEC financial fraud.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Users legitimately enrolling new devices via device code flow, then creating organisational inbox rules in the same session
- Shared mailbox configuration by IT administrators using device code flow
- Mail flow rules created by Exchange Online administrators (these appear as user inbox rules in some log configurations)
Other platforms for THREAT-BEC-OAuthDeviceCode
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1OAuth Device Code Flow Token Request (Simulated Phishing)
Expected signal: Azure AD Sign-in logs record a DeviceCode flow initiation. When user enters the code, AADSignInLogs records a successful authentication with AuthenticationProtocol=deviceCode.
- Test 2Create BEC Inbox Forwarding Rule via Exchange Online PowerShell
Expected signal: O365 Unified Audit Log records New-InboxRule operation with ForwardTo parameter for the authenticated user.
References (6)
- https://www.microsoft.com/en-us/security/blog/2024/08/08/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
- https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/
- https://www.ncsc.gov.uk/collection/phishing-attacks/phishing-techniques/oauth-phishing
- https://attack.mitre.org/techniques/T1528/
- https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication
- https://github.com/dafthack/TokenTactics
Unlock Pro Content
Get the full detection package for THREAT-BEC-OAuthDeviceCode including response playbook, investigation guide, and atomic red team tests.