title: Application Access Token (T1550.001)
id: df00tech-t1550-001
status: experimental
description: "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud and SaaS environments. Stolen OAuth tokens can grant long-term access to resources — including email, files, and cloud infrastructure — without requiring the original user credentials. Token-based API access bypasses MFA controls entirely and may persist even after password resets, since token validity is independent of the user's password. Adversaries exploit this in Microsoft 365 environments via OAuth phishing (APT28, HAFNIUM), in AWS via STS federation token generation, and in Kubernetes via stolen service account tokens (Peirates)."
references:
  - https://attack.mitre.org/techniques/T1550/001/
  - https://df00tech.com/detections/T1550.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1550.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate service accounts and automation scripts that use OAuth tokens for scheduled integrations, ETL pipelines, or Power Automate flows accessing Microsoft Graph"
  - "CI/CD pipelines using service principals with delegated user permissions to deploy code, publish packages, or access Azure DevOps resources"
  - "Monitoring tools and SIEM connectors (Defender for Cloud Apps, Entra ID Protection, third-party SIEM add-ons) that repeatedly authenticate to Microsoft Graph for log collection at high volume"
  - "Third-party SaaS applications with broad OAuth permissions legitimately granted by IT administrators — e.g., backup solutions, email security gateways, eDiscovery tools"
level: high