M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

Status: production
Severity: high
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects Microsoft 365 audit "UserLoggedIn" events consistent with Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting access where the object identifier matches Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer tooling before tuning.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1566` Phishing
Credential Access	`T1539` Steal Web Session Cookie

Event coverage

Provider	Event
M365-AzureActiveDirectory	UserLoggedIn

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body elastic

[metadata]
creation_date = "2026/05/14"
integration = ["o365"]
maturity = "production"
updated_date = "2026/05/14"

[rule]
author = ["Elastic"]
description = """
Detects Microsoft 365 audit "UserLoggedIn" events consistent with Tycoon 2FA phishing-as-a-service (PhaaS)
adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting access where the object
identifier matches Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself,
combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and
capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer
tooling before tuning.
"""
false_positives = [
    """
    Legitimate Node.js or undici-based automation, health checks, or internal services that use the Microsoft
    Authentication Broker or the same first-party application IDs against Graph or Exchange may match. Developers using
    axios or undici with delegated flows can also resemble this pattern.
    """,
]
from = "now-9m"
index = ["logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)"
note = """## Triage and analysis

### Investigating M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

Review `o365.audit.UserId`, `user_agent.original`, `source.ip` or `o365.audit.ActorIpAddress`, and related Entra ID
sign-in logs (`azure.signinlogs`) for the same session or time window.

Confirm whether the account owner intentionally authenticated and whether Node.js-style user agents (node, axios, undici)
are expected for Microsoft Authentication Broker or Office web client flows in your environment.

### Possible investigation steps

- Correlate with `azure.signinlogs` for matching user principal name, IP, and session identifiers.
- Review Microsoft Graph or Exchange audit activity following the login for mailbox or data access anomalies.
- Hunt for other `UserLoggedIn` events from the same source with unusual user agents or rapid OAuth patterns.

### Response and remediation

- If malicious, revoke refresh tokens for the user, reset credentials per policy, and review conditional access outcomes.
- Block or monitor the source IP and escalate per incident procedures.
"""
references = ["https://any.run/malware-trends/tycoon/"]
risk_score = 73
rule_id = "275b972d-2fed-44fc-9214-08603b3318e3"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Threat: Tycoon2FA",
    "Tactic: Initial Access",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"o365.audit" and event.category:"authentication" and event.action:"UserLoggedIn" and
(
    (
        o365.audit.ApplicationId:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
        o365.audit.ObjectId:(
            "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000"
        )
    ) or
    (
        o365.audit.ApplicationId:"4765445b-32c6-49b0-83e6-1d93765276ca" and
        o365.audit.ObjectId:"4765445b-32c6-49b0-83e6-1d93765276ca"
    )
) and user_agent.original:(node or axios* or undici)
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "o365.audit.UserId",
    "user_agent.original",
    "source.ip",
    "o365.audit.ActorIpAddress",
    "source.geo.country_name",
    "event.outcome",
    "o365.audit.ApplicationId",
    "o365.audit.ObjectId",
    "o365.audit.ExtendedProperties.RequestType",
    "event.provider",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

Stages and Predicates

Stage 1: `query`

data_stream.dataset:"o365.audit" and event.category:"authentication" and event.action:"UserLoggedIn" and
(
    (
        o365.audit.ApplicationId:"29d9ed98-a469-4536-ade2-f981bc1d605e" and
        o365.audit.ObjectId:(
            "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000"
        )
    ) or
    (
        o365.audit.ApplicationId:"4765445b-32c6-49b0-83e6-1d93765276ca" and
        o365.audit.ObjectId:"4765445b-32c6-49b0-83e6-1d93765276ca"
    )
) and user_agent.original:(node or axios* or undici)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data_stream.dataset`	eq	`o365.audit`
`event.action`	eq	`UserLoggedIn`
`event.category`	eq	`authentication`
`o365.audit.ApplicationId`	eq	`29d9ed98-a469-4536-ade2-f981bc1d605e` `4765445b-32c6-49b0-83e6-1d93765276ca`
`o365.audit.ObjectId`	eq	`4765445b-32c6-49b0-83e6-1d93765276ca`
`o365.audit.ObjectId`	in	`00000002-0000-0ff1-ce00-000000000000` `00000003-0000-0000-c000-000000000000`
`user_agent.original`	eq	`node` `undici`
`user_agent.original`	wildcard	`axios*`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `query`

Indicators

Keyboard shortcuts

Search operators

M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: query

Indicators

Stage 1: `query`