Disclaimer: All research and opinions expressed here are my own and are independent of any employer or organisation.

Threat Hunt Repository

12 threat hunts with detection queries and analytics

hunt-2025-045

Device Code Auth Followed by FOCI Multi-Resource Burst

A device code phish succeeds when the victim completes authentication via the attacker's device code URL. Within minutes, the attacker silently exchanges the captured refresh token against multiple Microsoft resource endpoints using FOCI — generating a burst of non-interactive sign-ins from the same client_id. Correlating an interactive device code authentication in SigninLogs with a subsequent FOCI burst in AADNonInteractiveUserSignInLogs for the same user, within a short time window, closes the loop between the phish and the post-exploitation pivot. This two-event chain is a high-confidence signal for a completed device code token theft and immediate post-exploitation.

Techniques: T1528, T1550.001
Platforms: Entra ID, Azure
hunt-2025-044

FOCI Cross-Resource Token Pivot — Non-Interactive Sign-In Burst

Microsoft's Family of Client IDs (FOCI) allows a refresh token obtained via one first-party application to be exchanged for access tokens scoped to any other service in the family — Exchange, Teams, Azure Management, Key Vault, Office Management — without re-authenticating the user. After capturing a single device code token, an attacker can silently pivot to every Microsoft service the victim can access with a single API call per resource. This produces a burst of non-interactive sign-ins from the same client_id against multiple distinct resource endpoints within a short window — a pattern that does not occur in legitimate first-party application behaviour. FOCI-capable client IDs include Azure CLI (04b07795-8542-4bc9-aaaa-59d79c0a3df9), Azure PowerShell (1950a258-227b-4e31-a9cf-717495945fc2), and Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e).

Techniques: T1528, T1550.001
Platforms: Entra ID, Azure
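A hunt query that combines the two entries above (hunt-2025-045's device code to FOCI correlation and hunt-2025-044's multi-resource burst), written as an added example in Microsoft Sentinel KQL. It is not one of the repository's own queries; the 7-day lookback, 15-minute window and three-resource threshold are assumed starting points to tune per tenant.

```kql
// Assumed thresholds (not from the repository): tune per tenant.
let lookback = 7d;
let window = 15m;        // max gap between device code auth and the FOCI burst
let minResources = 3;    // distinct resources hit non-interactively in the window
// FOCI-capable client IDs listed in hunt-2025-044.
let fociClients = dynamic([
    "04b07795-8542-4bc9-aaaa-59d79c0a3df9",   // Azure CLI
    "1950a258-227b-4e31-a9cf-717495945fc2",   // Azure PowerShell
    "29d9ed98-a469-4536-ade2-f981bc1d605e"    // Microsoft Authentication Broker
]);
// Event 1: successful interactive device code authentications.
let deviceCodeAuths = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where toint(ResultType) == 0
    | where AuthenticationProtocol =~ "deviceCode"
    | project DcTime = TimeGenerated, UserPrincipalName,
              DcAppId = AppId, DcIp = IPAddress;
// Event 2: non-interactive sign-ins from a FOCI client for the same user,
// shortly after the device code auth, fanning out across many resources.
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(lookback)
| where toint(ResultType) == 0
| where AppId in (fociClients)
| join kind=inner deviceCodeAuths on UserPrincipalName
| where TimeGenerated between (DcTime .. (DcTime + window))
// Uncomment to require the pivot to use the same client_id as the phish:
// | where AppId == DcAppId
| summarize
    Resources = make_set(ResourceDisplayName),
    ResourceCount = dcount(ResourceDisplayName),
    FirstPivot = min(TimeGenerated),
    LastPivot = max(TimeGenerated),
    PivotIps = make_set(IPAddress)
  by UserPrincipalName, AppId, DcTime, DcAppId, DcIp
| where ResourceCount >= minResources
| extend SecondsToFirstPivot = datetime_diff("second", FirstPivot, DcTime)
| project-reorder UserPrincipalName, DcTime, SecondsToFirstPivot, ResourceCount, Resources
| order by ResourceCount desc, SecondsToFirstPivot asc
```

A device code IP (DcIp) that differs from the pivot IPs is a useful triage field, since the victim completes the flow from their own network while the token is replayed from the attacker's.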
hunt-2025-042

General Device Code Authentication Visibility

Device code authentication is a legitimate OAuth 2.0 flow designed for input-constrained devices such as IoT hardware and meeting room equipment. Because the flow only requires a user to enter a short code into any browser, threat actors abuse it to phish access tokens without needing to capture credentials. Surfacing all device code authentication events, enriched with device compliance and risk context, provides the baseline visibility needed to detect abuse.

Techniques: T1528, T1078.004
Platforms: Entra ID, Azure
hunt-2025-043

First-Time Device Code Authentication — No Prior Protocol History

A user authenticating via device code for the first time — with no history of the protocol over the preceding 30 days — is a strong behavioural indicator of phishing. Legitimate device code usage is rare in most enterprises and tends to be associated with specific roles or devices. An unexpected first use of the protocol by a regular user is highly suspicious and warrants immediate triage.

Techniques: T1528, T1566.002
Platforms: Entra ID, Azure