hunt-2025-036
v1.0
by Paul Newton
Unbound Token Usage from High-Risk Apps
Platform
Entra
Data Sources
AADNonInteractiveUserSignInLogs
MicrosoftGraphActivityLogs
Related Blog Post
Read the full blog post about this hunt →
MITRE ATT&CK
Tactics
Defense Evasion
Techniques
Threat Actors
APT29/CozyBear/MidnightBlizzard
Tags
#entra
#cloud
#identity
#oauth
Hunt Hypothesis
Threat actors use token theft as a means of initial access, privilege escalation and persistence. Tokens that are poorly secured by third-party applications increase the risk of token theft and replay.
Unbound Token Usage from High-Risk Apps
Analytic #1
This analytic looks for non-interactive authentication sessions whose token protection status is unbound. It narrows those to authentications against specific high-risk Microsoft resources (Microsoft Graph, Exchange Online, SharePoint Online) where the recorded "browser" matches a list of scripting and API clients (Python, curl, PostmanRuntime).
Detection Queries
KQL
AADNonInteractiveUserSignInLogs
| extend TokenProtection = parse_json(TokenProtectionStatusDetails)
| extend SessionStatus = tostring(TokenProtection.signInSessionStatus)
| where SessionStatus == "unbound"
| where ResourceDisplayName in ("Microsoft Graph", "Office 365 Exchange Online", "Office 365 SharePoint Online")
| extend
    DeviceDetailParsed = parse_json(DeviceDetail),
    LocationDetailParsed = parse_json(LocationDetails)
| extend
    Browser = tostring(DeviceDetailParsed.browser),
    DeviceId = tostring(DeviceDetailParsed.deviceId),
    Location = tostring(LocationDetailParsed.countryOrRegion)
| where Browser contains "Python" or Browser contains "curl" or Browser contains "PostmanRuntime"
| project
    TimeGenerated,
    UserDisplayName,
    AppDisplayName,
    ResourceDisplayName,
    IPAddress,
    Location,
    Browser,
    DeviceId,
    IncomingTokenType,
    SessionStatus
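The same parse, filter and project stages as the KQL above, run offline over constructed sample rows so the logic can be checked without a workspace. This is an added example, not part of the original hunt; the sample rows, their values and the IP address are constructed, and the field names follow the columns the query reads. Note that KQL `contains` is case-insensitive, which the browser check reproduces.

```python
import json

# Filters taken from the KQL analytic above. KQL 'contains' is case-insensitive, so
# the browser markers are matched against a lower-cased user agent string.
HIGH_RISK_RESOURCES = {"Microsoft Graph", "Office 365 Exchange Online",
                       "Office 365 SharePoint Online"}
SUSPECT_BROWSERS = ("python", "curl", "postmanruntime")

def project(row):
    """Mirror the KQL parse_json/extend/project stages for one raw log row."""
    dyn = lambda f: json.loads(row.get(f) or "{}")  # parse_json(): dynamic columns arrive as JSON text
    device, location, token = dyn("DeviceDetail"), dyn("LocationDetails"), dyn("TokenProtectionStatusDetails")
    keep = ("TimeGenerated", "UserDisplayName", "AppDisplayName", "ResourceDisplayName",
            "IPAddress", "IncomingTokenType")
    event = {k: row.get(k, "") for k in keep}
    event.update(Location=location.get("countryOrRegion", ""), Browser=device.get("browser", ""),
                 DeviceId=device.get("deviceId", ""),
                 SessionStatus=token.get("signInSessionStatus", ""))
    return event

def matches(event):
    """Apply the three 'where' clauses: unbound session, high-risk resource, scripted client."""
    return (event["SessionStatus"] == "unbound"
            and event["ResourceDisplayName"] in HIGH_RISK_RESOURCES
            and any(m in event["Browser"].lower() for m in SUSPECT_BROWSERS))

def hunt(rows):
    """Return the projected events that the analytic would surface."""
    return [e for e in map(project, rows) if matches(e)]

def sample_row(app, resource, browser, status, device_id=""):
    """Constructed sample row shaped like AADNonInteractiveUserSignInLogs (not real telemetry)."""
    return {"TimeGenerated": "2025-06-12T18:40:37Z", "UserDisplayName": "Hunter",
            "AppDisplayName": app, "ResourceDisplayName": resource,
            "IPAddress": "192.0.2.10", "IncomingTokenType": "refreshToken",
            "TokenProtectionStatusDetails": json.dumps({"signInSessionStatus": status}),
            "DeviceDetail": json.dumps({"browser": browser, "deviceId": device_id}),
            "LocationDetails": json.dumps({"countryOrRegion": "AZ"})}

SAMPLE_ROWS = [
    sample_row("TruffleHog Test App", "Microsoft Graph", "Python Requests 2.31", "unbound"),  # hit
    sample_row("TruffleHog Test App", "Microsoft Graph", "Python Requests 2.31", "bound", "dev-01"),  # bound
    sample_row("Outlook", "Office 365 Exchange Online", "Edge 124.0.0", "unbound"),  # interactive client
    sample_row("Ops Script", "Azure Key Vault", "curl/8.5.0", "unbound"),  # resource not in scope
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ROWS):
        print(hit["AppDisplayName"], hit["Browser"], hit["IPAddress"], hit["SessionStatus"])
```

Only the first sample row survives all three filters; the bound session, the interactive browser and the out-of-scope resource are each dropped by a different clause.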
Triage Steps
- Verify the token session status is truly unbound and not protected
- Review the browser/UserAgent field - Python, curl, or PostmanRuntime may indicate automated tools
- Investigate why the application is authenticating with unbound tokens
- Check if the application has the offline_access permission scope
- Review what Microsoft resources were accessed (Graph, Exchange, SharePoint)
- Verify if the application is authorized and has legitimate business use
- Check if there are other authentications from the same app with similar patterns
- Recommend implementing token protection policies if the app supports it
True Positive Example
Log Entry:
{
  "TimeGenerated": "06/12/2025, 18:40:37.848",
  "UserDisplayName": "Hunter",
  "AppDisplayName": "TruffleHog Test App",
  "ResourceDisplayName": "Microsoft Graph",
  "IPAddress": "79.135.105.18",
  "Location": "AZ",
  "Browser": "Python Requests 2.31",
  "DeviceId": "",
  "IncomingTokenType": "refreshToken",
  "SessionStatus": "unbound"
}
Analysis:
An unbound token is being used by a Python automation tool to access Microsoft Graph. The lack of device binding (empty DeviceId) combined with a non-standard browser string indicates potential token replay from an attacker-controlled system.