Token Theft - Refresh Token Replay from New Location
01 Token Theft Refresh Token Replay New Location
Query
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| sort by UserPrincipalName asc, AppId asc, TimeGenerated asc
| extend PrevIP = prev(IPAddress, 1)
| extend PrevCountry = prev(Location, 1)
| extend PrevTime = prev(TimeGenerated, 1)
| extend PrevUser = prev(UserPrincipalName, 1)
| extend PrevApp = prev(AppId, 1)
| where UserPrincipalName == PrevUser
and AppId == PrevApp
and IPAddress != PrevIP
and Location != PrevCountry
and (TimeGenerated - PrevTime) < 30m
| project
TimeGenerated,
PrevTokenTime = PrevTime,
UserPrincipalName,
AppDisplayName,
CurrentIP = IPAddress,
CurrentCountry = Location,
PreviousIP = PrevIP,
PreviousCountry = PrevCountry,
TimeBetweenTokens = (TimeGenerated - PrevTime),
CorrelationId,
UniqueTokenIdentifier
| order by TimeGenerated descExplanation
This query is designed to detect suspicious activity related to OAuth token refreshes, which could indicate a security breach. Here's a simple breakdown of what it does:
-
Purpose: The query identifies instances where the same user refreshes an OAuth token from a different IP address and country within a 30-minute window. This behavior is a strong indicator of potential token theft or a "pass-the-cookie" attack, where an attacker uses a stolen refresh token from a different location.
-
Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-ins.
-
Detection Logic:
- It looks at sign-in logs from the past hour.
- It filters for successful sign-ins (ResultType == 0).
- It checks for cases where the same user and application ID have different IP addresses and countries for consecutive token refreshes within 30 minutes.
-
Output: The query outputs details such as the time of the token refresh, the user's name, the application used, the current and previous IP addresses and countries, and the time difference between the token refreshes.
-
Alerting: If such activity is detected, it triggers an alert with a high severity level, indicating potential credential access or lateral movement tactics. The alert includes details about the user and the suspicious activity.
-
Incident Management: The system is configured to create incidents based on these alerts, grouping them by user account for better incident management.
In summary, this query helps identify and alert on potential security incidents involving the misuse of OAuth tokens from different locations, which could signify unauthorized access attempts.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h