Query Details

05 Device Code Flow Abuse

Query

id: e0f6a8b9-c4d5-7e1f-2a3b-4c5d6e7f8a9b
name: Device Code Flow Authentication Abuse
version: 1.0.0
kind: Scheduled
description: |
  Detects non-interactive sign-ins using device code flow authentication protocol.
  Device code flow is commonly abused in phishing attacks where a user is tricked into
  entering a device code on a legitimate Microsoft page. The attacker redeems the code
  and obtains a long-lived refresh token that enables silent authentication indefinitely.
  Any use of device code flow should be reviewed unless explicitly expected.
  MITRE ATT&CK: T1528 (Steal Application Access Token), T1566 (Phishing)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1528
  - T1566
query: |
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(1h)
  | where AuthenticationProtocol == "deviceCode"
      or ClientAppUsed has_any ("device code", "device_code", "Device Code")
  | summarize
      Count     = count(),
      IPs       = make_set(IPAddress),
      Countries = make_set(Location),
      Apps      = make_set(AppDisplayName),
      FirstSeen = min(TimeGenerated),
      LastSeen  = max(TimeGenerated)
    by UserPrincipalName
  | extend IPAddress = tostring(IPs[0])
  | order by Count desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  SignInCount: Count
  Countries: Countries
  Apps: Apps
alertDetailsOverride:
  alertDisplayNameFormat: "Device Code Flow Detected for {{UserPrincipalName}}"
  alertDescriptionFormat: "User {{UserPrincipalName}} had {{Count}} device code flow non-interactive sign-ins. This protocol is abused in phishing attacks to obtain long-lived refresh tokens."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect suspicious sign-ins using the "device code flow" authentication protocol, which is often exploited in phishing attacks. Here's a simple breakdown:

  • Purpose: It identifies non-interactive sign-ins that use the device code flow, which attackers abuse in phishing to obtain a refresh token for the victim's account.
  • Severity: The alert is marked as high severity because a redeemed device code yields a long-lived refresh token that keeps working silently.
  • Data Source: It uses logs from Azure Active Directory, specifically the non-interactive user sign-in logs (AADNonInteractiveUserSignInLogs).
  • Frequency: The query runs every hour and looks at data from the past hour.
  • Detection Logic:
    • It filters sign-in logs to entries where AuthenticationProtocol is "deviceCode", or where ClientAppUsed contains one of the device code markers listed in the has_any clause.
    • It then summarizes per user: the number of matching sign-ins, the distinct IP addresses, countries, and applications involved, and the first and last times the activity was seen.
    • The first IP in the set is copied into an IPAddress column so it can be mapped to an IP entity; the results are sorted by the number of occurrences.
  • Alerting:
    • Because triggerThreshold is 0, a single matching sign-in is enough to raise an alert with the user and the sign-in count.
    • The alert text notes that this protocol is abused in phishing attacks to obtain long-lived refresh tokens.
  • Incident Management:
    • An incident is created for each alert, and alerts for the same user account are grouped over a five-hour lookback so that repeated sign-ins land in one incident.

Overall, this query helps security teams monitor and respond to potential phishing attacks that exploit the device code flow authentication method.
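To see how the rule's filter and summarize steps behave before deploying it, here is an added Python model of that logic run over a few constructed rows shaped like AADNonInteractiveUserSignInLogs (example code, not part of the rule; the column names follow the query, the sample rows and the substring approximation of has_any are assumptions):

```python
"""Offline model of the rule's where/summarize logic over constructed sign-in rows."""
from collections import defaultdict

# Constructed sample rows shaped like AADNonInteractiveUserSignInLogs (not real data).
SAMPLE_LOGS = [
    {"TimeGenerated": "2026-05-29T10:01:00Z", "UserPrincipalName": "alice@example.com",
     "AuthenticationProtocol": "deviceCode", "ClientAppUsed": "Mobile Apps and Desktop clients",
     "IPAddress": "203.0.113.10", "Location": "US", "AppDisplayName": "Microsoft Office"},
    {"TimeGenerated": "2026-05-29T10:05:00Z", "UserPrincipalName": "alice@example.com",
     "AuthenticationProtocol": "deviceCode", "ClientAppUsed": "Mobile Apps and Desktop clients",
     "IPAddress": "198.51.100.7", "Location": "NL", "AppDisplayName": "Microsoft Graph Command Line Tools"},
    {"TimeGenerated": "2026-05-29T10:07:00Z", "UserPrincipalName": "bob@example.com",
     "AuthenticationProtocol": "none", "ClientAppUsed": "Browser",
     "IPAddress": "203.0.113.20", "Location": "US", "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2026-05-29T10:09:00Z", "UserPrincipalName": "carol@example.com",
     "AuthenticationProtocol": "none", "ClientAppUsed": "Device Code client",
     "IPAddress": "203.0.113.30", "Location": "US", "AppDisplayName": "Azure CLI"},
]

# Markers from the rule's has_any clause; KQL `has` is case-insensitive, so one lowercase list suffices.
DEVICE_CODE_MARKERS = ("device code", "device_code")

def is_device_code(row):
    """Mirror of the where clause: protocol match, or a marker in ClientAppUsed (substring approximation)."""
    if row.get("AuthenticationProtocol") == "deviceCode":
        return True
    client = row.get("ClientAppUsed", "").lower()
    return any(marker in client for marker in DEVICE_CODE_MARKERS)

def summarize_device_code(rows):
    """Mirror of `summarize ... by UserPrincipalName | order by Count desc`."""
    groups = defaultdict(list)
    for row in rows:
        if is_device_code(row):
            groups[row["UserPrincipalName"]].append(row)
    results = []
    for upn, hits in groups.items():
        results.append({
            "UserPrincipalName": upn,
            "Count": len(hits),
            "IPs": sorted({h["IPAddress"] for h in hits}),        # make_set; sorted here for determinism
            "Countries": sorted({h["Location"] for h in hits}),
            "Apps": sorted({h["AppDisplayName"] for h in hits}),
            "FirstSeen": min(h["TimeGenerated"] for h in hits),
            "LastSeen": max(h["TimeGenerated"] for h in hits),
        })
    return sorted(results, key=lambda r: r["Count"], reverse=True)

if __name__ == "__main__":
    for result in summarize_device_code(SAMPLE_LOGS):
        print(result)
```

Note that make_set in KQL does not guarantee element order, so the IPAddress entity taken from IPs[0] may not be the first IP seen; during triage look at the full IPs and Countries sets rather than the single mapped address.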

Details


David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

Device, Authentication, Protocol, Microsoft, Token, Phishing, User, Account, IP Address, Location, App Name, Time

Operators

where, or, has_any, summarize, count, make_set, min, max, by, extend, tostring, order by, desc
