Device code flow sign in on Tier0 account [RULE-1164]

This rule detects a sign-in to a Tier0 account that used the OAuth 2.0 device authorization grant (device code flow).

Rationale

This rule detects when device code flow authentication is used on Tier0 privileged accounts. Device code flow is a legitimate OAuth 2.0 grant (RFC 8628) designed for input-constrained devices such as TVs, CLI tools and IoT hardware, but it has become a primary vector for phishing attacks against high-privilege accounts. The reason is structural: the party that starts the flow and receives the tokens is not necessarily the party that types the code and authenticates.

In a device code phishing attack, the attacker starts the flow against the identity provider, receives a short-lived user code, and sends it to the victim inside a message or link (often disguised as a security alert, an IT support request, or a legitimate Microsoft notification). When the victim opens microsoft.com/devicelogin, enters the displayed code and signs in, the access and refresh tokens for that session are issued to the attacker's waiting client, not to the victim's device. The attacker never learns the victim's password, and MFA is not bypassed: the victim completes it on the attacker's behalf. Because the victim authenticates on a genuine Microsoft page, the usual phishing indicators (a lookalike domain, a fake credential form) are absent, which is why the sign-in itself has to be the signal.

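The detection described above, as an added example that is not part of the original rule or the Attic product: it runs over constructed sample records shaped like Microsoft Graph `signIn` objects (the `authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `ipAddress` and `status.errorCode` fields) and flags device code sign-ins by accounts in a hypothetical Tier0 set. The identities, IP addresses and the static Tier0 list are assumptions made for the example; in production the Tier0 set should be derived from privileged role assignments.

```python
import json
from typing import Any, Dict, Iterable, List, Set

# Constructed sample records, shaped like Microsoft Graph signIn objects.
# Identities, apps and addresses are invented for this example.
SAMPLE_SIGNINS: List[Dict[str, Any]] = json.loads("""
[
  {"id": "s1", "userPrincipalName": "admin-alice@contoso.example",
   "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
   "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
  {"id": "s2", "userPrincipalName": "bob@contoso.example",
   "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
   "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
  {"id": "s3", "userPrincipalName": "Admin-Alice@contoso.example",
   "authenticationProtocol": "oAuth2", "appDisplayName": "Azure Portal",
   "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
  {"id": "s4", "userPrincipalName": "admin-carol@contoso.example",
   "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
   "ipAddress": "203.0.113.11", "status": {"errorCode": 50126}}
]
""")

# Hypothetical Tier0 set for the example. In practice derive it from role
# assignments (Global Administrator, Privileged Role Administrator, ...).
TIER0_ACCOUNTS: Set[str] = {"admin-alice@contoso.example", "admin-carol@contoso.example"}


def is_device_code_signin(record: Dict[str, Any]) -> bool:
    """True when the sign-in used the OAuth 2.0 device authorization grant."""
    return record.get("authenticationProtocol") == "deviceCode"


def succeeded(record: Dict[str, Any]) -> bool:
    """Entra ID reports errorCode 0 for a successful sign-in."""
    return record.get("status", {}).get("errorCode", -1) == 0


def detect_tier0_device_code(records: Iterable[Dict[str, Any]],
                             tier0: Set[str],
                             include_failed: bool = False) -> List[Dict[str, Any]]:
    """Return one alert per device code sign-in by a Tier0 account.

    UPNs are compared case-insensitively because Entra ID treats them that way.
    Failed attempts are skipped by default; include_failed=True also surfaces
    attempts that did not complete, which can reveal a campaign in progress.
    """
    tier0_lc = {u.lower() for u in tier0}
    alerts: List[Dict[str, Any]] = []
    for rec in records:
        upn = (rec.get("userPrincipalName") or "").lower()
        if upn not in tier0_lc or not is_device_code_signin(rec):
            continue
        if not include_failed and not succeeded(rec):
            continue
        alerts.append({
            "rule": "RULE-1164",
            "signin_id": rec.get("id"),
            "user": upn,
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "success": succeeded(rec),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_tier0_device_code(SAMPLE_SIGNINS, TIER0_ACCOUNTS):
        print(json.dumps(alert))
```

Run against the sample set, only `s1` fires: `s2` is not Tier0, `s3` is a Tier0 account but used a normal OAuth 2.0 authorization code flow, and `s4` failed. The client app and source IP are carried into the alert because they are the first things an analyst needs to decide whether the sign-in is the admin's own CLI session or an attacker's client.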
Fix

An automated fix is available through Attic to mitigate the threat.

If the detected login is not legitimate and you want to mitigate the threat manually, we recommend taking the following actions, in this order:
  - Disable the account immediately, so that no new tokens can be issued to the attacker's client
  - Revoke all active sessions, which invalidates the refresh tokens the attacker obtained through the device code flow
  - Reset the password, so the account cannot simply be re-enabled and reused
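The three manual steps above map to three Microsoft Graph calls. The following is an added example, not Attic's own implementation: it builds the requests in the required order and executes them through an injectable `send` callable, so the sequence can be exercised offline with the recording stand-in included here. The Graph endpoints (`PATCH /users/{id}` with `accountEnabled`, `POST /users/{id}/revokeSignInSessions`, `PATCH /users/{id}` with `passwordProfile`) are the documented v1.0 endpoints; the `send` signature, the `recording_sender` helper and the user id are assumptions of the example, and obtaining an authenticated HTTP client with the required permissions is left to the caller.

```python
import secrets
import string
from typing import Any, Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# A sender takes (method, url, json_body) and returns the HTTP status code.
# Assumption of this example: the caller supplies an authenticated client.
Sender = Callable[[str, str, Optional[Dict[str, Any]]], int]
Request = Tuple[str, str, Optional[Dict[str, Any]]]


def random_password(length: int = 24) -> str:
    """Throwaway password for the reset; the user must change it at next sign-in."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_containment_requests(user_id: str, new_password: str) -> List[Request]:
    """The Graph calls behind the manual fix, in the order they must run.

    1. Disable the account so no new tokens can be issued.
    2. Revoke sign-in sessions, which invalidates refresh tokens held by the
       attacker's client (already-issued access tokens live until they expire).
    3. Reset the password so the account cannot be re-enabled and reused.
    """
    user_url = f"{GRAPH}/users/{user_id}"
    return [
        ("PATCH", user_url, {"accountEnabled": False}),
        ("POST", f"{user_url}/revokeSignInSessions", None),
        ("PATCH", user_url, {"passwordProfile": {
            "password": new_password,
            "forceChangePasswordNextSignIn": True}}),
    ]


def contain_account(user_id: str, send: Sender,
                    new_password: Optional[str] = None) -> List[Tuple[str, int]]:
    """Execute the containment sequence, stopping at the first failed step.

    Returns (url, status) for every step that ran. Stopping on failure is
    deliberate: the operator must see that the account is still live rather
    than a report that looks like a completed fix.
    """
    results: List[Tuple[str, int]] = []
    requests = build_containment_requests(user_id, new_password or random_password())
    for method, url, body in requests:
        status = send(method, url, body)
        results.append((url, status))
        if not 200 <= status < 300:
            raise RuntimeError(f"containment stopped at {method} {url}: HTTP {status}")
    return results


def recording_sender(log: List[Request], fail_at: Optional[int] = None) -> Sender:
    """Offline stand-in for an HTTP client (example helper, not a Graph SDK):
    records each request and answers 204, or 403 at step `fail_at`."""
    def send(method: str, url: str, body: Optional[Dict[str, Any]]) -> int:
        log.append((method, url, body))
        return 403 if fail_at is not None and len(log) == fail_at else 204
    return send


if __name__ == "__main__":
    calls: List[Request] = []
    user = "00000000-0000-0000-0000-000000000001"  # constructed object id
    for url, status in contain_account(user, recording_sender(calls)):
        print(status, url)
```

Resetting the password of a privileged account requires a correspondingly privileged caller (for example Global Administrator or Privileged Authentication Administrator); a service principal with ordinary user-management permissions will receive a 403 on the third step, which is exactly the situation the stop-on-failure behaviour is meant to make visible.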

Impact

After executing the fix, the targeted account is disabled and all of its current sessions are revoked. Revocation invalidates refresh tokens, so the attacker's client can no longer renew access; access tokens that were already issued remain usable until they expire (typically about an hour) unless the resource enforces Continuous Access Evaluation, which is why disabling the account is the first step rather than an afterthought.