Microsoft 365: Phishing to Tenant Admin, Full Attack Chain and Detection Guide

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The Microsoft 365 tenant admin attack chain has become the gold standard for business email compromise and ransomware precursor activity. Attackers no longer need to crack passwords or bypass MFA, they use adversary-in-the-middle (AiTM) phishing proxies to steal post-authentication session cookies, then escalate from a standard user to Global Administrator through a sequence of legitimate Microsoft Graph API calls. Understanding every step of this chain is the only way to build detections that can interrupt it before the attacker reaches the crown jewels.
The Full Attack Chain: 7 Stages
This is the canonical AiTM-to-tenant-admin path observed across multiple APT campaigns and financially motivated threat groups including Storm-1167, Scattered Spider, and UNC3944.
AiTM Phishing, Cookie Theft
Attacker deploys an EvilGinx2 or Modlishka proxy in front of login.microsoftonline.com. Victim receives a phishing email with a link to a lookalike domain. Victim authenticates normally including MFA. The proxy forwards the session cookie to the attacker in real time. The victim sees a successful login.
Cookie Replay, Initial Access
Attacker replays the stolen session cookie from a residential proxy IP to bypass conditional access policies that check for known-bad IP ranges. The attacker is now authenticated as the victim with full browser session context. This happens within seconds of the victim completing MFA.
OAuth App Registration
Attacker registers a new enterprise application in Entra ID via the Azure portal or Microsoft Graph API. They grant it RoleManagement.ReadWrite.Directory and AppRoleAssignment.ReadWrite.All application permissions and self-consent as Global Administrator. This creates a persistent backdoor that survives password reset and MFA enforcement changes.
Privilege Escalation via Role Assignment
Using the newly registered app's service principal credentials, the attacker calls POST /v1.0/roleManagement/directory/roleAssignments to assign Global Administrator to an attacker-controlled account, typically a newly created guest user or compromised external identity.
Persistence, Backdoor MFA Method
Attacker adds a FIDO2 hardware key, phone number, or authenticator app to the target account's MFA methods. Even if the victim resets their password and original MFA, the attacker-added method remains active.
Data Access and Exfiltration
From Global Admin, the attacker accesses Exchange via Graph API: GET /v1.0/users/{targetUser}/messages?$top=999. They also access SharePoint and OneDrive files. Bulk download via GET /v1.0/drives/{driveId}/root/children?$top=200.
Defense Impairment
Attacker disables Defender for Office 365 policies, creates mail transport rules forwarding all incoming mail externally, disables audit logging via Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false, and removes conditional access policies.
Detection Rules, Microsoft Sentinel KQL
These KQL queries target the highest-signal behaviors at each stage of the attack chain. Tune threshold values for your environment.
Stage 1-2: AiTM session replay detection
KQL: SigninLogs | where TimeGenerated > ago(1h) | summarize IPs=make_set(IPAddress), Countries=make_set(LocationDetails.countryOrRegion) by UserPrincipalName, CorrelationId | where array_length(IPs) > 1 and array_length(Countries) > 1 | project UserPrincipalName, IPs, Countries, CorrelationId. Same session from 2+ IPs or countries within 1 hour is the AiTM cookie replay signature.
Stage 3: New app registration with dangerous permissions
KQL: AuditLogs | where OperationName == "Add application" or OperationName == "Add delegated permission grant" | extend AppName = tostring(TargetResources[0].displayName) | extend GrantedPermissions = tostring(AdditionalDetails) | where GrantedPermissions contains_any ("RoleManagement.ReadWrite", "AppRoleAssignment.ReadWrite", "Directory.ReadWrite") | project TimeGenerated, InitiatedBy, AppName, GrantedPermissions.
Stage 4: Privileged role assignment
KQL: AuditLogs | where OperationName == "Add member to role" | extend AssignedRole = tostring(TargetResources[0].displayName) | where AssignedRole in ("Global Administrator", "Privileged Role Administrator", "Application Administrator", "Authentication Administrator") | project TimeGenerated, InitiatedBy, AssignedRole, TargetResources[1].userPrincipalName. Any assignment to these roles outside your standard IAM workflow should page on-call immediately.
Stage 5: MFA method added to privileged account
KQL: AuditLogs | where OperationName contains "Add authentication method" | extend TargetUser = tostring(TargetResources[0].userPrincipalName) | join kind=inner (IdentityInfo | where AssignedRoles contains "Global Administrator") on $left.TargetUser == $right.AccountUPN | project TimeGenerated, TargetUser, InitiatedBy, OperationName. MFA method addition to any Global Admin by anyone other than the account owner or IT admin is critical.
Stage 7: Audit log tampering
KQL: OfficeActivity | where Operation == "Set-AdminAuditLogConfig" | extend Parameters = parse_json(Parameters) | where Parameters has "UnifiedAuditLogIngestionEnabled" and Parameters has "False" | project TimeGenerated, UserId, Parameters, ClientIP. Disabling audit logs should be treated as an active incident regardless of context.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Preventive Controls, Before the Chain Starts
Detection is valuable but the goal is to break the chain before Stage 4. These preventive controls have the highest ROI.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Incident Response Playbook for AiTM Compromise
If you detect Stage 1-2 indicators, move immediately, the window before Stage 4 can be minutes.
T+0: Immediately revoke all sessions
Microsoft Graph: POST /v1.0/users/{id}/revokeSignInSessions. Entra portal: User > Revoke sessions. Follow with a forced password reset via PATCH /v1.0/users/{id} with {"passwordProfile": {"forceChangePasswordNextSignIn": true}}.
T+5 min: Audit app registrations
Check for apps registered in the last 24 hours: AuditLogs | where OperationName == 'Add application' and TimeGenerated > ago(24h). Disable any suspicious apps immediately. Review all admin consent grants for those apps.
T+10 min: Check role assignments
Export all current Global Administrator assignments. Compare against your known admin roster. Any account not on the approved list should be immediately removed and the account disabled.
T+15 min: Review MFA methods for all admins
For every privileged account: GET /v1.0/users/{id}/authentication/methods. Verify every registered authenticator, phone number, and FIDO2 key. Remove any method that cannot be verified as legitimate.
T+30 min: Check mail transport rules and forwarding
Exchange PowerShell: Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null -or $_.BlindCopyTo -ne $null}. Check individual mailbox forwarding: Get-Mailbox -ResultSize Unlimited | Get-MailboxForwardingRule. Any forwarding to external domains not in your approved partner list should be removed immediately.
The bottom line
Phishing-resistant MFA, Conditional Access requiring compliant devices, restricted app registration, and PIM together break this chain before it reaches tenant admin. If you deploy only one: mandatory FIDO2 for Global Administrators, today.
Frequently asked questions
Can Defender for Office 365 block AiTM phishing links?
Defender for Office 365 Safe Links and Safe Attachments can catch known-bad phishing infrastructure, but AiTM proxies using freshly registered domains or legitimate cloud infrastructure frequently evade URL reputation checks at time of click. The real protection against AiTM is phishing-resistant MFA (FIDO2/Windows Hello) which makes the stolen session cookie worthless because authentication is bound to the legitimate origin domain.
What is the difference between AiTM and traditional phishing?
Traditional phishing collects credentials on a fake login page, protected by MFA. AiTM proxies the real Microsoft login page, forwarding both the credentials and MFA response to Microsoft in real time, then stealing the resulting authenticated session cookie. The victim completes a genuine authentication including MFA; the attacker gets the post-MFA session token.
Does enabling Security Defaults protect against this attack chain?
Security Defaults provides TOTP-based MFA which does not protect against AiTM, TOTP codes can be proxied in real time just like passwords. Security Defaults is better than nothing but does not stop this chain. Phishing-resistant MFA (FIDO2) and Conditional Access policies requiring compliant devices are required to break the AiTM attack path.
How do I test if my Sentinel rules are catching AiTM?
Microsoft provides the Microsoft 365 Defender attack simulation training at security.microsoft.com/attacksimulator. For AiTM-specific simulation, tools like Gophish combined with EvilGinx2 can be deployed in a lab tenant (never production) to generate real AiTM telemetry for tuning your detection rules. Engage a red team for purple team exercises to validate detection coverage in your production environment.
How quickly can an attacker move from stolen session token to tenant admin access?
In documented AiTM campaigns, the time from session token theft to privilege escalation has been as short as 5-15 minutes. After capturing the victim's authenticated session cookie, the attacker's first actions are typically: verifying the session works by checking the account's permissions, enumerating MFA configurations (to understand what they need to maintain access), adding a new MFA device or application credential to the compromised account, and searching for users with admin roles to target next. This speed means real-time detection and automated response are essential: a SIEM alert that triggers a manual investigation 30 minutes later will arrive after the attacker has established persistence.
How do I detect AiTM phishing infrastructure before a click occurs?
Pre-click AiTM detection focuses on the phishing email and the proxy domain, not the session. Check incoming emails for links to domains registered within the past 7 days that use MX records pointing to common spam infrastructure -- these are a strong indicator of AiTM proxy domains. Microsoft Defender for Office 365 threat intelligence shares AiTM domain indicators via MDTI; subscribe to that feed and create Conditional Access named locations that block sign-ins originating from known AiTM-associated hosting ASNs. For proactive hunting, use Microsoft Defender Threat Intelligence or a third-party threat intel feed to pull fresh EvilGinx2 and Modlishka infrastructure IOCs and block them at your DNS layer before users click. Entra ID's sign-in risk policies at medium-and-above threshold provide a backstop even after a successful click.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
