What Changed
Two phishing-focused hunting queries in the Microsoft Defender XDR solution were refactored to avoid ARM-TTK lint failures that were blocking the Sentinel solution validation pipeline. A cleanup to an Analytic Rule was also included.
Hunting Queries refactored (version 1.0.0 to 1.0.1):
- Potential OAuth phishing email delivered into Inbox.yaml – URL list for OAuth consent endpoint detection rebuilt via strcat() instead of inline literals.
- Possible device code phishing attempts.yaml – device-code URL targets moved into a pack_array let-binding using strcat().
Analytic Rule cleanup (version 1.1.2 to 1.1.3):
- PossibleWebpBufferOverflow.yaml – empty groupByAlertDetails and groupByCustomDetails arrays removed, resolving a separate ARM-TTK Template Should Not Contain Blanks failure.
CI/KQL validation:
- SkipValidationsTemplates.json updated to exempt Possible device code phishing attempts.yaml from the KQL schema validator – AADSignInEventsBeta is a Microsoft Defender XDR advanced hunting beta table absent from the validator schema.
Solution bumped 3.0.14 to 3.0.15.
Detection Logic
Potential OAuth phishing email delivered into Inbox
- Table: EmailUrlInfo, joined to EmailEvents
- Logic: Builds a match list of OAuth consent endpoint URL fragments for both login.microsoftonline.com and login.microsoftonline.us (common/consumers/organizations tenants), then filters for inbound emails containing any of those URLs that were delivered to the Inbox.
- Runtime behaviour unchanged – strcat() reconstruction produces the same URL strings at query time.
Possible device code phishing attempts
- Tables: UrlClickEvents, AADSignInEventsBeta, EmailEvents
- Logic: Flags users who clicked a device-code auth URL (microsoft.com/devicelogin or the OAuth2 deviceauth endpoint) and subsequently exhibited a risky sign-in within a short window, correlated against email delivery.
- Runtime behaviour unchanged – has_any(DeviceLoginUrls) with a pack_array let-binding is semantically equivalent to the prior inline string list.
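The strcat()/pack_array() let-binding pattern that both refactors rely on, shown as an added illustrative query rather than the solution's own YAML content: the hostname is assembled at query time so the packaged ARM template never carries a literal login.microsoftonline.com URI, and has_any() matches against the resulting dynamic array exactly as it did against the inline string list. The endpoint paths, the 7-day lookback, the 1-hour click-to-sign-in window and the join shape are assumptions chosen for the example; column names follow the Defender XDR advanced hunting schema for UrlClickEvents, AADSignInEventsBeta and EmailEvents. The same construction extends to the OAuth consent list by adding a second host let (for login.microsoftonline.us) and one strcat() entry per tenant path.

```kql
// Added example, not the solution's shipped query.
// Hostname built with strcat() so no literal login.microsoftonline.com URI
// appears in the packaged template; the runtime string is identical.
let MsOnlineHost = strcat("login.", "microsoftonline.com");
// Assumed device-code endpoint paths; pack_array() yields a dynamic array
// that has_any() accepts directly.
let DeviceLoginUrls = pack_array(
    strcat("microsoft.com", "/devicelogin"),
    strcat(MsOnlineHost, "/common/oauth2/deviceauth"),
    strcat(MsOnlineHost, "/common/oauth2/v2.0/devicecode")
);
// Users who clicked a device-code login target (assumed 7-day lookback).
let DeviceCodeClicks = UrlClickEvents
    | where Timestamp > ago(7d)
    | where Url has_any (DeviceLoginUrls)
    | project ClickTime = Timestamp, AccountUpn, ClickedUrl = Url, NetworkMessageId;
// Risky sign-ins from the beta table (hence the KQL validator exemption).
let RiskySignIns = AADSignInEventsBeta
    | where Timestamp > ago(7d)
    | where RiskLevelDuringSignIn > 0
    | project SignInTime = Timestamp, AccountUpn, IPAddress, RiskLevelDuringSignIn;
DeviceCodeClicks
| join kind=inner RiskySignIns on AccountUpn
// Assumed "short window": sign-in within one hour after the click.
| where SignInTime between (ClickTime .. (ClickTime + 1h))
// Correlate back to the delivering message for triage context.
| join kind=leftouter (
    EmailEvents
    | project NetworkMessageId, SenderFromAddress, Subject, DeliveryAction
  ) on NetworkMessageId
| project ClickTime, SignInTime, AccountUpn, ClickedUrl, IPAddress,
          RiskLevelDuringSignIn, SenderFromAddress, Subject, DeliveryAction
```

Because strcat() is evaluated once per let-binding at query time, the linter sees only string fragments while the engine sees the full hostname, which is why the page can state that detection coverage is unchanged.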
MITRE Mapping
- T1566 – Phishing (both hunting queries explicitly map to this technique via relevantTechniques)
Data Fidelity Note
These were not broken detections producing incorrect results – they were queries that could not be deployed via the packaged ARM template because the ARM-TTK linter rejected the literal login.microsoftonline.com hostname strings as disallowed hardcoded URIs. Any environment relying on the Content Hub solution package at 3.0.14 to install or update these queries would have experienced a pipeline/deployment failure, not a logic failure. The queries themselves were functionally correct; the fix restores deployability without altering detection coverage.
Affected Files
.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml
(packaging artefacts: 3.0.15.zip, ReleaseNotes.md, Solution_Microsoft Defender XDR.json, mainTemplate.json)