Microsoft 365: Attack Tool User Agents

There is no shortage of tools available for enumerating the users in a Microsoft 365 tenant (AKA Office365) and testing password security. But what do these 'attack tools' look like from a blue team perspective and what can you do to alert yourself of their use.

This blog lists the User Agents used by specific attack tools (in their default settings) as recorded in both the Security Center's Unified Audit Logs (UAL) and the Defender for Cloud Apps Activity Log.

M365 Attack Tool User Agents


UAL: python-requests/2.25.1

Activity Log: ;;Python Requests 2


UAL: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0

Activity Log: Mac OS X 10;Firefox 69.0


UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

Activity Log: PC, Windows 10 10, Chrome 94.0


UAL: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

Activity Log: Windows 7;IE 10.0


UAL: python-requests/2.25.1

Activity Log: ;;Python Requests 2.25

PowerShell (Connect-ExchangeOnline)

UAL: Other

Activity Log: ;;Rich Client;

TeamFiltration V3.3

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

Activity Log: ;Windows 10;Edge 18.17763;

TeamFiltration V3.5

UAL: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/ Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36

Activity Log: ;Windows 10;Chrome 80.0.3987


I have observed the User Agent "BAV2ROPC" in brute-force attempts and password spraying activity. BAV2ROPC's appearance is likely is determined by the use of legacy clients and authentication such as IMAP.

Whilst I wasn't able to find any specific documentation for it, I figured BAV2ROPC is an acronym for "Basic Authentication Version OAuth2 Resource Owner Password Credentials".

It is worth noting though, the User Agent itself is not necessarily an indication of attack. From my experience the User Agent "BAV2ROPC" is also often noted for legitimate logons by legacy clients using legacy authentication (typically service accounts).

You should be able to identify pretty quickly if the authentication is legitimate or not through IP geolocation, reputation etc. but also be on the lookout for multiple 'UserLoginfailed' operations which are followed by a 'UserLoggedIn' operation involving the UserAgent.

See below for some screenshots of what BAV2ROPC authentication activity looks like in the UAL and Azure Active Directory Sign-In Logs.

BAV2ROPC UserLoginFailed Operation in the UAL

BAV2ROPC UserLoggedIn Operation in the UAL

BAV2ROPC in Azure Active Directory Sign-in Logs

BAV2ROPC in Azure Active Directory Sign-in Logs

'Passive' User Enumeration

Whilst not truly passive, some tools can enumerate users in a Microsoft 365 tenant without entering a password. This is done by looking at the codes returned by Microsoft infrastructure when entering a username. 

When using these user enumeration techniques, as a password isn't entered the event is not recorded as a failed logon attempt in the tenant logs. This technique is used by tools such as O365Creeper but it can also be performed with BurpSuite.

Creating Activity Policy

Defender for Cloud Apps offers you a chance to spot some of this activity by alerting on the use of 'suspicious User Agents'.

To do so, Create an Activity Policy based of the "Activities from suspicious user agents" policy template and add the User Agents you'd like to treat as suspicious which can hopefully give you the heads up on tenant scanning.