In the same spirit as our past posts on SharePoint and Teams quirks, here’s another surprise from the Microsoft APIs—this time from a fan favorite: user agent strings.

Let’s dive in.

‍

A Strange User Agent String

We were reviewing login activity for a user who typically uses Windows 10 when something weird popped up: a user agent string claiming the login came from Android 6.0.

Turns out it wasn’t actually Android 6.

It was the user logging in from their normal Windows laptop - same device and IP address.

But, something caused that erroneous Android 6 user agent and made it look much more suspicious than it actually was.

So, what could have caused it?

‍

What We Typically See For This User

Device Properties:

‍‍

[
 {"Name": "DisplayName", "Value": "Max-XYZ"},
 {"Name": "OS", "Value": "Windows10"},
 {"Name": "BrowserType", "Value": "Edge"}
]Extended Properties:

[
 {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0 OneOutlook/1.2025.219.400"}
]

‍

No surprises here. This is a registered Windows 10 device running Edge, and the user agent string confirms the OS as Windows NT 10.0.

‍

The Suspicious Login

Device Properties:‍

‍

[
 {"Name": "DisplayName", "Value": "Max-XYZ"},
 {"Name": "OS", "Value": "Windows"},
 {"Name": "BrowserType", "Value": "Edge"}
]Extended Properties:

[
 {"Name": "UserAgent", "Value": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Mobile Safari/537.36 Edg/134.0.0.0"}
]

‍

Same device name. Still marked as Windows. Still using Edge. But now the user agent says Android 6.0?

So... which do we trust?

‍

What’s Actually Going On?

We saw this pattern repeat across multiple users.

The common factor?

‍

AppId: c0ab8ce9-e9a0-42e7-b064-33d422df41f1 (M365 Chat Client)

‍

Whatever the reason for this quirk with M365 Chat Client, it’s easy to mistake this for an attack.

‍

Takeaway: User Agent Anomalies Aren’t a Silver Bullet

It's tempting to treat rare user agents as strong indicators of compromise.

And sometimes—like a first-time axios login from a weird IP—that's fair.

But in Microsoft environments, weird telemetry isn’t always an attack.

This was a normal user, on their normal device, using a Microsoft app. The Android 6 user agent was just noise.

This is why it’s crucial to treat user agents as one signal, not the whole story.

This won’t be the last time Microsoft logs behave in ways that are easy to misinterpret.

—

If you want to stay ahead of these attackers and keep them out of your M365 environments, schedule a demo today.