That Android 6 Login? It Was Actually Windows 10.
Why anomalous user agent strings can be misleading
In the same spirit as our past posts on SharePoint and Teams quirks, here’s another surprise from the Microsoft APIs—this time from a fan favorite: user agent strings.
Let’s dive in.
A Strange User Agent String
We were reviewing login activity for a user who typically uses Windows 10 when something weird popped up: a user agent string claiming the login came from Android 6.0.
Turns out it wasn’t actually Android 6.
It was the user logging in from their normal Windows laptop - same device and IP address.
But, something caused that erroneous Android 6 user agent and made it look much more suspicious than it actually was.
So, what could have caused it?
What We Typically See For This User
Device Properties:
[
{"Name": "DisplayName", "Value": "Max-XYZ"},
{"Name": "OS", "Value": "Windows10"},
{"Name": "BrowserType", "Value": "Edge"}
]Extended Properties:
[
{"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0 OneOutlook/1.2025.219.400"}
]No surprises here. This is a registered Windows 10 device running Edge, and the user agent string confirms the OS as Windows NT 10.0.
The Suspicious Login
Device Properties:
[
{"Name": "DisplayName", "Value": "Max-XYZ"},
{"Name": "OS", "Value": "Windows"},
{"Name": "BrowserType", "Value": "Edge"}
]Extended Properties:
[
{"Name": "UserAgent", "Value": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Mobile Safari/537.36 Edg/134.0.0.0"}
]Same device name. Still marked as Windows. Still using Edge. But now the user agent says Android 6.0?
So... which do we trust?
What’s Actually Going On?
We saw this pattern repeat across multiple users.
The common factor?
AppId: c0ab8ce9-e9a0-42e7-b064-33d422df41f1 (M365 Chat Client)Whatever the reason for this quirk with M365 Chat Client, it’s easy to mistake this for an attack.
Takeaway: User Agent Anomalies Aren’t a Silver Bullet
It's tempting to treat rare user agents as strong indicators of compromise.
And sometimes—like a first-time axios login from a weird IP—that's fair.
But in Microsoft environments, weird telemetry isn’t always an attack.
This was a normal user, on their normal device, using a Microsoft app. The Android 6 user agent was just noise.
This is why it’s crucial to treat user agents as one signal, not the whole story.
This won’t be the last time Microsoft logs behave in ways that are easy to misinterpret.
—
If you’re looking for ways to level up your Microsoft defenses, email me at [first name] [at] petrasecurity.com so we can set up some time to chat at RSA.