Azure AD User Consent Blocked for Risky Application
Azure AD blocked a user's attempt to grant consent to a risky application, indicating potential OAuth abuse and requiring investigation of the user and application involved.
This analytic identifies instances where Azure Active Directory (Azure AD) has automatically blocked a user's attempt to grant consent to an application flagged as risky. The detection focuses on the "Consent to application" operation within Azure AD audit logs, specifically looking for system-driven block events. This automated blocking mechanism is a crucial defense against malicious OAuth applications attempting to gain unauthorized access to organizational data. Early detection of these blocked consent attempts allows security teams to investigate potentially compromised user accounts and identify malicious applications targeting their organization. The observed activity highlights Azure's proactive security measures and emphasizes the need for immediate investigation to understand the context and take preventive measures against sophisticated consent phishing attacks, particularly those leveraging techniques similar to the 365-Stealer.
Attack Chain
- Attacker registers a malicious OAuth application in Azure AD.
- The attacker crafts a phishing email or uses other social engineering methods to lure a target user into clicking a malicious link.
- The link redirects the user to the Azure AD consent page for the attacker's malicious application.
- The user, if not cautious, is prompted to grant the application permissions to access their account and data.
- Azure AD's risk analysis engine detects that the application is risky based on various factors (e.g., publisher reputation, requested permissions).
- Azure AD blocks the user's attempt to grant consent to the application.
- The event is logged in the Azure AD audit logs with a "failure" result and a reason indicating "Risky application detected".
- Security team investigates the blocked consent attempt, the user involved, and the characteristics of the flagged application.
Impact
A successful consent phishing attack can lead to the compromise of user accounts, data exfiltration, and further malicious activities within the organization. While Azure AD's blocking mechanism prevents immediate compromise, repeated attempts or successful circumvention could lead to significant damage. This detection helps identify users who are being targeted and applications that are attempting to infiltrate the organization, reducing the potential for widespread damage.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune it for your specific Azure AD environment to detect blocked consent attempts for risky applications (
rules). - Investigate any triggered alerts by examining the user, application, and requested permissions involved to determine the potential impact (
search). - Review Azure AD Identity Protection settings to ensure that risk-based consent policies are properly configured and blocking risky applications (
references). - Educate users about the risks of granting consent to unfamiliar applications and how to identify potentially malicious requests (
references).
Detection coverage 2
Azure AD User Consent Blocked for Risky Application
mediumDetects instances where Azure AD has blocked a user's attempt to grant consent to a risky application.
Azure AD Consent to Application with Risky Permissions
lowDetects instances of consent to applications requesting high-risk permissions in Azure AD.
Detection queries are available on the platform. Get full rules →