Skip to content
Threat Feed
medium advisory

Entra ID OAuth Phishing via First-Party Microsoft Application

Attackers are leveraging first-party Microsoft applications in Entra ID to conduct OAuth phishing attacks, bypassing traditional consent prompts and accessing sensitive resources like Microsoft Graph and legacy Azure AD.

Attackers are exploiting the trust associated with first-party Microsoft applications within Entra ID to perform OAuth phishing campaigns, such as ConsentFix. These applications, belonging to the Family of Client IDs (FOCI), are pre-consented and cannot be blocked, making them ideal for bypassing consent prompts and gaining unauthorized access. The attackers phish users into granting these applications access to sensitive resources like Microsoft Graph or the deprecated Windows Azure Active Directory API. This access is then used to steal authorization codes and exchange them for tokens from attacker infrastructure. This activity was observed starting in early 2025 with ongoing campaigns in 2026.

Attack Chain

  1. Attacker crafts a phishing email targeting a user, enticing them to click a malicious link.
  2. The link redirects the user to a legitimate Microsoft login page, pre-populated with a first-party Microsoft application (e.g., Azure CLI, Visual Studio Code, Azure PowerShell).
  3. The user is prompted to grant the application permissions to access resources like Microsoft Graph or Windows Azure Active Directory.
  4. The user grants consent, unknowingly providing the attacker with an authorization code.
  5. The attacker intercepts the authorization code and exchanges it for an access token using their own infrastructure.
  6. The attacker uses the stolen access token to access the user's data and resources via Microsoft Graph or Windows Azure Active Directory.
  7. The attacker may exfiltrate sensitive data, such as emails, files, or Teams messages.
  8. The attacker may also register devices or create new accounts for persistence.

Impact

Successful OAuth phishing attacks can lead to unauthorized access to sensitive data, including emails, files, and other resources stored within Microsoft 365. Organizations may experience data breaches, financial losses, and reputational damage. The widespread nature of Microsoft 365 means that any organization relying on these services is potentially vulnerable. While the specific number of victims is not detailed, the references suggest widespread campaigns.

Recommendation

  • Deploy the Sigma rule Entra ID OAuth Phishing via First-Party Microsoft Application - Developer Tools to detect suspicious sign-in activity involving developer tools accessing Microsoft Graph or legacy Azure AD (rule provided below).
  • Deploy the Sigma rule Entra ID OAuth Phishing via First-Party Microsoft Application - Legacy AAD to detect any FOCI application accessing the deprecated Windows Azure Active Directory resource (rule provided below).
  • Review azure.signinlogs.properties.user_principal_name and source.ip for geographic anomalies as detailed in the "Triage and analysis" section of the rule description.
  • Implement Conditional Access policies to restrict OAuth flows for these applications to compliant devices only.
  • Educate users about OAuth phishing and the risks of pasting authorization codes into websites.

Detection coverage 2

Entra ID OAuth Phishing via First-Party Microsoft Application - Developer Tools

medium

Detects potentially suspicious OAuth authorization activity where developer tools (Azure CLI, VSCode, PowerShell) access Microsoft Graph or legacy Azure AD resources.

sigma tactics: initial_access techniques: T1078.004, T1566.002 sources: network_connection, azure

Entra ID OAuth Phishing via First-Party Microsoft Application - Legacy AAD

high

Detects any FOCI application accessing the deprecated Windows Azure Active Directory resource.

sigma tactics: initial_access techniques: T1078.004, T1566.002 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →