Skip to content
Threat Feed
medium advisory

Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource

Detects the first-time use of an OAuth 2.0 authorization code grant flow for a specific combination of user, application, and resource in Microsoft Entra ID, potentially indicating OAuth phishing attacks like ConsentFix, where attackers steal authorization codes.

This detection identifies unusual OAuth 2.0 authorization code grant flows in Microsoft Entra ID, specifically focusing on first-time combinations of user, client application, and target resource. It aims to detect potential OAuth phishing attacks, such as ConsentFix, where attackers steal authorization codes and exchange them for tokens from attacker-controlled infrastructure. The detection highlights scenarios where developer tools like Azure CLI, Visual Studio Code, and Azure PowerShell are used by a user to access Microsoft Graph or legacy Azure AD for the first time. It also flags cases where FOCI (Family of Client IDs) applications access the deprecated Windows Azure Active Directory. The rule covers activity starting from 9 months prior to the update on April 10th, 2026. This is critical for defenders because successful exploitation can lead to unauthorized access to sensitive resources and data exfiltration.

Attack Chain

  1. The attacker sends a phishing email containing a malicious link or attachment to the victim.
  2. The victim clicks the link and is redirected to a legitimate-looking Microsoft login page or is tricked into opening the attachment.
  3. The attacker crafts a malicious OAuth application and tricks the user into granting consent.
  4. The victim is prompted to authorize the malicious application to access their resources.
  5. If the victim grants consent, the attacker steals the authorization code.
  6. The attacker exchanges the stolen authorization code for an access token using attacker-controlled infrastructure.
  7. The attacker uses the stolen access token to access protected resources within the victim's Entra ID environment.
  8. The attacker performs actions such as reading emails, accessing files, or exfiltrating data, masquerading as the legitimate user.

Impact

A successful OAuth phishing attack can compromise user accounts, lead to data breaches, and provide attackers with persistent access to sensitive resources. The number of victims is dependent on the scope of the phishing campaign. Targeted sectors include any organization using Microsoft Entra ID and OAuth applications. Failure to detect and remediate these attacks can result in significant financial losses, reputational damage, and legal liabilities. The pushsecurity.com blog highlights the ConsentFix attack, demonstrating the real-world impact of OAuth phishing.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect unusual OAuth authorization code grant flows in Entra ID based on the azure.signinlogs dataset.
  • Investigate alerts generated by the Sigma rule by examining the azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.app_display_name, and azure.signinlogs.properties.resource_id to identify potentially compromised accounts and applications.
  • Implement Conditional Access policies in Entra ID to restrict OAuth flows for high-risk applications and users, as suggested in the remediation steps of the referenced Elastic rule.
  • Monitor azure.signinlogs.properties.session_id for correlations with suspicious activity.
  • Revoke refresh tokens immediately for any user identified as compromised through this activity to prevent further unauthorized access as outlined in the triage and analysis notes.
  • Use a combination of source IPs and geolocation to block known malicious or suspicious login points by monitoring source.ip and source.geo.* values.

Detection coverage 2

Entra ID OAuth Unusual App Resource User Combination

medium

Detects the first occurrence of OAuth authorization code grant flow for a specific user, app, and resource combination.

sigma tactics: initial_access techniques: T1566 sources: network_connection, azure

Entra ID OAuth Access to Legacy AAD by Unusual App

medium

Detects OAuth access to deprecated Windows Azure Active Directory by applications that are not normally associated with this resource.

sigma tactics: initial_access techniques: T1566 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →