Skip to content
Threat Feed
high advisory

O365 Application Available To Other Tenants

An Azure Active Directory Application is configured to allow authentication from external tenants or personal accounts, potentially leading to unauthorized access to data or capabilities.

This detection identifies Azure Active Directory Applications configured in a way that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access to any data or capabilities the application is authorized to access. This poses a significant risk, as threat actors can exploit this misconfiguration to gain unauthorized access to sensitive resources within the targeted organization's O365 environment. The detection leverages the O365 Universal Audit Log data source to monitor changes to application settings, specifically the 'AvailableToOtherTenants' property. This analytic is based on a Splunk ES-CU detection and can be adapted to other platforms. The Microsoft guidance released in March 2023 highlights the risks associated with such misconfigurations, emphasizing the importance of detecting and remediating these issues promptly.

Attack Chain

  1. An attacker identifies an Azure Active Directory application within the target organization.
  2. The attacker discovers that the application is configured to allow authentication from external tenants ('AvailableToOtherTenants' is set to true).
  3. The attacker registers a malicious application within their own Azure tenant.
  4. The attacker configures their malicious application to request permissions to access resources within the target organization's environment, leveraging the misconfigured application.
  5. A user within the target organization is tricked into granting consent to the attacker's malicious application.
  6. The attacker's application gains access to the target organization's resources, such as data stored in SharePoint or Exchange Online.
  7. The attacker exfiltrates sensitive data or performs other malicious actions, such as creating new accounts or modifying existing configurations.

Impact

A successful attack can lead to unauthorized access to sensitive data, including confidential documents, financial records, and personal information. The impact can range from data breaches and financial losses to reputational damage and legal liabilities. The number of affected users and the extent of the damage will depend on the permissions granted to the misconfigured application and the resources it has access to. Given the widespread use of Azure Active Directory and the potential for misconfiguration, this threat poses a significant risk to organizations of all sizes and across various sectors.

Recommendation

  • Deploy the Sigma rule O365 Application Available To Other Tenants to your SIEM and tune for your environment to detect when the 'AvailableToOtherTenants' property is enabled for an application.
  • Review Azure Active Directory application configurations to identify and remediate any applications that are configured to allow authentication from external tenants.
  • Implement strict consent policies to prevent users from granting access to unauthorized applications.
  • Monitor the O365 Universal Audit Log data source for suspicious activity related to Azure Active Directory applications.
  • Investigate any alerts generated by the O365 Application Available To Other Tenants rule and take appropriate remediation actions.

Detection coverage 2

O365 Application Available To Other Tenants

high

Detects when an O365 application is configured to be available to other tenants.

sigma tactics: persistence techniques: T1098.003 sources: o365, o365

O365 Application Consent Grant to External Tenant

medium

Detects when consent is granted to an application from an external tenant.

sigma tactics: credential_access techniques: T1535 sources: o365, o365

Detection queries are available on the platform. Get full rules →