O365 Application Available To Other Tenants
An Azure Active Directory Application is configured to allow authentication from external tenants or personal accounts, potentially leading to unauthorized access to data or capabilities.
This detection identifies Azure Active Directory Applications configured in a way that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access to any data or capabilities the application is authorized to access. This poses a significant risk, as threat actors can exploit this misconfiguration to gain unauthorized access to sensitive resources within the targeted organization's O365 environment. The detection leverages the O365 Universal Audit Log data source to monitor changes to application settings, specifically the 'AvailableToOtherTenants' property. This analytic is based on a Splunk ES-CU detection and can be adapted to other platforms. The Microsoft guidance released in March 2023 highlights the risks associated with such misconfigurations, emphasizing the importance of detecting and remediating these issues promptly.
Attack Chain
- An attacker identifies an Azure Active Directory application within the target organization.
- The attacker discovers that the application is configured to allow authentication from external tenants ('AvailableToOtherTenants' is set to true).
- The attacker registers a malicious application within their own Azure tenant.
- The attacker configures their malicious application to request permissions to access resources within the target organization's environment, leveraging the misconfigured application.
- A user within the target organization is tricked into granting consent to the attacker's malicious application.
- The attacker's application gains access to the target organization's resources, such as data stored in SharePoint or Exchange Online.
- The attacker exfiltrates sensitive data or performs other malicious actions, such as creating new accounts or modifying existing configurations.
Impact
A successful attack can lead to unauthorized access to sensitive data, including confidential documents, financial records, and personal information. The impact can range from data breaches and financial losses to reputational damage and legal liabilities. The number of affected users and the extent of the damage will depend on the permissions granted to the misconfigured application and the resources it has access to. Given the widespread use of Azure Active Directory and the potential for misconfiguration, this threat poses a significant risk to organizations of all sizes and across various sectors.
Recommendation
- Deploy the Sigma rule
O365 Application Available To Other Tenantsto your SIEM and tune for your environment to detect when the 'AvailableToOtherTenants' property is enabled for an application. - Review Azure Active Directory application configurations to identify and remediate any applications that are configured to allow authentication from external tenants.
- Implement strict consent policies to prevent users from granting access to unauthorized applications.
- Monitor the O365 Universal Audit Log data source for suspicious activity related to Azure Active Directory applications.
- Investigate any alerts generated by the
O365 Application Available To Other Tenantsrule and take appropriate remediation actions.
Detection coverage 2
O365 Application Available To Other Tenants
highDetects when an O365 application is configured to be available to other tenants.
O365 Application Consent Grant to External Tenant
mediumDetects when consent is granted to an application from an external tenant.
Detection queries are available on the platform. Get full rules →