{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-azure-active-directory-api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID","Microsoft Graph","Windows Azure Active Directory API","Microsoft 365"],"_cs_severities":["medium"],"_cs_tags":["entra_id","oauth","phishing","initial_access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are exploiting the trust associated with first-party Microsoft applications within Entra ID to perform OAuth phishing campaigns, such as ConsentFix. These applications, belonging to the Family of Client IDs (FOCI), are pre-consented and cannot be blocked, making them ideal for bypassing consent prompts and gaining unauthorized access. The attackers phish users into granting these applications access to sensitive resources like Microsoft Graph or the deprecated Windows Azure Active Directory API. This access is then used to steal authorization codes and exchange them for tokens from attacker infrastructure. This activity was observed starting in early 2025 with ongoing campaigns in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a phishing email targeting a user, enticing them to click a malicious link.\u003c/li\u003e\n\u003cli\u003eThe link redirects the user to a legitimate Microsoft login page, pre-populated with a first-party Microsoft application (e.g., Azure CLI, Visual Studio Code, Azure PowerShell).\u003c/li\u003e\n\u003cli\u003eThe user is prompted to grant the application permissions to access resources like Microsoft Graph or Windows Azure Active Directory.\u003c/li\u003e\n\u003cli\u003eThe user grants consent, unknowingly providing the attacker with an authorization code.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the authorization code and exchanges it for an access token using their own infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen access token to access the user's data and resources via Microsoft Graph or Windows Azure Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data, such as emails, files, or Teams messages.\u003c/li\u003e\n\u003cli\u003eThe attacker may also register devices or create new accounts for persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful OAuth phishing attacks can lead to unauthorized access to sensitive data, including emails, files, and other resources stored within Microsoft 365. Organizations may experience data breaches, financial losses, and reputational damage. The widespread nature of Microsoft 365 means that any organization relying on these services is potentially vulnerable. While the specific number of victims is not detailed, the references suggest widespread campaigns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID OAuth Phishing via First-Party Microsoft Application - Developer Tools\u003c/code\u003e to detect suspicious sign-in activity involving developer tools accessing Microsoft Graph or legacy Azure AD (rule provided below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID OAuth Phishing via First-Party Microsoft Application - Legacy AAD\u003c/code\u003e to detect any FOCI application accessing the deprecated Windows Azure Active Directory resource (rule provided below).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eazure.signinlogs.properties.user_principal_name\u003c/code\u003e and \u003ccode\u003esource.ip\u003c/code\u003e for geographic anomalies as detailed in the \u0026quot;Triage and analysis\u0026quot; section of the rule description.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to restrict OAuth flows for these applications to compliant devices only.\u003c/li\u003e\n\u003cli\u003eEducate users about OAuth phishing and the risks of pasting authorization codes into websites.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-oauth-phishing/","summary":"Attackers are leveraging first-party Microsoft applications in Entra ID to conduct OAuth phishing attacks, bypassing traditional consent prompts and accessing sensitive resources like Microsoft Graph and legacy Azure AD.","title":"Entra ID OAuth Phishing via First-Party Microsoft Application","url":"https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-oauth-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed - Windows Azure Active Directory API","version":"https://jsonfeed.org/version/1.1"}