<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Windows Azure Active Directory API - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/windows-azure-active-directory-api/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/windows-azure-active-directory-api/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID OAuth Phishing via First-Party Microsoft Application</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-oauth-phishing/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-entra-id-oauth-phishing/</guid><description>Attackers are leveraging first-party Microsoft applications in Entra ID to conduct OAuth phishing attacks, bypassing traditional consent prompts and accessing sensitive resources like Microsoft Graph and legacy Azure AD.</description><content:encoded><![CDATA[<p>Attackers are exploiting the trust associated with first-party Microsoft applications within Entra ID to perform OAuth phishing campaigns, such as ConsentFix. These applications, belonging to the Family of Client IDs (FOCI), are pre-consented and cannot be blocked, making them ideal for bypassing consent prompts and gaining unauthorized access. The attackers phish users into granting these applications access to sensitive resources like Microsoft Graph or the deprecated Windows Azure Active Directory API. This access is then used to steal authorization codes and exchange them for tokens from attacker infrastructure. This activity was observed starting in early 2025 with ongoing campaigns in 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a phishing email targeting a user, enticing them to click a malicious link.</li>
<li>The link redirects the user to a legitimate Microsoft login page, pre-populated with a first-party Microsoft application (e.g., Azure CLI, Visual Studio Code, Azure PowerShell).</li>
<li>The user is prompted to grant the application permissions to access resources like Microsoft Graph or Windows Azure Active Directory.</li>
<li>The user grants consent, unknowingly providing the attacker with an authorization code.</li>
<li>The attacker intercepts the authorization code and exchanges it for an access token using their own infrastructure.</li>
<li>The attacker uses the stolen access token to access the user's data and resources via Microsoft Graph or Windows Azure Active Directory.</li>
<li>The attacker may exfiltrate sensitive data, such as emails, files, or Teams messages.</li>
<li>The attacker may also register devices or create new accounts for persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful OAuth phishing attacks can lead to unauthorized access to sensitive data, including emails, files, and other resources stored within Microsoft 365. Organizations may experience data breaches, financial losses, and reputational damage. The widespread nature of Microsoft 365 means that any organization relying on these services is potentially vulnerable. While the specific number of victims is not detailed, the references suggest widespread campaigns.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Entra ID OAuth Phishing via First-Party Microsoft Application - Developer Tools</code> to detect suspicious sign-in activity involving developer tools accessing Microsoft Graph or legacy Azure AD (rule provided below).</li>
<li>Deploy the Sigma rule <code>Entra ID OAuth Phishing via First-Party Microsoft Application - Legacy AAD</code> to detect any FOCI application accessing the deprecated Windows Azure Active Directory resource (rule provided below).</li>
<li>Review <code>azure.signinlogs.properties.user_principal_name</code> and <code>source.ip</code> for geographic anomalies as detailed in the &quot;Triage and analysis&quot; section of the rule description.</li>
<li>Implement Conditional Access policies to restrict OAuth flows for these applications to compliant devices only.</li>
<li>Educate users about OAuth phishing and the risks of pasting authorization codes into websites.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>entra_id</category><category>oauth</category><category>phishing</category><category>initial_access</category></item></channel></rss>