{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/consent-grant/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Azure Active Directory","Microsoft Entra ID"],"_cs_severities":["medium"],"_cs_tags":["o365","oauth","consent-grant","phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of illicit consent grant attacks within Microsoft 365 environments. These attacks involve adversaries creating and registering malicious applications within Azure Active Directory (Azure AD), now known as Microsoft Entra ID. The attackers then trick users into granting consent to these applications, thereby granting the application permissions to access resources within Microsoft 365, such as mail, profiles, and files. This is typically accomplished through spearphishing campaigns that direct users to a pre-crafted OAuth consent URL. The Elastic detection rule \u0026quot;M365 Identity OAuth Illicit Consent Grant by Rare Client and User\u0026quot; is designed to identify such consent grants by focusing on newly observed combinations of users and client IDs, thus highlighting potentially malicious activity. This activity started being tracked around 2025/03/24, defenders should prioritize detection and remediation of these attacks due to the potential for data exfiltration and account compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Registration:\u003c/strong\u003e The attacker registers a malicious application within Azure AD (Entra ID). This involves creating an application object and defining the permissions it requires.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCrafting the Phishing URL:\u003c/strong\u003e The attacker crafts a spearphishing email containing a malicious OAuth consent URL. This URL is designed to appear legitimate and entice the user to grant consent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSpearphishing Campaign:\u003c/strong\u003e The attacker sends the spearphishing email to targeted users within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Grants Consent:\u003c/strong\u003e The user, believing the request is legitimate, clicks the link and grants consent to the application. This establishes an OAuth grant.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Accesses Resources:\u003c/strong\u003e The malicious application leverages the granted consent to access resources within Microsoft 365 on behalf of the user, such as mail, files, and profiles.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The application exfiltrates sensitive data from the compromised accounts. This data can be used for further attacks or sold on the black market.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintaining Persistence:\u003c/strong\u003e The attacker may use the compromised accounts to maintain persistence within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using the initial foothold, the attacker moves laterally to other systems or accounts within the organization to gain broader access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful illicit consent grant attack can lead to widespread data exfiltration, impacting potentially thousands of users depending on the scope of the granted permissions. Targeted sectors include organizations that rely heavily on Microsoft 365 for daily operations, such as financial institutions, healthcare providers, and government agencies. The consequences can range from loss of sensitive data and intellectual property to regulatory fines and reputational damage. The Elastic rule assigns a risk score of 47 to this type of activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect New M365 OAuth Consent Grant\u003c/code\u003e to identify suspicious consent activity based on the \u0026quot;Consent to application.\u0026quot; event action and successful outcome, tuning the threshold as needed to reduce false positives.\u003c/li\u003e\n\u003cli\u003eReview the Microsoft 365 audit logs as described in the rule description by searching for \u003ccode\u003eevent.dataset: \u0026quot;o365.audit\u0026quot;\u003c/code\u003e and \u003ccode\u003eevent.action: \u0026quot;Consent to application.\u0026quot;\u003c/code\u003e to validate potential attacker controlled applications.\u003c/li\u003e\n\u003cli\u003eEnable the Admin consent workflow as outlined in the references to restrict user-granted consent and require administrator approval for high-risk application permissions.\u003c/li\u003e\n\u003cli\u003eRegularly audit existing applications in your environment and revoke consent for any suspicious or unnecessary applications, referencing the investigation steps included in the rule notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-m365-oauth-consent/","summary":"Adversaries may register a malicious application in Microsoft Entra ID and trick users into granting excessive permissions via OAuth consent, allowing the malicious application to access resources in Microsoft 365 on behalf of the user, potentially leading to data exfiltration.","title":"M365 Identity OAuth Illicit Consent Grant by Rare Client and User","url":"https://feed.craftedsignal.io/briefs/2024-01-m365-oauth-consent/"}],"language":"en","title":"CraftedSignal Threat Feed - Consent-Grant","version":"https://jsonfeed.org/version/1.1"}