{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/consent-phishing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["o365","azuread","oauth","consent-phishing","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on the disabling of the \u0026quot;risk-based step-up consent\u0026quot; feature within Microsoft 365. When enabled, this feature requires additional authorization steps for users attempting to grant permissions to applications deemed risky by Microsoft. Attackers can exploit user consent to gain access to sensitive data. By disabling this control, adversaries can potentially trick users into granting permissions to malicious applications without triggering additional security checks, effectively bypassing a critical defense mechanism. This can lead to account takeover and data exfiltration. The activity is logged within Azure Active Directory and can be identified by changes to the 'AllowUserConsentForRiskyApps' setting.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an administrator account, potentially through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure Active Directory admin portal.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Enterprise applications settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the authorization policy using the \u0026quot;Update authorization policy\u0026quot; operation.\u003c/li\u003e\n\u003cli\u003eSpecifically, the attacker changes the \u0026quot;AllowUserConsentForRiskyApps\u0026quot; setting from \u0026quot;true\u0026quot; to \u0026quot;false\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThis change disables the risk-based step-up consent feature, lowering the threshold for application consent.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses social engineering or other phishing techniques to trick users into granting consent to a malicious OAuth application.\u003c/li\u003e\n\u003cli\u003eUpon successful consent, the attacker gains access to user data and other resources authorized by the user, leading to data theft or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling risk-based step-up consent can significantly broaden the attack surface within an organization's Microsoft 365 environment. Successful exploitation can lead to widespread data breaches, impacting potentially thousands of users. This can lead to regulatory fines, legal liabilities, and significant reputational damage. The lack of step-up consent increases the likelihood of successful OAuth phishing attacks, which are becoming increasingly prevalent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Sysmon config and ingest O365 management activity events to allow for proper detection coverage.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Block User Consent For Risky Apps Disabled\u003c/code\u003e in your SIEM to detect instances where the \u0026quot;risk-based step-up consent\u0026quot; setting is disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of this setting being disabled, focusing on the user (\u003ccode\u003euser\u003c/code\u003e field in the logs) who made the change and the context surrounding the event.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks associated with granting application consent and how to identify potentially malicious applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-risky-consent/","summary":"The disabling of the 'risk-based step-up consent' security setting in Microsoft 365 allows users to grant consent to potentially malicious applications, increasing the risk of OAuth phishing and unauthorized access to sensitive data.","title":"O365 Risk-Based Consent Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-risky-consent/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","oauth","consent-phishing","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis analytic identifies instances where Azure Active Directory (Azure AD) has automatically blocked a user's attempt to grant consent to an application flagged as risky. The detection focuses on the \u0026quot;Consent to application\u0026quot; operation within Azure AD audit logs, specifically looking for system-driven block events. This automated blocking mechanism is a crucial defense against malicious OAuth applications attempting to gain unauthorized access to organizational data. Early detection of these blocked consent attempts allows security teams to investigate potentially compromised user accounts and identify malicious applications targeting their organization. The observed activity highlights Azure's proactive security measures and emphasizes the need for immediate investigation to understand the context and take preventive measures against sophisticated consent phishing attacks, particularly those leveraging techniques similar to the 365-Stealer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a malicious OAuth application in Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a phishing email or uses other social engineering methods to lure a target user into clicking a malicious link.\u003c/li\u003e\n\u003cli\u003eThe link redirects the user to the Azure AD consent page for the attacker's malicious application.\u003c/li\u003e\n\u003cli\u003eThe user, if not cautious, is prompted to grant the application permissions to access their account and data.\u003c/li\u003e\n\u003cli\u003eAzure AD's risk analysis engine detects that the application is risky based on various factors (e.g., publisher reputation, requested permissions).\u003c/li\u003e\n\u003cli\u003eAzure AD blocks the user's attempt to grant consent to the application.\u003c/li\u003e\n\u003cli\u003eThe event is logged in the Azure AD audit logs with a \u0026quot;failure\u0026quot; result and a reason indicating \u0026quot;Risky application detected\u0026quot;.\u003c/li\u003e\n\u003cli\u003eSecurity team investigates the blocked consent attempt, the user involved, and the characteristics of the flagged application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful consent phishing attack can lead to the compromise of user accounts, data exfiltration, and further malicious activities within the organization. While Azure AD's blocking mechanism prevents immediate compromise, repeated attempts or successful circumvention could lead to significant damage. This detection helps identify users who are being targeted and applications that are attempting to infiltrate the organization, reducing the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your specific Azure AD environment to detect blocked consent attempts for risky applications (\u003ccode\u003erules\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts by examining the user, application, and requested permissions involved to determine the potential impact (\u003ccode\u003esearch\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview Azure AD Identity Protection settings to ensure that risk-based consent policies are properly configured and blocking risky applications (\u003ccode\u003ereferences\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of granting consent to unfamiliar applications and how to identify potentially malicious requests (\u003ccode\u003ereferences\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-risky-consent/","summary":"Azure AD blocked a user's attempt to grant consent to a risky application, indicating potential OAuth abuse and requiring investigation of the user and application involved.","title":"Azure AD User Consent Blocked for Risky Application","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azuread-risky-consent/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure AD"],"_cs_severities":["medium"],"_cs_tags":["azure","oauth","consent-phishing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where a user has denied consent to an OAuth application within an Azure AD environment. The rule specifically looks for Azure AD sign-in activity events with error code 65004, which indicates that a user has denied consent to an OAuth application. Monitoring these denied consent actions is crucial because it can signify that users are recognizing potentially suspicious or untrusted applications. A successful attack leveraging malicious OAuth applications can lead to data breaches, unauthorized actions, and compromised email servers. Several resources detail this threat, including Microsoft's guidance on protecting against consent phishing and Altered Security's analysis of 365 Stealer. Detecting and understanding these denials helps defenders refine security policies and enhance user awareness to prevent successful OAuth attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a malicious OAuth application in Azure AD.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a phishing email or uses other social engineering methods to trick a user into visiting a malicious link.\u003c/li\u003e\n\u003cli\u003eThe link directs the user to the legitimate Azure AD consent page for the malicious application.\u003c/li\u003e\n\u003cli\u003eThe application requests permissions, such as access to email, contacts, or files.\u003c/li\u003e\n\u003cli\u003eThe user, recognizing the suspicious nature of the application or requested permissions, denies consent. The \u003ccode\u003eproperties.status.errorCode\u003c/code\u003e field will contain the value \u003ccode\u003e65004\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Azure AD sign-in activity logs record the denied consent event, capturing details about the application, user, and permissions requested.\u003c/li\u003e\n\u003cli\u003eThe security team analyzes the denied consent event to determine if it represents a legitimate user concern or a potential attack.\u003c/li\u003e\n\u003cli\u003eBased on the analysis, security policies are updated, and user awareness training is refined to prevent future attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful OAuth application attack can grant unauthorized access to sensitive data, including emails, contacts, and files stored within the victim's Azure AD environment. Depending on the permissions requested by the attacker, they may be able to impersonate the user, send emails on their behalf, or modify data. While this detection focuses on \u003cem\u003edenied\u003c/em\u003e consent attempts, understanding the frequency and context of these denials helps proactively identify and block potentially malicious OAuth applications before they can be successfully deployed. A compromised user account through malicious OAuth applications can lead to significant data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eAzure AD User Denied OAuth Consent\u003c/code\u003e to your SIEM and tune it based on your environment to detect potential malicious OAuth application usage in your Azure AD environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eAzure AD User Denied OAuth Consent\u003c/code\u003e rule to determine if the denied consent event is legitimate or indicative of a potential attack.\u003c/li\u003e\n\u003cli\u003eReview and update Azure AD OAuth application consent policies to minimize the risk of users granting consent to malicious applications, as referenced in the Microsoft documentation on protecting against consent phishing.\u003c/li\u003e\n\u003cli\u003eUse the references on 365 Stealer and malicious OAuth applications to improve threat intelligence and user awareness training programs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-user-consent-denied/","summary":"This analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment, potentially indicating malicious OAuth application activity.","title":"Azure AD User Consent Denied for OAuth Application","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-user-consent-denied/"}],"language":"en","title":"CraftedSignal Threat Feed - Consent-Phishing","version":"https://jsonfeed.org/version/1.1"}