<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Consent-Phishing - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/consent-phishing/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/consent-phishing/feed.xml" rel="self" type="application/rss+xml"/><item><title>O365 Risk-Based Consent Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-o365-risky-consent/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-o365-risky-consent/</guid><description>The disabling of the 'risk-based step-up consent' security setting in Microsoft 365 allows users to grant consent to potentially malicious applications, increasing the risk of OAuth phishing and unauthorized access to sensitive data.</description><content:encoded><![CDATA[<p>This alert focuses on the disabling of the &quot;risk-based step-up consent&quot; feature within Microsoft 365. When enabled, this feature requires additional authorization steps for users attempting to grant permissions to applications deemed risky by Microsoft. Attackers can exploit user consent to gain access to sensitive data. By disabling this control, adversaries can potentially trick users into granting permissions to malicious applications without triggering additional security checks, effectively bypassing a critical defense mechanism. This can lead to account takeover and data exfiltration. The activity is logged within Azure Active Directory and can be identified by changes to the 'AllowUserConsentForRiskyApps' setting.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an administrator account, potentially through phishing or credential stuffing.</li>
<li>The attacker authenticates to the Azure Active Directory admin portal.</li>
<li>The attacker navigates to the Enterprise applications settings.</li>
<li>The attacker modifies the authorization policy using the &quot;Update authorization policy&quot; operation.</li>
<li>Specifically, the attacker changes the &quot;AllowUserConsentForRiskyApps&quot; setting from &quot;true&quot; to &quot;false&quot;.</li>
<li>This change disables the risk-based step-up consent feature, lowering the threshold for application consent.</li>
<li>The attacker then uses social engineering or other phishing techniques to trick users into granting consent to a malicious OAuth application.</li>
<li>Upon successful consent, the attacker gains access to user data and other resources authorized by the user, leading to data theft or further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling risk-based step-up consent can significantly broaden the attack surface within an organization's Microsoft 365 environment. Successful exploitation can lead to widespread data breaches, impacting potentially thousands of users. This can lead to regulatory fines, legal liabilities, and significant reputational damage. The lack of step-up consent increases the likelihood of successful OAuth phishing attacks, which are becoming increasingly prevalent.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the Sysmon config and ingest O365 management activity events to allow for proper detection coverage.</li>
<li>Deploy the Sigma rule <code>O365 Block User Consent For Risky Apps Disabled</code> in your SIEM to detect instances where the &quot;risk-based step-up consent&quot; setting is disabled.</li>
<li>Investigate any detected instances of this setting being disabled, focusing on the user (<code>user</code> field in the logs) who made the change and the context surrounding the event.</li>
<li>Educate users about the risks associated with granting application consent and how to identify potentially malicious applications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>o365</category><category>azuread</category><category>oauth</category><category>consent-phishing</category><category>defense-evasion</category></item><item><title>Azure AD User Consent Blocked for Risky Application</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azuread-risky-consent/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azuread-risky-consent/</guid><description>Azure AD blocked a user's attempt to grant consent to a risky application, indicating potential OAuth abuse and requiring investigation of the user and application involved.</description><content:encoded><![CDATA[<p>This analytic identifies instances where Azure Active Directory (Azure AD) has automatically blocked a user's attempt to grant consent to an application flagged as risky. The detection focuses on the &quot;Consent to application&quot; operation within Azure AD audit logs, specifically looking for system-driven block events. This automated blocking mechanism is a crucial defense against malicious OAuth applications attempting to gain unauthorized access to organizational data. Early detection of these blocked consent attempts allows security teams to investigate potentially compromised user accounts and identify malicious applications targeting their organization. The observed activity highlights Azure's proactive security measures and emphasizes the need for immediate investigation to understand the context and take preventive measures against sophisticated consent phishing attacks, particularly those leveraging techniques similar to the 365-Stealer.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker registers a malicious OAuth application in Azure AD.</li>
<li>The attacker crafts a phishing email or uses other social engineering methods to lure a target user into clicking a malicious link.</li>
<li>The link redirects the user to the Azure AD consent page for the attacker's malicious application.</li>
<li>The user, if not cautious, is prompted to grant the application permissions to access their account and data.</li>
<li>Azure AD's risk analysis engine detects that the application is risky based on various factors (e.g., publisher reputation, requested permissions).</li>
<li>Azure AD blocks the user's attempt to grant consent to the application.</li>
<li>The event is logged in the Azure AD audit logs with a &quot;failure&quot; result and a reason indicating &quot;Risky application detected&quot;.</li>
<li>Security team investigates the blocked consent attempt, the user involved, and the characteristics of the flagged application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful consent phishing attack can lead to the compromise of user accounts, data exfiltration, and further malicious activities within the organization. While Azure AD's blocking mechanism prevents immediate compromise, repeated attempts or successful circumvention could lead to significant damage. This detection helps identify users who are being targeted and applications that are attempting to infiltrate the organization, reducing the potential for widespread damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and tune it for your specific Azure AD environment to detect blocked consent attempts for risky applications (<code>rules</code>).</li>
<li>Investigate any triggered alerts by examining the user, application, and requested permissions involved to determine the potential impact (<code>search</code>).</li>
<li>Review Azure AD Identity Protection settings to ensure that risk-based consent policies are properly configured and blocking risky applications (<code>references</code>).</li>
<li>Educate users about the risks of granting consent to unfamiliar applications and how to identify potentially malicious requests (<code>references</code>).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azuread</category><category>oauth</category><category>consent-phishing</category><category>cloud</category></item><item><title>Azure AD User Consent Denied for OAuth Application</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-user-consent-denied/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-user-consent-denied/</guid><description>This analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment, potentially indicating malicious OAuth application activity.</description><content:encoded><![CDATA[<p>This detection identifies instances where a user has denied consent to an OAuth application within an Azure AD environment. The rule specifically looks for Azure AD sign-in activity events with error code 65004, which indicates that a user has denied consent to an OAuth application. Monitoring these denied consent actions is crucial because it can signify that users are recognizing potentially suspicious or untrusted applications. A successful attack leveraging malicious OAuth applications can lead to data breaches, unauthorized actions, and compromised email servers. Several resources detail this threat, including Microsoft's guidance on protecting against consent phishing and Altered Security's analysis of 365 Stealer. Detecting and understanding these denials helps defenders refine security policies and enhance user awareness to prevent successful OAuth attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker registers a malicious OAuth application in Azure AD.</li>
<li>Attacker crafts a phishing email or uses other social engineering methods to trick a user into visiting a malicious link.</li>
<li>The link directs the user to the legitimate Azure AD consent page for the malicious application.</li>
<li>The application requests permissions, such as access to email, contacts, or files.</li>
<li>The user, recognizing the suspicious nature of the application or requested permissions, denies consent. The <code>properties.status.errorCode</code> field will contain the value <code>65004</code>.</li>
<li>The Azure AD sign-in activity logs record the denied consent event, capturing details about the application, user, and permissions requested.</li>
<li>The security team analyzes the denied consent event to determine if it represents a legitimate user concern or a potential attack.</li>
<li>Based on the analysis, security policies are updated, and user awareness training is refined to prevent future attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful OAuth application attack can grant unauthorized access to sensitive data, including emails, contacts, and files stored within the victim's Azure AD environment. Depending on the permissions requested by the attacker, they may be able to impersonate the user, send emails on their behalf, or modify data. While this detection focuses on <em>denied</em> consent attempts, understanding the frequency and context of these denials helps proactively identify and block potentially malicious OAuth applications before they can be successfully deployed. A compromised user account through malicious OAuth applications can lead to significant data breaches and financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Azure AD User Denied OAuth Consent</code> to your SIEM and tune it based on your environment to detect potential malicious OAuth application usage in your Azure AD environment.</li>
<li>Investigate any alerts generated by the <code>Azure AD User Denied OAuth Consent</code> rule to determine if the denied consent event is legitimate or indicative of a potential attack.</li>
<li>Review and update Azure AD OAuth application consent policies to minimize the risk of users granting consent to malicious applications, as referenced in the Microsoft documentation on protecting against consent phishing.</li>
<li>Use the references on 365 Stealer and malicious OAuth applications to improve threat intelligence and user awareness training programs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>oauth</category><category>consent-phishing</category><category>credential-access</category></item></channel></rss>