{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/consent/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","oauth","consent","phishing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies when the risk-based step-up consent feature in Azure Active Directory (Azure AD) is disabled. The feature mitigates OAuth consent phishing: when Microsoft classifies an end-user consent request as risky, the request is blocked for the user and stepped up to admin consent instead. It is disabled when the \u0026lsquo;AllowUserConsentForRiskyApps\u0026rsquo; setting in the tenant authorization policy is set to \u0026lsquo;true\u0026rsquo; (the default is \u0026lsquo;false\u0026rsquo;). With the protection off, attackers can trick users into granting malicious applications delegated access to sensitive data. This activity is detected by analyzing Azure AD audit logs for the \u0026ldquo;Update authorization policy\u0026rdquo; operation and inspecting its modified properties for \u0026lsquo;AllowUserConsentForRiskyApps\u0026rsquo;; only a change whose new value is \u0026lsquo;true\u0026rsquo; disables the protection, while a change back to \u0026lsquo;false\u0026rsquo; is the remediation and should not alert. 
Successful exploitation can lead to unauthorized access, data breaches, and further compromise within the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target organization using Azure AD and seeks access to its users\u0026rsquo; data and accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a malicious OAuth application that requests delegated permissions (for example, mail or file access) it will use once a victim consents; no password is captured, because the victim authenticates legitimately before consenting.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the \u0026ldquo;risk-based step-up consent\u0026rdquo; feature in the target tenant by setting \u0026lsquo;AllowUserConsentForRiskyApps\u0026rsquo; to \u0026lsquo;true\u0026rsquo; via the \u0026ldquo;Update authorization policy\u0026rdquo; operation. Changing the authorization policy requires a privileged directory role such as Global Administrator, so this step implies an existing privileged foothold (or an administrator making the change), which is why every change to this setting warrants review.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the consent link for the malicious application via phishing emails or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eUnsuspecting users follow the link and are shown the consent prompt without the risk-based step-up to admin consent that would otherwise block it.\u003c/li\u003e\n\u003cli\u003eUpon consent, the malicious application receives tokens for the user\u0026rsquo;s data and resources in the Azure AD tenant.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this delegated access to read sensitive information, escalate privileges, or move laterally within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the risk-based step-up consent feature in Azure AD significantly increases the likelihood of successful OAuth consent phishing. Successful exploitation grants the attacker delegated access to user data and sensitive information, leading to data breaches and further compromise within the organization. 
The number of affected users and the extent of data loss depend on the scope of the campaign and the permissions the malicious application was granted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the provided Sigma rule to detect when the \u0026lsquo;AllowUserConsentForRiskyApps\u0026rsquo; setting is changed to \u0026lsquo;true\u0026rsquo;, indicating the risk-based step-up consent feature has been disabled.\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs for instances of the \u0026ldquo;Update authorization policy\u0026rdquo; operation that modify the \u0026lsquo;AllowUserConsentForRiskyApps\u0026rsquo; setting, noting who initiated the change and the old and new values.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any change to the \u0026lsquo;AllowUserConsentForRiskyApps\u0026rsquo; setting to ensure it is authorized and legitimate; if it is not, set the value back to \u0026lsquo;false\u0026rsquo; and review recent user consent grants in the tenant.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all users to reduce the risk of account compromise. Note that MFA alone does not stop consent phishing, because the victim authenticates legitimately before consenting; restrict which applications users may consent to (for example, only verified publishers requesting low-impact permissions) and route other requests through admin consent.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of OAuth consent phishing and how to identify suspicious applications and permission requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuread-consent-disable/","summary":"The analytic detects when the risk-based step-up consent security setting in Azure AD is disabled, by monitoring Azure Active Directory audit logs for the 'Update authorization policy' operation and changes to the 'AllowUserConsentForRiskyApps' setting; disabling this protection exposes organizations to OAuth consent phishing attacks.","title":"Azure AD Risk-Based Consent Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-azuread-consent-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — Consent","version":"https://jsonfeed.org/version/1.1"}
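The detection logic the brief describes, as an added example that is not the feed's Sigma rule (which is not reproduced on this page): a Python scan over constructed audit records shaped like Microsoft Graph auditLogs/directoryAudits entries. The field names (activityDisplayName, initiatedBy, targetResources, modifiedProperties) follow that schema; the "[true]"/"[false]" encoding of modified-property values, the sample principals and the timestamps are assumptions. It alerts only on a successful change whose new value is true, and ignores unrelated properties, failed attempts and the reverting change that re-enables the protection.

```python
"""Added example: detect changes that disable Azure AD risk-based step-up consent."""
import json
from typing import Any, Dict, Iterable, List, Optional

TARGET_OPERATION = "Update authorization policy"
TARGET_PROPERTY = "AllowUserConsentForRiskyApps"


def _record(time: str, result: str, initiated_by: Dict[str, Any],
            prop: str, old: str, new: str) -> Dict[str, Any]:
    """Build one constructed audit record in the Graph directoryAudits shape."""
    return {
        "activityDateTime": time,
        "activityDisplayName": TARGET_OPERATION,
        "category": "Policy",
        "result": result,
        "initiatedBy": initiated_by,
        "targetResources": [{
            "displayName": "Authorization Policy",
            "modifiedProperties": [
                {"displayName": prop, "oldValue": old, "newValue": new}],
        }],
    }


# Constructed sample records (not real tenant data). The "[true]" encoding of
# property values is an assumption; parse_bool accepts the common variants.
ADMIN = {"user": {"userPrincipalName": "admin@contoso.example"}}
HELPDESK = {"user": {"userPrincipalName": "helpdesk@contoso.example"}}
BOT = {"app": {"displayName": "tenant-hardening-bot"}}
SAMPLE_AUDIT_RECORDS: List[Dict[str, Any]] = [
    # protection disabled by a user: the one case that should alert
    _record("2024-01-03T09:15:22Z", "success", ADMIN, TARGET_PROPERTY, "[false]", "[true]"),
    # same operation, unrelated property: must not alert
    _record("2024-01-03T09:20:10Z", "success", ADMIN, "AllowInvitesFrom",
            '"everyone"', '"adminsAndGuestInviters"'),
    # failed attempt: skipped because result != success
    _record("2024-01-03T09:30:00Z", "failure", HELPDESK, TARGET_PROPERTY, "[false]", "[true]"),
    # remediation by an automation app re-enables the protection: no alert
    _record("2024-01-03T10:02:45Z", "success", BOT, TARGET_PROPERTY, "[true]", "[false]"),
]


def parse_bool(raw: Any) -> Optional[bool]:
    """Property values arrive as JSON-encoded strings such as '[true]',
    '"true"' or 'true'. Return the boolean, or None if it cannot be parsed."""
    if isinstance(raw, bool):
        return raw
    if raw is None:
        return None
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    if isinstance(value, str):
        lowered = value.strip().lower()
        return lowered == "true" if lowered in ("true", "false") else None
    return value if isinstance(value, bool) else None


def actor_of(record: Dict[str, Any]) -> str:
    """Name the principal that made the change: user UPN or app display name."""
    who = record.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def detect_risky_consent_enabled(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per successful change that sets the property to true."""
    alerts: List[Dict[str, Any]] = []
    for record in records:
        if record.get("activityDisplayName") != TARGET_OPERATION:
            continue
        if str(record.get("result", "success")).lower() != "success":
            continue
        for target in record.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != TARGET_PROPERTY:
                    continue
                new_value = parse_bool(prop.get("newValue"))
                if new_value is True:  # true means step-up consent is disabled
                    alerts.append({
                        "time": record.get("activityDateTime"),
                        "actor": actor_of(record),
                        "old_value": parse_bool(prop.get("oldValue")),
                        "new_value": new_value,
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_risky_consent_enabled(SAMPLE_AUDIT_RECORDS):
        print(f"ALERT {alert['time']}: {alert['actor']} set {TARGET_PROPERTY} "
              f"{alert['old_value']} -> {alert['new_value']}")
```

Run against the constructed records it reports exactly one alert, for the admin change at 09:15:22. Failed attempts are deliberately dropped here; a tenant that wants to see who is trying to weaken the policy can remove the result check and carry the result field into the alert.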