Consent — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/consent/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Azure AD Risk-Based Consent Disabledhttps://feed.craftedsignal.io/briefs/2024-01-azuread-consent-disable/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-azuread-consent-disable/The analytic detects when the risk-based step-up consent security setting in Azure AD is disabled by monitoring Azure Active Directory logs for the 'Update authorization policy' operation and changes to the 'AllowUserConsentForRiskyApps' setting, potentially exposing organizations to OAuth phishing attacks.This detection identifies instances where the risk-based step-up consent feature in Azure Active Directory (Azure AD) is disabled. The feature, designed to mitigate OAuth phishing attacks by prompting users with extra verification steps when consenting to risky applications, is disabled when the ‘AllowUserConsentForRiskyApps’ setting is set to ’true’. Attackers can exploit this misconfiguration to trick users into granting malicious applications access to sensitive data. This activity is detected by analyzing Azure AD audit logs for the “Update authorization policy” operation, specifically looking for modifications to the ‘AllowUserConsentForRiskyApps’ setting. Successful exploitation can lead to unauthorized access, data breaches, and further compromise within the organization.

Attack Chain

  1. An attacker identifies a target organization using Azure AD and seeks to compromise user accounts.
  2. The attacker crafts a malicious OAuth application designed to harvest user credentials or gain access to sensitive data.
  3. The attacker disables the “risk-based step-up consent” feature in the target Azure AD tenant by modifying the ‘AllowUserConsentForRiskyApps’ setting to ’true’ via the “Update authorization policy” operation.
  4. The attacker distributes the malicious OAuth application via phishing emails or other social engineering techniques.
  5. Unsuspecting users click on the malicious link and are prompted to grant consent to the application without risk-based step-up verification.
  6. Upon granting consent, the malicious application gains access to the user’s data and resources within the Azure AD environment.
  7. The attacker uses the compromised account to access sensitive information, escalate privileges, or move laterally within the organization.

Impact

Disabling the risk-based step-up consent feature in Azure AD can significantly increase the risk of successful OAuth phishing attacks. Successful exploitation could lead to unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization. The number of affected users and the extent of data loss depend on the scope of the attack and the permissions granted to the malicious application.

Recommendation

  • Enable the provided Sigma rule to detect when the ‘AllowUserConsentForRiskyApps’ setting is enabled, indicating the risk-based step-up consent feature has been disabled.
  • Review Azure AD audit logs for instances of the “Update authorization policy” operation that modify the ‘AllowUserConsentForRiskyApps’ setting.
  • Investigate and validate any changes to the ‘AllowUserConsentForRiskyApps’ setting to ensure they are authorized and legitimate.
  • Implement multi-factor authentication (MFA) for all users to reduce the risk of account compromise.
  • Educate users about the risks of OAuth phishing and how to identify suspicious applications.
]]>mediumadvisoryazureoauthconsentphishing