{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credentialtheft/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Microsoft Graph API"],"_cs_severities":["medium"],"_cs_tags":["azure","graphapi","email","oauth","credentialtheft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule identifies access to email resources via Microsoft Graph API using a first-party application on behalf of a user principal, which may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. This behavior can lead to unauthorized email access, data exfiltration, and business email compromise. The detection focuses on requests to Microsoft Graph API endpoints related to email, such as \u003ccode\u003e/me/mailFolders/inbox/messages\u003c/code\u003e or \u003ccode\u003e/users/{user_id}/messages\u003c/code\u003e, using a public client application ID and a user principal object ID. The rule uses a new_terms aggregation, only signaling if the application ID and user principal object ID combination have not been seen doing this activity in the last 14 days, reducing false positives from common or expected application usage. The detection logic incorporates activity from Microsoft Graph Activity Logs to identify anomalous email access patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to a user's credentials, either through phishing, credential stuffing, or by compromising a Primary Refresh Token (PRT). (T1566, T1110)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Exploitation:\u003c/strong\u003e The attacker uses the compromised OAuth refresh token or PRT to authenticate to the Microsoft Graph API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Registration (Optional):\u003c/strong\u003e The attacker might register a malicious application within Azure AD to facilitate access. (Not explicitly covered but a possibility.)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGraph API Interaction:\u003c/strong\u003e The attacker makes requests to the Microsoft Graph API, specifically targeting email resources using email-related scopes such as \u003ccode\u003eMail.Read\u003c/code\u003e, \u003ccode\u003eMail.ReadWrite\u003c/code\u003e, or \u003ccode\u003eMail.Send\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEmail Access:\u003c/strong\u003e The attacker accesses sensitive email data, potentially reading inbox contents, sending emails, or enumerating mail folders via the \u003ccode\u003e/me/mailFolders/inbox/messages\u003c/code\u003e or \u003ccode\u003e/users/{user_id}/messages\u003c/code\u003e endpoints. (T1114)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Manipulation:\u003c/strong\u003e The attacker exfiltrates sensitive information or manipulates email content for malicious purposes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker maintains access by continuously using the compromised token or by establishing new persistence mechanisms.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain unauthorized access to sensitive email communications, intellectual property, and customer data. Business email compromise (BEC) is a likely outcome, enabling attackers to conduct fraudulent activities. The number of potential victims is vast, encompassing any organization using Microsoft 365 and relying on Azure Active Directory (Entra ID) for authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual Graph API Email Access by Client and User\u003c/code\u003e to your SIEM to detect anomalous access patterns. Tune the rule by allowlisting known good \u003ccode\u003eapp_id\u003c/code\u003e and \u003ccode\u003euser_principal_object_id\u003c/code\u003e combinations to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the \u003ccode\u003eazure.graphactivitylogs.properties.app_id\u003c/code\u003e, \u003ccode\u003euser.id\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003eazure.graphactivitylogs.properties.scopes\u003c/code\u003e fields in the logs.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to restrict OAuth consent and risky sign-ins, mitigating the initial access vector. Refer to the references for guidance.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review application permissions within Azure AD to identify and remove any suspicious or overly permissive applications.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eazure.auditlogs\u003c/code\u003e and \u003ccode\u003eazure.signinlogs\u003c/code\u003e for recent application grants and risky sign-ins occurring before or after email access.\u003c/li\u003e\n\u003cli\u003eBlock known malicious applications by \u003ccode\u003eazure.graphactivitylogs.properties.app_id\u003c/code\u003e in your Azure AD tenant based on threat intelligence feeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/","summary":"Detects anomalous access to email resources via Microsoft Graph API, potentially indicating a compromised OAuth refresh token or Primary Refresh Token (PRT) being used by an attacker.","title":"Microsoft Graph API Email Access by Unusual Client and User","url":"https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Credentialtheft","version":"https://jsonfeed.org/version/1.1"}