<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Credentialtheft - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/credentialtheft/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 18:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/credentialtheft/feed.xml" rel="self" type="application/rss+xml"/><item><title>Microsoft Graph API Email Access by Unusual Client and User</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/</link><pubDate>Tue, 09 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/</guid><description>Detects anomalous access to email resources via Microsoft Graph API, potentially indicating a compromised OAuth refresh token or Primary Refresh Token (PRT) being used by an attacker.</description><content:encoded><![CDATA[<p>This rule identifies access to email resources via Microsoft Graph API using a first-party application on behalf of a user principal, which may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. This behavior can lead to unauthorized email access, data exfiltration, and business email compromise. The detection focuses on requests to Microsoft Graph API endpoints related to email, such as <code>/me/mailFolders/inbox/messages</code> or <code>/users/{user_id}/messages</code>, using a public client application ID and a user principal object ID. The rule uses a new_terms aggregation, only signaling if the application ID and user principal object ID combination have not been seen doing this activity in the last 14 days, reducing false positives from common or expected application usage. The detection logic incorporates activity from Microsoft Graph Activity Logs to identify anomalous email access patterns.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to a user's credentials, either through phishing, credential stuffing, or by compromising a Primary Refresh Token (PRT). (T1566, T1110)</li>
<li><strong>Token Exploitation:</strong> The attacker uses the compromised OAuth refresh token or PRT to authenticate to the Microsoft Graph API.</li>
<li><strong>Application Registration (Optional):</strong> The attacker might register a malicious application within Azure AD to facilitate access. (Not explicitly covered but a possibility.)</li>
<li><strong>Graph API Interaction:</strong> The attacker makes requests to the Microsoft Graph API, specifically targeting email resources using email-related scopes such as <code>Mail.Read</code>, <code>Mail.ReadWrite</code>, or <code>Mail.Send</code>.</li>
<li><strong>Email Access:</strong> The attacker accesses sensitive email data, potentially reading inbox contents, sending emails, or enumerating mail folders via the <code>/me/mailFolders/inbox/messages</code> or <code>/users/{user_id}/messages</code> endpoints. (T1114)</li>
<li><strong>Data Exfiltration/Manipulation:</strong> The attacker exfiltrates sensitive information or manipulates email content for malicious purposes.</li>
<li><strong>Persistence:</strong> The attacker maintains access by continuously using the compromised token or by establishing new persistence mechanisms.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain unauthorized access to sensitive email communications, intellectual property, and customer data. Business email compromise (BEC) is a likely outcome, enabling attackers to conduct fraudulent activities. The number of potential victims is vast, encompassing any organization using Microsoft 365 and relying on Azure Active Directory (Entra ID) for authentication.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Unusual Graph API Email Access by Client and User</code> to your SIEM to detect anomalous access patterns. Tune the rule by allowlisting known good <code>app_id</code> and <code>user_principal_object_id</code> combinations to reduce false positives.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the <code>azure.graphactivitylogs.properties.app_id</code>, <code>user.id</code>, <code>source.ip</code>, and <code>azure.graphactivitylogs.properties.scopes</code> fields in the logs.</li>
<li>Implement Conditional Access policies to restrict OAuth consent and risky sign-ins, mitigating the initial access vector. Refer to the references for guidance.</li>
<li>Regularly audit and review application permissions within Azure AD to identify and remove any suspicious or overly permissive applications.</li>
<li>Monitor <code>azure.auditlogs</code> and <code>azure.signinlogs</code> for recent application grants and risky sign-ins occurring before or after email access.</li>
<li>Block known malicious applications by <code>azure.graphactivitylogs.properties.app_id</code> in your Azure AD tenant based on threat intelligence feeds.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>graphapi</category><category>email</category><category>oauth</category><category>credentialtheft</category></item></channel></rss>