{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/graphapi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["NOBELIUM Group"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory"],"_cs_severities":["critical"],"_cs_tags":["azuread","cloud","graphapi","privilegeescalation","persistence"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the assignment of privileged Graph API permissions within Azure Active Directory (Azure AD). Attackers, including groups like NOBELIUM, may attempt to assign themselves or compromised applications excessive permissions to maintain persistence, escalate privileges, or achieve other malicious objectives within the cloud environment. The permissions of concern are Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory, as these grant broad control over applications, role assignments, and directory settings. The detection leverages Azure AD audit logs specifically monitoring 'Update application' operations. Successful exploitation can lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. This activity became particularly relevant after the Midnight Blizzard attack, highlighting the need for robust monitoring of Azure AD permission changes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account, possibly through credential theft or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses the Azure CLI with the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an existing application registration within Azure AD that they can modify.\u003c/li\u003e\n\u003cli\u003eUsing the compromised account, the attacker attempts to update the application registration.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns one or more of the following high-risk Graph API permissions to the application: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, or RoleManagement.ReadWrite.Directory. This involves modifying the \u003ccode\u003erequiredAppPermissions\u003c/code\u003e property of the application object.\u003c/li\u003e\n\u003cli\u003eThe Azure AD audit log records an \u0026quot;Update application\u0026quot; event with the modified \u003ccode\u003erequiredAppPermissions\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the application's newly acquired permissions to perform malicious actions, such as reading or modifying application configurations, role assignments, or directory settings.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by leveraging the application's elevated privileges for ongoing unauthorized access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful assignment of these permissions can lead to a complete compromise of the Azure AD environment. An attacker can modify application configurations, create or delete users, assign roles, and potentially gain access to other connected resources and services. The impact can range from data breaches and service disruption to complete control over the organization's cloud identity infrastructure. This is a critical issue, especially in light of recent nation-state attacks targeting Azure AD, as highlighted by Microsoft's guidance on the Midnight Blizzard attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eAzure AD Privileged Graph API Permission Assigned\u003c/code\u003e to your SIEM, ensuring it is tuned to your environment, and enable the data source: \u003ccode\u003eazure_monitor_aad\u003c/code\u003e with category \u003ccode\u003eAuditLogs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule \u003ccode\u003eAzure AD Privileged Graph API Permission Assigned\u003c/code\u003e immediately to determine if the permission assignment was authorized.\u003c/li\u003e\n\u003cli\u003eReview application registrations in Azure AD and identify any applications with excessive or unnecessary permissions.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for any modifications to application registrations, focusing on changes to the \u003ccode\u003erequiredAppPermissions\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges, to mitigate the risk of credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-graph-permissions/","summary":"Detection of high-risk Graph API permission assignments (Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory) in Azure AD, potentially leading to unauthorized modifications and security breaches.","title":"Azure AD Privileged Graph API Permission Assignment","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-ad-graph-permissions/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Microsoft Graph API"],"_cs_severities":["medium"],"_cs_tags":["azure","graphapi","email","oauth","credentialtheft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule identifies access to email resources via Microsoft Graph API using a first-party application on behalf of a user principal, which may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. This behavior can lead to unauthorized email access, data exfiltration, and business email compromise. The detection focuses on requests to Microsoft Graph API endpoints related to email, such as \u003ccode\u003e/me/mailFolders/inbox/messages\u003c/code\u003e or \u003ccode\u003e/users/{user_id}/messages\u003c/code\u003e, using a public client application ID and a user principal object ID. The rule uses a new_terms aggregation, only signaling if the application ID and user principal object ID combination have not been seen doing this activity in the last 14 days, reducing false positives from common or expected application usage. The detection logic incorporates activity from Microsoft Graph Activity Logs to identify anomalous email access patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to a user's credentials, either through phishing, credential stuffing, or by compromising a Primary Refresh Token (PRT). (T1566, T1110)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Exploitation:\u003c/strong\u003e The attacker uses the compromised OAuth refresh token or PRT to authenticate to the Microsoft Graph API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Registration (Optional):\u003c/strong\u003e The attacker might register a malicious application within Azure AD to facilitate access. (Not explicitly covered but a possibility.)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGraph API Interaction:\u003c/strong\u003e The attacker makes requests to the Microsoft Graph API, specifically targeting email resources using email-related scopes such as \u003ccode\u003eMail.Read\u003c/code\u003e, \u003ccode\u003eMail.ReadWrite\u003c/code\u003e, or \u003ccode\u003eMail.Send\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEmail Access:\u003c/strong\u003e The attacker accesses sensitive email data, potentially reading inbox contents, sending emails, or enumerating mail folders via the \u003ccode\u003e/me/mailFolders/inbox/messages\u003c/code\u003e or \u003ccode\u003e/users/{user_id}/messages\u003c/code\u003e endpoints. (T1114)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Manipulation:\u003c/strong\u003e The attacker exfiltrates sensitive information or manipulates email content for malicious purposes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker maintains access by continuously using the compromised token or by establishing new persistence mechanisms.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain unauthorized access to sensitive email communications, intellectual property, and customer data. Business email compromise (BEC) is a likely outcome, enabling attackers to conduct fraudulent activities. The number of potential victims is vast, encompassing any organization using Microsoft 365 and relying on Azure Active Directory (Entra ID) for authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual Graph API Email Access by Client and User\u003c/code\u003e to your SIEM to detect anomalous access patterns. Tune the rule by allowlisting known good \u003ccode\u003eapp_id\u003c/code\u003e and \u003ccode\u003euser_principal_object_id\u003c/code\u003e combinations to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the \u003ccode\u003eazure.graphactivitylogs.properties.app_id\u003c/code\u003e, \u003ccode\u003euser.id\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003eazure.graphactivitylogs.properties.scopes\u003c/code\u003e fields in the logs.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to restrict OAuth consent and risky sign-ins, mitigating the initial access vector. Refer to the references for guidance.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review application permissions within Azure AD to identify and remove any suspicious or overly permissive applications.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eazure.auditlogs\u003c/code\u003e and \u003ccode\u003eazure.signinlogs\u003c/code\u003e for recent application grants and risky sign-ins occurring before or after email access.\u003c/li\u003e\n\u003cli\u003eBlock known malicious applications by \u003ccode\u003eazure.graphactivitylogs.properties.app_id\u003c/code\u003e in your Azure AD tenant based on threat intelligence feeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/","summary":"Detects anomalous access to email resources via Microsoft Graph API, potentially indicating a compromised OAuth refresh token or Primary Refresh Token (PRT) being used by an attacker.","title":"Microsoft Graph API Email Access by Unusual Client and User","url":"https://feed.craftedsignal.io/briefs/2024-01-09-graph-email-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Graph API","Microsoft 365","Microsoft Entra ID"],"_cs_severities":["medium"],"_cs_tags":["azure","graphapi","oauth","email"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious access to email resources through the Microsoft Graph API. Attackers may leverage compromised OAuth refresh tokens or Primary Refresh Tokens (PRTs) to access sensitive email data. The activity is characterized by requests to Microsoft Graph API endpoints such as \u003ccode\u003e/me/mailFolders/inbox/messages\u003c/code\u003e or \u003ccode\u003e/users/{user_id}/messages\u003c/code\u003e, using a public client application ID on behalf of a user. The rule focuses on identifying novel combinations of application ID and user principal object ID accessing email resources within a 14-day timeframe, as this may indicate a compromised or newly deployed malicious application. This behavior could be related to campaigns similar to those observed by Volexity targeting Microsoft 365 OAuth workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a user's credentials or obtains a valid OAuth refresh token or PRT through phishing or other means (T1566).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised token to authenticate to the Microsoft Graph API via a custom or existing application.\u003c/li\u003e\n\u003cli\u003eThe application requests access to email-related scopes such as \u003ccode\u003eMail.Read\u003c/code\u003e, \u003ccode\u003eMail.ReadWrite\u003c/code\u003e, or \u003ccode\u003eMail.Send\u003c/code\u003e (T1550.001).\u003c/li\u003e\n\u003cli\u003eThe application makes API calls to enumerate mail folders, read messages, or send emails on behalf of the compromised user (T1114.002).\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive email content or use the compromised account to send phishing emails to other users (TA0009).\u003c/li\u003e\n\u003cli\u003eThe unusual combination of application ID and user principal triggers a detection due to the novel access pattern.\u003c/li\u003e\n\u003cli\u003eThe attacker persists by continuing to use the stolen token for ongoing access to email resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive email data, potentially resulting in data breaches, financial loss, and reputational damage. The compromise of user accounts can also enable attackers to send phishing emails or conduct further malicious activities within the organization. If undetected, the attacker can maintain persistent access to email resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMicrosoft Graph Unusual App Email Access\u003c/code\u003e to detect novel app/user combinations accessing email data via Graph API, using \u003ccode\u003elogs-azure.graphactivitylogs-*\u003c/code\u003e as the index.\u003c/li\u003e\n\u003cli\u003eInvestigate applications flagged by the rule by pivoting to Azure Portal -\u0026gt; Enterprise Applications and searching by the \u003ccode\u003eazure.graphactivitylogs.properties.app_id\u003c/code\u003e to determine app details, publisher, and consent status.\u003c/li\u003e\n\u003cli\u003eReview and restrict risky OAuth permissions in Conditional Access and App Governance policies, as mentioned in the triage steps within the rule's description.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious automation tools in the \u003ccode\u003euser_agent.original\u003c/code\u003e field within the \u003ccode\u003elogs-azure.graphactivitylogs-*\u003c/code\u003e index to identify potential scripted access.\u003c/li\u003e\n\u003cli\u003eRevoke the application's consent in Azure AD and revoke user refresh tokens via Microsoft Entra or PowerShell if unauthorized access is suspected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-graph-email-access/","summary":"An adversary might use a phished OAuth refresh token or Primary Refresh Token (PRT) with a first-party application to access email resources via Microsoft Graph API, particularly focusing on unusual application and user combinations.","title":"Unusual Microsoft Graph Email Access via OAuth Application","url":"https://feed.craftedsignal.io/briefs/2024-01-graph-email-access/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Graph API","Microsoft 365"],"_cs_severities":["low"],"_cs_tags":["cloud","azure","graphapi","initial_access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the initial use of a Microsoft Graph API request originating from a specific client application ID (\u003ccode\u003eazure.graphactivitylogs.properties.app_id\u003c/code\u003e) tied to a user principal object ID (\u003ccode\u003eazure.graphactivitylogs.properties.user_principal_object_id\u003c/code\u003e) and a tenant ID (\u003ccode\u003eazure.tenant_id\u003c/code\u003e). This activity may signify unauthorized access achieved through methods like phishing, stolen tokens, or exploitation of OAuth workflows. Threat actors may leverage legitimate Microsoft or third-party application IDs to evade suspicion while performing actions on behalf of compromised users. The rule focuses on identifying unusual combinations of these three identifiers within a defined timeframe to highlight potentially malicious activity that bypasses standard authentication alerts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises user credentials through phishing or other means (T1566).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains or steals a legitimate application access token (T1528).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen access token to make authenticated requests to the Microsoft Graph API, impersonating the compromised user.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the Graph API for sensitive information such as user details, email, or files.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses and potentially downloads sensitive data through the Graph API.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to perform actions such as sending emails or creating resources.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by creating new OAuth applications or modifying existing ones.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, including emails, files, and user information, within a Microsoft 365 environment. Attackers can leverage compromised accounts to perform malicious actions, such as sending phishing emails or creating new resources. The scope of impact depends on the permissions granted to the compromised application and the data accessible through the Graph API. Detecting the initial unusual use of a client ID helps in early identification before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Microsoft Graph Request User Impersonation by Unusual Client\u0026quot; to your SIEM and tune the \u003ccode\u003ehistory_window_start\u003c/code\u003e parameter to your environment needs.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eazure.graphactivitylogs.properties.user_principal_object_id\u003c/code\u003e and correlate with recent sign-in logs for the associated user as mentioned in the rule's note section.\u003c/li\u003e\n\u003cli\u003eInspect \u003ccode\u003eazure.graphactivitylogs.properties.scopes\u003c/code\u003e to understand the level of access being requested by the app, as suggested in the rule's note section.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to restrict Graph API access based on app type, IP address, or device state as described in the rule's note section.\u003c/li\u003e\n\u003cli\u003eMonitor usage of new or uncommon \u003ccode\u003eapp_id\u003c/code\u003e values across your tenant.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-graph-api-user-impersonation/","summary":"Detection of the first-time use of a Microsoft Graph API request by a specific client application ID, user principal object ID, and tenant ID, potentially indicating unauthorized access via phishing, token theft, or OAuth abuse.","title":"Microsoft Graph API Request User Impersonation by Unusual Client","url":"https://feed.craftedsignal.io/briefs/2024-01-graph-api-user-impersonation/"}],"language":"en","title":"CraftedSignal Threat Feed - Graphapi","version":"https://jsonfeed.org/version/1.1"}