{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/illicit-consent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["medium"],"_cs_tags":["azure","entra-id","oauth","illicit-consent"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging illicit consent grants within Microsoft Entra ID to gain unauthorized access to sensitive data. This involves registering a malicious application within an organization's Entra ID environment and tricking users into granting it excessive permissions via OAuth consent. The attack commonly uses spearphishing to distribute links that lead users to grant permissions to seemingly legitimate applications. Once consent is granted, the attacker-controlled application can access resources like mail, profiles, and files on behalf of the compromised user. Detection focuses on identifying unusual consent activity within Azure audit logs, particularly new application consent grants and instances where Microsoft flags an application as risky. This activity is flagged using ES|QL aggregation logic over a 7-day window looking for new or risky user-application consent pairs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker registers a malicious application within Microsoft Entra ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email containing a malicious link.\u003c/li\u003e\n\u003cli\u003eThe victim receives the spearphishing email and clicks the malicious link.\u003c/li\u003e\n\u003cli\u003eThe link redirects the victim to a consent page for the attacker's application.\u003c/li\u003e\n\u003cli\u003eThe consent page requests permissions to access resources such as mail, profiles, and files.\u003c/li\u003e\n\u003cli\u003eThe victim, believing the application is legitimate, grants consent.\u003c/li\u003e\n\u003cli\u003eThe attacker's application receives an OAuth access token.\u003c/li\u003e\n\u003cli\u003eThe attacker's application uses the access token to access resources on behalf of the compromised user, enabling data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful illicit consent grant attack can lead to unauthorized access to sensitive data, including emails, files, and user profiles. The impact includes data breaches, financial loss, and reputational damage. While the exact number of victims is unknown, this technique targets any organization using Microsoft Entra ID and relying on user consent for application access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Entra ID Illicit Consent Grant\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious consent grants.\u003c/li\u003e\n\u003cli\u003eReview Azure audit logs for consent events where the \u003ccode\u003eazure.auditlogs.properties.target_resources.0.modified_properties.5.new_value\u003c/code\u003e field contains \u0026quot;\u003cem\u003eRisky application detected\u003c/em\u003e\u0026quot;.\u003c/li\u003e\n\u003cli\u003eEnable the Admin Consent Workflow in Azure AD to prevent unsanctioned user approvals.\u003c/li\u003e\n\u003cli\u003eRevoke the OAuth grant for any identified malicious application using Graph API or PowerShell.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-illicit-consent/","summary":"Attackers register malicious applications within Entra ID and deceive users into granting extensive permissions through OAuth consent, enabling unauthorized access to sensitive data like emails and files.","title":"Entra ID Illicit Consent Grant via Registered Application","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-illicit-consent/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID","SharePoint Online","OneDrive for Business"],"_cs_severities":["medium"],"_cs_tags":["azure","sharepoint","onedrive","oauth","phishing","illicit-consent"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies when an application accesses SharePoint Online or OneDrive for Business for the first time within a tenant. This is a critical signal for detecting successful OAuth phishing campaigns, where users are tricked into granting consent to malicious applications. Once consent is granted, the malicious app can persistently access file storage without further user interaction. This also catches illicit consent grants, compromised third-party applications, or custom malicious apps registered by adversaries. The rule uses data from Entra ID sign-in logs to identify new application IDs accessing SharePoint or OneDrive resources. The rule looks back 9 months to establish a baseline of known applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email with a link to a malicious OAuth application.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and is redirected to a legitimate-looking consent page.\u003c/li\u003e\n\u003cli\u003eThe victim grants consent to the malicious application, unknowingly providing access to their data.\u003c/li\u003e\n\u003cli\u003eThe malicious application authenticates to Entra ID using the granted consent.\u003c/li\u003e\n\u003cli\u003eThe application accesses SharePoint Online or OneDrive for Business using the victim's permissions.\u003c/li\u003e\n\u003cli\u003eThe application exfiltrates sensitive data from SharePoint or OneDrive.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data for their objectives, such as financial gain or espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful OAuth phishing campaign or illicit consent grant can lead to significant data breaches. An attacker gaining access to SharePoint Online or OneDrive for Business can steal sensitive documents, intellectual property, and other confidential information. This can result in financial losses, reputational damage, and legal liabilities. There is no specific number of victims or sectors targeted detailed in the provided source material.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID Sharepoint or OneDrive Accessed by Unusual Client\u0026quot; to your SIEM and tune for your environment to detect initial access of unusual applications.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eazure.signinlogs.properties.app_id\u003c/code\u003e and \u003ccode\u003eazure.signinlogs.properties.app_display_name\u003c/code\u003e to identify the application and cross-reference with known legitimate applications, as described in the rule's Triage and Analysis section.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eazure.auditlogs\u003c/code\u003e for recent \u003ccode\u003eConsent to application\u003c/code\u003e events matching suspicious app IDs to identify how consent was granted, as documented in the rule's analysis section.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to require admin consent for high-risk permissions and block unverified publishers, as recommended in the Response and Remediation section.\u003c/li\u003e\n\u003cli\u003eEnsure that Microsoft Entra ID Sign-In Logs are being collected and streamed into the Elastic Stack via the Azure integration, as required by the rule setup.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-sharepoint-unusual-access/","summary":"An application accessing SharePoint Online or OneDrive for Business for the first time in a tenant could indicate OAuth phishing, illicit consent grants, or compromised third-party apps accessing file storage.","title":"Entra ID Sharepoint or OneDrive Accessed by Unusual Client","url":"https://feed.craftedsignal.io/briefs/2024-01-entra-id-sharepoint-unusual-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Illicit-Consent","version":"https://jsonfeed.org/version/1.1"}