{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/risk-based-consent/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Microsoft 365","Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","o365","oauth","risk-based consent","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe disabling of the \u0026ldquo;risk-based step-up consent\u0026rdquo; feature in Microsoft 365 is a significant security concern. This feature, when enabled, adds an extra layer of security by requiring administrator approval or additional authentication steps when users attempt to grant permissions to applications deemed risky by Microsoft. When disabled, users can grant consent to potentially malicious OAuth applications without any additional checks, increasing the risk of OAuth phishing attacks. An attacker might disable this feature to facilitate easier access to sensitive user data through malicious applications, bypassing security controls implemented to protect the organization. This could be part of a broader attack to compromise user accounts and exfiltrate data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an account with sufficient privileges to modify Azure Active Directory authorization policies.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Active Directory settings.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u0026ldquo;risk-based step-up consent\u0026rdquo; setting.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the \u0026ldquo;AllowUserConsentForRiskyApps\u0026rdquo; setting by modifying the authorization policy.\u003c/li\u003e\n\u003cli\u003eUsers are now able to grant consent to risky OAuth applications without triggering additional security checks.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or promotes a malicious OAuth application, tricking users into granting it permissions.\u003c/li\u003e\n\u003cli\u003eThe malicious application gains access to user data and other resources based on the granted permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs other malicious actions using the compromised application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the risk-based step-up consent feature can significantly increase the attack surface of a Microsoft 365 environment. If successful, attackers can compromise user accounts and exfiltrate sensitive data. This can lead to financial loss, reputational damage, and legal liabilities. Organizations that fail to monitor and protect this setting are at higher risk of OAuth phishing attacks and subsequent data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u0026ldquo;risk-based step-up consent\u0026rdquo; security setting in Microsoft 365 to prevent users from granting consent to risky applications without proper authorization.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Block User Consent For Risky Apps Disabled\u003c/code\u003e to your SIEM to detect when this setting is modified.\u003c/li\u003e\n\u003cli\u003eReview Azure Active Directory audit logs for unexpected changes to authorization policies related to application consent.\u003c/li\u003e\n\u003cli\u003eMonitor user activity for OAuth application consent grants, especially to applications from untrusted or unknown publishers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-o365-risky-app-consent-disabled/","summary":"The Microsoft 365 'risk-based step-up consent' security setting is disabled by an adversary to allow users to grant consent to malicious applications, potentially leading to unauthorized access and data breaches.","title":"Microsoft 365 Risk-Based Step-Up Consent Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-o365-risky-app-consent-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Risk-Based Consent","version":"https://jsonfeed.org/version/1.1"}