Risk-Based Consent — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/risk-based-consent/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Microsoft 365 Risk-Based Step-Up Consent Disabledhttps://feed.craftedsignal.io/briefs/2024-01-03-o365-risky-app-consent-disabled/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-o365-risky-app-consent-disabled/The Microsoft 365 'risk-based step-up consent' security setting is disabled by an adversary to allow users to grant consent to malicious applications, potentially leading to unauthorized access and data breaches.The disabling of the “risk-based step-up consent” feature in Microsoft 365 is a significant security concern. This feature, when enabled, adds an extra layer of security by requiring administrator approval or additional authentication steps when users attempt to grant permissions to applications deemed risky by Microsoft. When disabled, users can grant consent to potentially malicious OAuth applications without any additional checks, increasing the risk of OAuth phishing attacks. An attacker might disable this feature to facilitate easier access to sensitive user data through malicious applications, bypassing security controls implemented to protect the organization. This could be part of a broader attack to compromise user accounts and exfiltrate data.

Attack Chain

  1. An attacker gains initial access to an account with sufficient privileges to modify Azure Active Directory authorization policies.
  2. The attacker navigates to the Azure Active Directory settings.
  3. The attacker identifies the “risk-based step-up consent” setting.
  4. The attacker disables the “AllowUserConsentForRiskyApps” setting by modifying the authorization policy.
  5. Users are now able to grant consent to risky OAuth applications without triggering additional security checks.
  6. The attacker deploys or promotes a malicious OAuth application, tricking users into granting it permissions.
  7. The malicious application gains access to user data and other resources based on the granted permissions.
  8. The attacker exfiltrates sensitive data or performs other malicious actions using the compromised application.

Impact

Disabling the risk-based step-up consent feature can significantly increase the attack surface of a Microsoft 365 environment. If successful, attackers can compromise user accounts and exfiltrate sensitive data. This can lead to financial loss, reputational damage, and legal liabilities. Organizations that fail to monitor and protect this setting are at higher risk of OAuth phishing attacks and subsequent data breaches.

Recommendation

  • Enable the “risk-based step-up consent” security setting in Microsoft 365 to prevent users from granting consent to risky applications without proper authorization.
  • Deploy the Sigma rule O365 Block User Consent For Risky Apps Disabled to your SIEM to detect when this setting is modified.
  • Review Azure Active Directory audit logs for unexpected changes to authorization policies related to application consent.
  • Monitor user activity for OAuth application consent grants, especially to applications from untrusted or unknown publishers.
]]>mediumadvisoryazureado365oauthrisk-based consentdefense-evasion