Microsoft 365 Illicit Consent Grant via Registered Application

Identifies a Microsoft 365 illicit consent grant request made on behalf of a registered Entra ID application. Adversaries may create and register an application in Microsoft Entra ID for the purpose of requesting user consent to access resources in Microsoft 365. This is accomplished by tricking a user into granting consent to the application, typically via a pre-made phishing URL. Once granted, the resulting OAuth grant allows the malicious client application to access resources in Microsoft 365 on behalf of the user.

Elastic rule

```toml
[metadata]
creation_date = "2025/03/24"
integration = ["o365"]
maturity = "production"
updated_date = "2025/03/24"

[rule]
author = ["Elastic"]
description = """
Identifies a Microsoft 365 illicit consent grant request made on behalf of a registered Entra ID application. Adversaries
may create and register an application in Microsoft Entra ID for the purpose of requesting user consent to access
resources in Microsoft 365. This is accomplished by tricking a user into granting consent to the application, typically
via a pre-made phishing URL. Once granted, the resulting OAuth grant allows the malicious client application to access
resources in Microsoft 365 on behalf of the user.
"""
from = "now-9m"
index = ["filebeat-*", "logs-o365**"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Illicit Consent Grant via Registered Application"
note = """## Triage and analysis

### Investigating Microsoft 365 Illicit Consent Grant via Registered Application

Adversaries may register a malicious application in Microsoft Entra ID and trick users into granting excessive permissions via OAuth consent. Once consent is granted, these apps can access sensitive Microsoft 365 data, such as mail, profiles, and files, on behalf of the user. This activity is often initiated through spearphishing campaigns that direct the user to a pre-crafted OAuth consent URL.

This rule identifies a new consent grant to an application using Microsoft 365 audit logs. Additionally, this is a New Terms rule that will only trigger if the user and client ID pair has not been seen performing this activity in the last 14 days.

#### Possible investigation steps

- **Review the app in Entra ID**:
  - Go to **Enterprise Applications** in the Azure portal.
  - Search for the `AppId` or name from `o365.audit.ObjectId`.
  - Review granted API permissions and whether admin consent was required.
  - Check the `Publisher` and `Verified` status.

- **Assess the user who granted consent**:
  - Investigate `o365.audit.UserId` (e.g., `terrance.dejesus@...`) for signs of phishing or account compromise.
  - Check if the user was targeted in recent phishing simulations or campaigns.
  - Review the user's sign-in logs for suspicious geolocation, IP, or device changes.

- **Determine scope and risk**:
  - Use the `ConsentContext_IsAdminConsent` and `ConsentContext_OnBehalfOfAll` flags to assess privilege level: admin consent or on-behalf-of-all grants expose every user in the tenant, not just the one who clicked.
  - If `offline_access` or `Mail.Read` was granted, consider potential data exposure; `offline_access` means the app holds a refresh token and keeps access after the user's session ends.
  - Cross-reference affected `Target` objects with known business-critical assets or data owners.

- **Correlate additional telemetry**:
  - Review logs from Defender for Cloud Apps (MCAS), Microsoft Purview, or other DLP tooling for unusual access patterns.
  - Search for the `AppId` across your tenant to determine how widely it is used.

### False positive analysis

- Not all consent grants are malicious. Verify whether the app is business-approved, listed in your app catalog, or commonly used by users in that role or department.
- Consent reasons like `WindowsAzureActiveDirectoryIntegratedApp` could relate to integrated services, though these still require verification.

### Response and remediation

- **If the app is confirmed malicious**:
  - Revoke OAuth consent using the [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-delete).
  - Disable (`accountEnabled: false`) or remove the app's service principal in Entra ID.
  - Block the app via the Conditional Access "Grant" control or Defender for Cloud Apps policies.
  - Revoke refresh tokens and require reauthentication for affected users; revoking the grant alone does not invalidate tokens already issued.
  - Notify end-users and IT of the potential exposure.
  - Activate your phishing or OAuth abuse response playbook.

- **Prevent future misuse**:
  - Restrict user consent in Entra ID (for example, allow user consent only for apps from verified publishers requesting low-impact permissions) and enable the [Admin consent workflow](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) so users can request review of anything else.
  - Audit and reduce overprivileged applications in your environment.
  - Consider using Defender for Cloud Apps OAuth app governance.

"""
references = [
    "https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-analysis-and-best-practices",
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide",
    "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/",
    "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps",
    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
]
risk_score = 47
rule_id = "0c3c80de-08c2-11f0-bd11-f661ea17fbcc"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
    "Tactic: Initial Access",
    "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "o365.audit"
  and o365.audit.Actor.Type: 5
  and event.action: "Consent to application."
  and event.outcome: "success"
  and o365.audit.Target.Type: (0 or 2 or 3 or 9 or 10)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.action",
    "event.outcome",
    "o365.audit.UserId",
    "o365.audit.ObjectId",
    "o365.audit.Actor.Type",
    "o365.audit.Target.Type",
    "o365.audit.ModifiedProperties.ConsentAction_Reason.NewValue",
    "o365.audit.ExtendedProperties.additionalDetails",
    "cloud.region"
]

[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "o365.audit.ObjectId"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
...
```
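
To make the query and the New Terms window concrete, here is an added example (written for this page; it is not part of Elastic's rule or the o365 integration) that replays the KQL clauses and the 14-day new-terms check over a handful of constructed audit events in the flattened `o365.audit.*` shape the rule references, then pulls out the consent-context flags and scopes the triage guide asks for. The `ConsentAction_Permissions` property name, the `Scope: ...` substring format, and the `HIGH_RISK_SCOPES` list are assumptions modelled on the rule's own `ConsentAction_Reason.NewValue` naming; check them against your own ingested events before relying on them.

```python
"""Replay of the rule's KQL filter and New Terms window over constructed o365.audit events (added example)."""
from datetime import datetime, timedelta, timezone
import re

# Clauses copied from the rule's query.
CONSENT_ACTION = "Consent to application."
ACTOR_TYPE_UPN = 5                    # o365.audit.Actor.Type: 5 (UPN in the Management Activity API schema, i.e. a user)
TARGET_TYPES = {0, 2, 3, 9, 10}       # o365.audit.Target.Type: (0 or 2 or 3 or 9 or 10)
HISTORY_WINDOW = timedelta(days=14)   # history_window_start = "now-14d"

# Delegated scopes the triage guide treats as likely data exposure (a local tuning list, an assumption).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access"}

# Assumed layout of the flattened ModifiedProperties entry carrying the granted scopes; the NewValue
# string is assumed to look like "[] => [[..., ConsentType: Principal, Scope: openid Mail.Read]]".
SCOPE_RE = re.compile(r"Scope:\s*([^\]]+)")


def matches_query(ev):
    """True when an event satisfies every clause of the rule's KQL query (multi-valued fields are lists)."""
    return (
        ev.get("event.dataset") == "o365.audit"
        and ev.get("event.action") == CONSENT_ACTION
        and ev.get("event.outcome") == "success"
        and ACTOR_TYPE_UPN in ev.get("o365.audit.Actor.Type", [])
        and bool(TARGET_TYPES & set(ev.get("o365.audit.Target.Type", [])))
    )


def triage(ev):
    """Extract the consent-context flags and scopes the investigation guide tells the analyst to check."""
    props = ev.get("o365.audit.ModifiedProperties", {})

    def flag(name):
        return props.get(name, {}).get("NewValue") == "True"

    m = SCOPE_RE.search(props.get("ConsentAction_Permissions", {}).get("NewValue", ""))
    scopes = set(m.group(1).split()) if m else set()
    return {
        "timestamp": ev["@timestamp"],
        "user": ev["o365.audit.UserId"],
        "app_object_id": ev["o365.audit.ObjectId"],
        "admin_consent": flag("ConsentContext_IsAdminConsent"),
        "on_behalf_of_all": flag("ConsentContext_OnBehalfOfAll"),
        "reason": props.get("ConsentAction_Reason", {}).get("NewValue"),
        "high_risk_scopes": sorted(scopes & HIGH_RISK_SCOPES),
    }


def new_terms_alerts(events):
    """One alert per (UserId, ObjectId) pair not seen in a matching event during the previous 14 days.

    Approximates Elastic's New Terms evaluation: only the pair's most recent prior sighting matters.
    """
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = (ev["o365.audit.UserId"], ev["o365.audit.ObjectId"])
        prev = last_seen.get(key)
        if prev is None or ev["@timestamp"] - prev > HISTORY_WINDOW:
            alerts.append(triage(ev))
        last_seen[key] = ev["@timestamp"]
    return alerts


# --- constructed sample events (placeholder ids, not real tenant data) -----------------------------
T0 = datetime(2025, 3, 24, tzinfo=timezone.utc)
APP_A, APP_B = "3f0c9e4a-app-a", "7b21d6c0-app-b"


def make_event(day, user, app, scope="openid profile", outcome="success", actor_types=(5, 2, 3)):
    return {
        "@timestamp": T0 + timedelta(days=day),
        "event.dataset": "o365.audit",
        "event.action": CONSENT_ACTION,
        "event.outcome": outcome,
        "o365.audit.UserId": user,
        "o365.audit.ObjectId": app,
        "o365.audit.Actor.Type": list(actor_types),   # a user actor carries several identity types; 5 is UPN
        "o365.audit.Target.Type": [0, 2, 3],
        "o365.audit.ModifiedProperties": {
            "ConsentContext_IsAdminConsent": {"NewValue": "False"},
            "ConsentContext_OnBehalfOfAll": {"NewValue": "False"},
            "ConsentAction_Reason": {"NewValue": "WindowsAzureActiveDirectoryIntegratedApp"},
            "ConsentAction_Permissions": {"NewValue": f"[] => [[ConsentType: Principal, Scope: {scope}]]"},
        },
    }


SAMPLE_EVENTS = [
    make_event(0, "alice@example.com", APP_A, scope="openid profile offline_access Mail.Read"),  # new pair -> alert
    make_event(1, "alice@example.com", APP_A),                    # same pair seen 1 day ago -> no alert
    make_event(2, "bob@example.com", APP_A),                      # new pair -> alert
    make_event(3, "alice@example.com", APP_B, outcome="failure"), # fails event.outcome clause
    make_event(4, "svc@example.com", APP_B, actor_types=(4,)),    # SPN actor, not a user -> filtered out
    make_event(20, "alice@example.com", APP_A),                   # 19 days since last sighting -> alert again
]

if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_EVENTS):
        print(a["timestamp"].date(), a["user"], a["app_object_id"], a["high_risk_scopes"])
```

The day-20 alert is the point worth noticing: a pair ages out of the history window, so a second consent by the same user to the same app after a quiet fortnight fires again, which is the intended behaviour of a New Terms rule, not a bug.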

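
The remediation steps in the rule's note map onto a short sequence of Microsoft Graph v1.0 calls. The following added example (mine, not Elastic's or Microsoft's code) shows that sequence against a recording stand-in for an authenticated HTTP session so it runs offline. The app id, object ids and canned responses are constructed placeholders; only the endpoint paths are real Graph endpoints.

```python
"""Containment of a confirmed illicit consent grant as a Microsoft Graph v1.0 call sequence (added example)."""
GRAPH = "https://graph.microsoft.com/v1.0"


class RecordingTransport:
    """Stand-in for an authenticated HTTP session: records every call and serves canned JSON (constructed)."""

    def __init__(self, responses):
        self.responses = responses  # {(method, path): parsed JSON body}
        self.calls = []

    def request(self, method, path):
        self.calls.append((method, path))
        return self.responses.get((method, path), {})


def contain_app(tx, app_id):
    """Revoke delegated and application grants for app_id, force re-auth for consenting users, remove the SP.

    tx must expose request(method, path) -> parsed JSON (empty dict for 204 responses).
    Deleting a grant only stops new token issuance; access tokens already issued stay valid until they
    expire, which is why step 3 revokes sign-in sessions (refresh tokens) as well.
    """
    sps = tx.request("GET", f"{GRAPH}/servicePrincipals?$filter=appId eq '{app_id}'").get("value", [])
    if not sps:
        raise LookupError(f"no service principal for appId {app_id} in this tenant")
    sp_id = sps[0]["id"]
    affected_users, tenant_wide = set(), False

    # 1. Delegated (on-behalf-of-user) consent: oauth2PermissionGrants whose clientId is the SP object id.
    grants = tx.request("GET", f"{GRAPH}/oauth2PermissionGrants?$filter=clientId eq '{sp_id}'").get("value", [])
    for g in grants:
        tx.request("DELETE", f"{GRAPH}/oauth2PermissionGrants/{g['id']}")
        if g.get("consentType") == "AllPrincipals":   # admin consent for every user; no single principal listed
            tenant_wide = True
        elif g.get("principalId"):
            affected_users.add(g["principalId"])

    # 2. Application permissions: app roles assigned to the SP (app-only access that needs no user at all).
    roles = tx.request("GET", f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments").get("value", [])
    for r in roles:
        tx.request("DELETE", f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments/{r['id']}")

    # 3. Invalidate refresh tokens for every user who consented so the app cannot renew its access.
    for uid in sorted(affected_users):
        tx.request("POST", f"{GRAPH}/users/{uid}/revokeSignInSessions")

    # 4. Delete the service principal; without one the app cannot obtain tokens for this tenant.
    tx.request("DELETE", f"{GRAPH}/servicePrincipals/{sp_id}")
    return {
        "service_principal": sp_id,
        "grants_revoked": len(grants),
        "app_roles_removed": len(roles),
        "users_reauth": sorted(affected_users),
        "tenant_wide_grant_seen": tenant_wide,
    }


# --- constructed tenant state for the offline run (placeholder ids, not real objects) ------------------
MALICIOUS_APP_ID = "00000000-0000-4000-8000-00000000c0de"
SP_ID = "sp-object-id-1"
CANNED = {
    ("GET", f"{GRAPH}/servicePrincipals?$filter=appId eq '{MALICIOUS_APP_ID}'"): {
        "value": [{"id": SP_ID, "appId": MALICIOUS_APP_ID, "displayName": "Mail Backup Helper"}]
    },
    ("GET", f"{GRAPH}/oauth2PermissionGrants?$filter=clientId eq '{SP_ID}'"): {
        "value": [
            {"id": "grant-1", "consentType": "Principal", "principalId": "user-alice",
             "scope": "openid offline_access Mail.Read"},
            {"id": "grant-2", "consentType": "Principal", "principalId": "user-bob",
             "scope": "openid offline_access Mail.Read"},
        ]
    },
    ("GET", f"{GRAPH}/servicePrincipals/{SP_ID}/appRoleAssignments"): {"value": []},
}


def run_demo():
    """Run the containment sequence against the canned tenant and return (summary, ordered calls)."""
    tx = RecordingTransport(CANNED)
    return contain_app(tx, MALICIOUS_APP_ID), tx.calls


if __name__ == "__main__":
    summary, calls = run_demo()
    for method, path in calls:
        print(method, path)
    print(summary)
```

The grants are enumerated before the service principal is deleted on purpose: deleting the SP removes its grants too, but you would lose the list of `principalId`s whose sessions need revoking. Against a live tenant, replace `RecordingTransport` with a thin wrapper over `requests.Session` that adds `Authorization: Bearer ...`, returns `resp.json()` when a body is present, and runs as an identity holding the directory write permissions those endpoints require (for example `DelegatedPermissionGrant.ReadWrite.All`, `Application.ReadWrite.All`, `User.ReadWrite.All`).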