Suspicious Office 365 app authorization (OAuth) link

Feb 4, 2025 ·

Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.

Sublime rule (View on GitHub)

 1name: "Suspicious Office 365 app authorization (OAuth) link"
 2description: |
 3  Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or 
 4  was stood up for malicious purposes. Once the app has been authorized, the attacker will have 
 5  read or write permissions to the user's Office 365 account.  
 6references:
 7  - "https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset"
 8type: "rule"
 9severity: "high"
10source: |
11  type.inbound
12  and any(body.links,
13          .href_url.domain.domain == 'login.microsoftonline.com'
14          and (
15            strings.ilike(.href_url.query_params,
16                          '*offline_access*',
17                          '*.readwrite*',
18                          '*.read*',
19                          '*ctx=*'
20            )
21            or (
22              strings.icontains(.href_url.path, '/common/reprocess')
23              and strings.icontains(.href_url.query_params, 'ctx=')
24              and strings.icontains(.href_url.query_params, 'sessionId=')
25            )
26          )
27  )  
28attack_types:
29  - "Credential Phishing"
30detection_methods:
31  - "URL analysis"
32id: "13a8c430-3e62-5c8f-86b5-3722599bead4"