Suspicious Office 365 app authorization (OAuth) link

Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.

Sublime rule (View on GitHub)

  1name: "Suspicious Office 365 app authorization (OAuth) link"
  2description: |
  3  Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or 
  4  was stood up for malicious purposes. Once the app has been authorized, the attacker will have 
  5  read or write permissions to the user's Office 365 account.  
  6references:
  7  - "https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset"
  8type: "rule"
  9severity: "high"
 10source: |
 11  type.inbound
 12  and (
 13    // links in email body
 14    any([body.links, body.current_thread.links],
 15        any(.,
 16            (
 17              .href_url.domain.domain == 'login.microsoftonline.com'
 18              or strings.icontains(.href_url.query_params,
 19                                   "login.microsoftonline.com"
 20              )
 21            )
 22            and (
 23              strings.ilike(.href_url.query_params,
 24                            '*offline_access*',
 25                            '*.readwrite*',
 26                            '*.read*',
 27                            '*ctx=*',
 28                            '*prompt=none*'
 29              )
 30              or (
 31                (
 32                  strings.icontains(.href_url.path, '/common/reprocess')
 33                  or strings.icontains(.href_url.query_params,
 34                                       "/common/reprocess"
 35                  )
 36                )
 37                and strings.icontains(.href_url.query_params, 'ctx=')
 38                and strings.icontains(.href_url.query_params, 'sessionId=')
 39              )
 40            )
 41        )
 42    )
 43    // links in PDF, HTML, DOCX and PPTX attachments
 44    or any(filter(attachments, .file_type in ("pdf", "html", "docx", "pptx")),
 45           any(file.explode(.),
 46               any(.scan.url.urls,
 47                   .domain.domain == 'login.microsoftonline.com'
 48                   and (
 49                     strings.ilike(.query_params,
 50                                   '*offline_access*',
 51                                   '*.readwrite*',
 52                                   '*.read*',
 53                                   '*ctx=*',
 54                                   '*prompt=none*'
 55                     )
 56                     or (
 57                       strings.icontains(.path, '/common/reprocess')
 58                       and strings.icontains(.query_params, 'ctx=')
 59                       and strings.icontains(.query_params, 'sessionId=')
 60                     )
 61                   )
 62               )
 63           )
 64    )
 65    or any(attachments,
 66           (
 67             .file_type == "ics"
 68             or .file_extension == "ics"
 69             or .content_type in ("application/ics", "text/calendar")
 70           )
 71           //
 72           // This rule makes use of a beta feature and is subject to change without notice
 73           // using the beta feature in custom rules is not suggested until it has been formally released
 74           //
 75           and any(beta.file.parse_ics(.).events,
 76                   any(.links,
 77                       .href_url.domain.domain == 'login.microsoftonline.com'
 78                       and (
 79                         strings.ilike(.href_url.query_params,
 80                                       '*offline_access*',
 81                                       '*.readwrite*',
 82                                       '*.read*',
 83                                       '*ctx=*',
 84                                       '*prompt=none*'
 85                         )
 86                         or (
 87                           strings.icontains(.href_url.path, '/common/reprocess')
 88                           and strings.icontains(.href_url.query_params, 'ctx=')
 89                           and strings.icontains(.href_url.query_params,
 90                                                 'sessionId='
 91                           )
 92                         )
 93                       )
 94                   )
 95           )
 96    )
 97  )  
 98
 99attack_types:
100  - "Credential Phishing"
101detection_methods:
102  - "URL analysis"
103id: "13a8c430-3e62-5c8f-86b5-3722599bead4"
to-top