
Detecting Malicious OAuth Apps in Microsoft 365 with Cazadora

The Silent Threat: How to Hunt for Malicious OAuth Apps in Microsoft 365

Cybersecurity is an ever-evolving battleground. While we focus on strong passwords, multi-factor authentication (MFA), and phishing awareness, a stealthy threat is gaining ground: malicious OAuth application abuse. This attack vector bypasses traditional defenses by tricking users into granting dangerous permissions to seemingly harmless third-party applications within your Microsoft 365 environment.

Unlike typical phishing that aims to steal credentials, this method, known as “consent phishing,” co-opts a legitimate feature. An attacker doesn’t need your password; they just need you to click “Accept.” Once granted, their malicious app can gain persistent access to your email, files, contacts, and more, operating silently in the background.

This guide will walk you through how to proactively hunt for these threats and secure your Microsoft 365 tenant against this insidious attack.

Understanding Illicit Consent Grants

The core of the attack lies in manipulating the OAuth 2.0 authorization framework, which allows third-party apps to access user data without needing their password. Think of how you use your Google or Microsoft account to sign into a new service—that’s OAuth in action.

Attackers exploit this trust. They create an application that mimics a legitimate tool—like a document scanner, a new email client, or a calendar assistant. They then send a phishing link to a user. When the user clicks it, they are presented with a genuine Microsoft consent screen asking for permissions. The trick is that the permissions requested are overly broad and dangerous, such as:

  • Mail.ReadWrite: Read, create, update, and delete mail in the user’s mailbox (paired with Mail.Send, the app can also send as the user).
  • Files.ReadWrite.All: Read and modify every file the user can reach in OneDrive and SharePoint, not only the user’s own files.
  • Contacts.Read: Read the user’s entire contact list, a ready-made target list for the next phishing wave.
  • offline_access: Issues the app a refresh token, so it can keep obtaining new access tokens for weeks or months without the user being signed in or prompted again.

Once the user clicks Accept, Microsoft’s authorization endpoint redirects the browser to the app’s registered redirect URL carrying an authorization code, and the attacker’s server exchanges that code for an access token (and, with offline_access, a refresh token). Those tokens act as a key: the app calls Microsoft Graph as the user without ever seeing a password. MFA does not stop this. The user satisfied MFA when signing in to the consent page, and tokens issued to the app are not challenged again; only revoking the grant and the user’s sessions cuts the access off.
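To make the mechanics concrete, here is an added example (not code from the article or from the Cazadora tool) that dissects a consent-phishing link of the kind the attacker mails out. The sample URL, client ID and redirect domain are constructed for this example; everything about the link that matters sits in the query string, because the hostname is Microsoft’s genuine sign-in endpoint.

```powershell
# Added example (not from the article or the Cazadora tool): dissect a consent-phishing
# link of the kind the attacker mails out. The sample URL below is constructed.
function Get-ConsentLinkDetails {
    param([Parameter(Mandatory)][string]$Url)

    $u = [Uri]$Url
    $query = @{}
    foreach ($pair in $u.Query.TrimStart('?').Split('&')) {
        $key, $value = $pair.Split('=', 2)
        $query[[Uri]::UnescapeDataString($key)] = [Uri]::UnescapeDataString(($value -replace '\+', ' '))
    }

    [pscustomobject]@{
        # The consent page really is served by Microsoft; the hostname proves nothing about the app
        Authority     = $u.Host
        # 'common' or 'organizations' means a multi-tenant app: it works against any tenant
        Tenant        = ($u.AbsolutePath -split '/')[1]
        ClientId      = $query['client_id']      # the attacker's app registration, in the attacker's tenant
        RedirectUri   = $query['redirect_uri']   # where the authorization code is delivered after "Accept"
        Scopes        = @($query['scope'] -split ' ' | Where-Object { $_ })
        ForcesConsent = $query['prompt'] -eq 'consent'   # re-prompt even if the app was consented to before
    }
}

# Constructed sample: a "document scanner" that wants the whole mailbox, all files,
# the address book and a refresh token
$link = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' +
        '?client_id=11111111-2222-3333-4444-555555555555&response_type=code' +
        '&redirect_uri=https%3A%2F%2Fdocscanner-pro.example%2Fcallback' +
        '&scope=Mail.ReadWrite%20Files.ReadWrite.All%20Contacts.Read%20offline_access' +
        '&prompt=consent&state=7c1e'

$details = Get-ConsentLinkDetails -Url $link
$details | Format-List
```

When triaging a user-reported link, the three fields to read are ClientId (look it up in your tenant’s enterprise applications to see whether anyone already consented), RedirectUri (the attacker’s collection point) and Scopes (whether mailbox, file or contact access is being requested). Tenant set to `common` tells you the app was built to be consented to from any organisation.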

Proactive Hunting: Identifying the Red Flags

Because these attacks leverage a legitimate feature, they often fly under the radar of standard security tools. Proactive threat hunting is essential. You need to regularly audit the applications in your Microsoft Entra ID (formerly Azure Active Directory) tenant, and not only your own app registrations: an attacker’s app is registered in the attacker’s tenant and appears in yours only as a service principal under Enterprise applications once a user consents.

When conducting an audit, look for applications that exhibit a combination of these suspicious characteristics:

  • Unverified Publishers: Legitimate applications from established vendors usually carry a “verified” publisher status, which means Microsoft has tied the app to a validated Microsoft Partner Network account. Unverified status alone is not proof of malice (your own line-of-business apps and many small vendors are unverified), but an unverified app holding sensitive permissions warrants immediate investigation.
  • Excessive Permissions: Scrutinize the permissions granted. Does a simple document-scanning app really need the ability to read and send email on your behalf? The principle of least privilege should apply; apps should only have the permissions absolutely necessary to function.
  • Generic or Deceptive App Names: Attackers often use generic names like “Email,” “Scanner,” or “Security Update” to trick users. They may also slightly misspell the names of popular, trusted applications.
  • Suspicious Redirect URLs: The redirect URL is where Microsoft’s authorization endpoint sends the browser, carrying the authorization code, after the user consents, so it is where the attacker collects the keys. For a legitimate app these URLs point to known domains belonging to the provider. A URL pointing to a non-standard port, a bare IP address, a freshly registered or look-alike domain, or a domain unrelated to the app’s name is highly indicative of a malicious app.
  • Recent Creation Dates and Low Usage: A newly registered application with high-level permissions granted by only one or a few users is a classic sign of a targeted consent phishing attack.

A Practical Approach to Auditing Your Tenant

Security teams can use PowerShell, in particular the Microsoft Graph PowerShell SDK, to automate the discovery and analysis of OAuth applications. After connecting to the tenant you can inventory every service principal (the enterprise applications, which is all that exists locally for a multi-tenant app registered in someone else’s tenant), the delegated permission grants attached to each one and which users consented to them, the application permissions assigned to it, its publisher status, redirect URLs and creation date, and then score each app against the red flags above.
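The following is an added example of such an audit (my code, not the article’s and not the Cazadora tool): it pulls service principals and delegated consent grants through the Microsoft Graph PowerShell SDK and scores each app against the red flags listed above. The risky-scope list, the 30-day and three-user thresholds, and the redirect-URL heuristic are assumptions to tune for your tenant.

```powershell
# Added example (not from the article or the Cazadora tool): hunt for consent-phishing
# apps with the Microsoft Graph PowerShell SDK. Thresholds and the risky-scope list are assumptions.
Import-Module Microsoft.Graph.Applications        # Get-MgServicePrincipal
Import-Module Microsoft.Graph.Identity.SignIns    # Get-MgOauth2PermissionGrant

Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All','Directory.Read.All' -NoWelcome

# Delegated scopes that hand an attacker mailbox, file or address-book access (assumed list)
$riskyScopes = @(
    'Mail.ReadWrite','Mail.Read','Mail.Send','Mail.ReadBasic','MailboxSettings.ReadWrite',
    'Files.ReadWrite.All','Files.Read.All','Contacts.Read','User.Read.All','offline_access'
)
# Microsoft's own first-party apps are owned by these tenants; skip them to cut the noise
$microsoftTenantIds = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a','72f988bf-86f1-41af-91ab-2d7cd011db47'

$grants = Get-MgOauth2PermissionGrant -All
$props  = 'Id','AppId','DisplayName','AppOwnerOrganizationId','VerifiedPublisher','ReplyUrls',
          'CreatedDateTime','AccountEnabled','ServicePrincipalType'
$principals = Get-MgServicePrincipal -All -Property $props

$findings = foreach ($sp in $principals) {
    if ($sp.ServicePrincipalType -ne 'Application' -or $sp.AppOwnerOrganizationId -in $microsoftTenantIds) { continue }
    $spGrants = @($grants | Where-Object ClientId -eq $sp.Id)
    if ($spGrants.Count -eq 0) { continue }     # nobody has consented to this app

    $scopes = @(($spGrants.Scope -join ' ').Split(' ', [StringSplitOptions]::RemoveEmptyEntries) | Sort-Object -Unique)
    $users  = @(($spGrants | Where-Object ConsentType -eq 'Principal').PrincipalId | Sort-Object -Unique)
    $flags  = [System.Collections.Generic.List[string]]::new()

    if (-not $sp.VerifiedPublisher.DisplayName) { $flags.Add('unverified-publisher') }
    $hits = @($scopes | Where-Object { $_ -in $riskyScopes })
    if ($hits.Count -gt 0) { $flags.Add("risky-scopes:$($hits -join ',')") }
    foreach ($url in $sp.ReplyUrls) {
        $u = $null
        # Flag anything that is not plain https on the default port to a DNS name. This also
        # catches legitimate native-app/localhost redirects, so treat it as a hint, not a verdict.
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$u) -or
            $u.Scheme -ne 'https' -or -not $u.IsDefaultPort -or $u.HostNameType -ne [UriHostNameType]::Dns) {
            $flags.Add("suspicious-redirect:$url"); break
        }
    }
    if ($sp.CreatedDateTime -gt (Get-Date).AddDays(-30)) { $flags.Add('created-last-30d') }
    if ($users.Count -gt 0 -and $users.Count -le 3) { $flags.Add("consenting-users:$($users.Count)") }
    if ($spGrants.ConsentType -contains 'AllPrincipals') { $flags.Add('tenant-wide-consent') }

    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.VerifiedPublisher.DisplayName
        Created     = $sp.CreatedDateTime
        Users       = $users.Count
        Scopes      = $scopes -join ' '
        Flags       = $flags -join '; '
        Score       = $flags.Count
    }
}

# Two or more independent red flags on one app is worth an analyst's time
$findings | Where-Object Score -ge 2 | Sort-Object Score -Descending |
    Format-Table DisplayName, Publisher, Users, Score, Flags -AutoSize
$findings | Export-Csv -Path .\oauth-app-audit.csv -NoTypeInformation
```

The score is deliberately a count of independent signals rather than a weighted model: a single unverified publisher is common, a single recent creation date is common, but an unverified app created last month that three users consented to with Mail.ReadWrite and offline_access is the textbook consent-phishing footprint. Keep the CSV from each run so the next audit can diff against it.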

When you find a potentially malicious application, the immediate response should be:

  1. Revoke Permissions: Immediately remove every delegated permission grant (per-user and tenant-wide) and every application permission assigned to the app, from the Enterprise applications blade in the Microsoft Entra admin center or through Microsoft Graph.
  2. Disable the Service Principal: Disable (or delete) the application’s service principal so no new tokens are issued to it. Access tokens already issued stay valid until they expire, typically about an hour, so also revoke the sign-in sessions of the users who consented; that invalidates the refresh tokens the app holds for them.
  3. Investigate the Impact: Determine which users granted consent (the “Consent to application” events in the Entra audit log) and what data may have been accessed or exfiltrated (sign-in logs filtered by the application’s ID, plus mailbox and file access records in the unified audit log). Also check for follow-on persistence such as inbox rules or mail forwarding created while the app had access.
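As an added example covering all three response steps (my code, not the article’s and not Cazadora’s), the script below contains one app and pulls the evidence for the impact investigation through the Microsoft Graph PowerShell SDK. The app ID is a placeholder, the 30-day look-back is an assumption, and the reviewer is expected to run it interactively with an account that holds the listed permissions.

```powershell
# Added example (not from the article or the Cazadora tool): contain one suspicious app
# and gather the evidence for the impact investigation. $appId is a placeholder.
$scopes = @(
    'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All', 'AuditLog.Read.All', 'User.ReadWrite.All'
)
Connect-MgGraph -Scopes $scopes -NoWelcome

$appId = '00000000-0000-0000-0000-000000000000'   # placeholder: client ID of the app under investigation
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for appId $appId in this tenant" }

# 1. Revoke permissions: delegated grants (per-user and tenant-wide) ...
foreach ($g in @(Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'")) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}
# ... and application (app-only) permissions, which are app role assignments, not OAuth2 grants
foreach ($a in @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
}

# 2. Disable the service principal: no new tokens will be issued to this app in this tenant.
#    Access tokens already in the attacker's hands stay valid until they expire (about an hour).
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# 3. Investigate: who consented (directory audit log) and what the app did (sign-in log)
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$consents = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    Where-Object { $_.TargetResources.Id -contains $sp.Id }
$consents | Select-Object ActivityDateTime, @{n='User'; e={ $_.InitiatedBy.User.UserPrincipalName }}, Result |
    Format-Table -AutoSize

# Every token this app obtained for a user is a sign-in carrying its appId
$signIns = Get-MgAuditLogSignIn -All -Filter "appId eq '$appId' and createdDateTime ge $since"
$signIns | Select-Object CreatedDateTime, UserPrincipalName, IPAddress, @{n='Error'; e={ $_.Status.ErrorCode }} |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 4. Cut off the refresh tokens the app holds: revoking each victim's sessions forces re-authentication
$victims = @($consents.InitiatedBy.User.UserPrincipalName) + @($signIns.UserPrincipalName) |
    Where-Object { $_ } | Sort-Object -Unique
foreach ($upn in $victims) {
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    "Revoked sessions for $upn"
}
```

Two caveats on the evidence. The v1.0 sign-in log returns interactive sign-ins; the app’s silent refresh-token redemptions are classed as non-interactive and need the non-interactive view in the Entra portal or the beta endpoint. And the sign-in log only shows that a token was issued, not what the app read with it; for that, search the unified audit log for mailbox and file operations by the same app ID over the same window.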

Best Practices for Preventing OAuth App Abuse

Hunting for existing threats is critical, but preventing them in the first place is the ultimate goal. You can significantly harden your Microsoft 365 environment by implementing the following security measures:

  • Configure User Consent Settings: This is your most powerful defense. In the Microsoft Entra admin center (Enterprise applications, then Consent and permissions) you control whether users can consent to third-party applications at all. The most secure posture is to disable user consent entirely; if that is too disruptive, the middle setting allows users to consent only to apps from verified publishers that request low-impact permissions, which still blocks the mailbox-, file- and contact-level scopes described above.
  • Establish an Admin Consent Workflow: If you disable user consent, enable the admin consent workflow so that users can request access to a new application and a designated administrator must review and approve it. This ensures every new application is vetted before it gains access to company data, provided the reviewers actually check the publisher, redirect URLs and requested scopes rather than approving on request.
  • Educate Your Users: Train employees to be skeptical of unexpected application consent requests. Teach them to carefully review the permissions being requested and to look for the “verified publisher” badge before accepting.
  • Conduct Regular Application Audits: Don’t wait for a suspected breach. Make auditing registered OAuth applications a routine part of your security posture. The threat landscape changes daily, and a clean bill of health today doesn’t guarantee security tomorrow.
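As an added example covering the consent settings and the admin consent workflow above (my code, not the article’s and not Cazadora’s), here is the same configuration applied through the Microsoft Graph PowerShell SDK, with the weak setting shown beside the hardened one. The reviewer account and the 30-day request lifetime are assumptions.

```powershell
# Added example (not from the article or the Cazadora tool): set the tenant's consent posture
# with the Microsoft Graph PowerShell SDK. The reviewer account is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','Policy.ReadWrite.ConsentRequest','User.Read.All' -NoWelcome

# Where are we now? The legacy policy lets any user consent to any permission.
$current = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"Current user consent policies: $($current -join ', ')"
# Weak (shown for contrast, do not apply): 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'

# Hardened: remove every self-consent policy so users cannot consent at all
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Middle ground if switching consent off outright is not acceptable: verified publishers only,
# low-impact permissions only (openid, profile, email, User.Read and similar)
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low') }

# With user consent off, route requests to a named reviewer instead of leaving users stuck
$reviewer = Get-MgUser -UserId 'appsec-reviewer@contoso.example'   # placeholder account
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' })
}

# Verify both settings took effect
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned   # expect no output
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, RequestDurationInDays, @{n='Reviewers'; e={ $_.Reviewers.Query -join ', ' }}
```

Changing the authorization policy does not touch grants that already exist, so pair this with the audit above: apps consented to under the legacy policy keep their access until you revoke it. Put the verification lines in a scheduled check as well, since a later administrator can quietly switch user consent back on.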

By treating third-party applications with the same scrutiny as any other access request, you can close a dangerous and often overlooked entry point for attackers and better protect your organization’s sensitive data.

Source: https://www.bleepingcomputer.com/news/security/find-hidden-malicious-oauth-apps-in-microsoft-365-using-cazadora/
