Malicious OAuth application consent

PLATFORM

SERVICE: azure-ad

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: low (Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability; some might refer to this as likelihood.)

IMPACT: high (How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.)

About

OAuth applications are used to grant access to a user's data in a third-party application. When a user grants access to an OAuth application, the application receives an access token that can be used to access the user's data.

Understanding Impact

Business Impact

If a user grants access to a malicious third-party application, for instance through social engineering, the application can access the user's data and perform actions on their behalf.

Technical Impact

Malicious OAuth applications have been used in the wild, in particular through phishing campaigns. Once the user has authorized the third-party application, the attacker can use the access token to access the user's data, such as their Office 365 mailbox, regardless of whether the user has MFA enforced.

  • Step 1: The attacker creates a malicious cross-tenant Azure AD application, and configures it to request "delegated permissions" to user data.
  • Step 2: The attacker creates a redirect URL for the malicious application and sends it to a victim user.
  • Step 3: The victim clicks on the link, and is redirected to the malicious application's consent page.
  • Step 4: The victim grants the required permissions to the malicious application by clicking the "Allow access" button.
  • Step 5: The victim is redirected to an attacker-controlled page, and the malicious application receives an access token to access the victim's data through the Microsoft Graph API.

Detection

When a user grants access to a third-party Azure AD application, a "Consent to application" event is logged in the Azure AD audit logs. This event contains the application ID of the application that was granted access, the user who granted access, and the permissions granted.

Sample event (shortened for clarity):

{
  "category": "ApplicationManagement",
  "result": "success",
  "activityDisplayName": "Consent to application",
  "initiatedBy": {
    "user": {
      "id": "c1aa0ae0-d18e-4eb3-92de-fea8ec3436b2",
      "userPrincipalName": "victim-user@domain.tld",
      "ipAddress": "1.1.1.1"
    }
  },
  "targetResources": [
    {
      "id": "7507edf1-ab3a-47a4-9267-05eb5ae8052c",
      "displayName": "Malicious OAuth App",
      "type": "ServicePrincipal",
      "modifiedProperties": [
        {
          "displayName": "ConsentAction.Permissions",
          "oldValue": null,
          "newValue": "(...)Scope:  openid offline_access People.Read Contacts.Read.Shared Mail.Read"
        }
      ]
    }
  ]
}
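The detection described above can be run over the audit log directly: filter for successful "Consent to application" events, pull the granted scopes out of the ConsentAction.Permissions property, and rate the grant by how sensitive those scopes are. The following is an added example (not Datadog's Cloud SIEM rule and not code from the page); the HIGH_RISK_SCOPES list, the second and third sample records, and the "[...] -> [...]" value shape are assumptions constructed for the example, while the first record mirrors the sample event above.

```python
"""Triage Azure AD 'Consent to application' audit events for risky delegated grants.

Added example, not Datadog's rule or code. Assumptions: events are dicts shaped like
the sample audit record above; the scope list sits in a ConsentAction.Permissions
modifiedProperty whose newValue contains 'Scope: <space-separated scopes>'.
"""
import json
import re

# Delegated scopes a defender would usually treat as high-risk (assumed list; tune to
# the tenant's own policy). offline_access matters because it yields a refresh token,
# so access outlives the victim's session.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.Read.Shared",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Contacts.Read.Shared",
    "offline_access",
}

# Capture everything after 'Scope:' up to a closing bracket or comma.
_SCOPE_RE = re.compile(r"Scope:\s*([^\],]*)")


def parse_scopes(new_value):
    """Return the set of OAuth scopes named in a ConsentAction.Permissions newValue."""
    if not new_value:
        return set()
    match = _SCOPE_RE.search(new_value)
    return set(match.group(1).split()) if match else set()


def triage_consent_event(event):
    """Return a finding for a successful consent grant, or None for any other event."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    if event.get("result") != "success":
        return None
    user = (event.get("initiatedBy") or {}).get("user") or {}
    granted, app_id, app_name = set(), None, None
    for res in event.get("targetResources", []):
        if res.get("type") != "ServicePrincipal":
            continue
        app_id, app_name = res.get("id"), res.get("displayName")
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                granted |= parse_scopes(prop.get("newValue"))
    risky = sorted(granted & HIGH_RISK_SCOPES)
    return {
        "user": user.get("userPrincipalName"),
        "ip": user.get("ipAddress"),
        "app_id": app_id,
        "app_name": app_name,
        "scopes": sorted(granted),
        "risky_scopes": risky,
        # Any high-risk scope makes the grant worth an analyst's attention.
        "severity": "high" if risky else "info",
    }


def triage_events(events):
    """Run triage over a batch of audit records and keep only consent-grant findings."""
    return [f for f in (triage_consent_event(e) for e in events) if f]


# Constructed sample records. The first mirrors the page's sample event; the second is a
# benign sign-in-only grant; the third is a failed consent and must not produce a finding.
SAMPLE_EVENTS = [
    {
        "category": "ApplicationManagement", "result": "success",
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "victim-user@domain.tld",
                                 "ipAddress": "1.1.1.1"}},
        "targetResources": [{
            "id": "7507edf1-ab3a-47a4-9267-05eb5ae8052c",
            "displayName": "Malicious OAuth App", "type": "ServicePrincipal",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions", "oldValue": None,
                "newValue": "(...)Scope:  openid offline_access People.Read "
                            "Contacts.Read.Shared Mail.Read"}]}],
    },
    {
        "category": "ApplicationManagement", "result": "success",
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "alice@domain.tld",
                                 "ipAddress": "203.0.113.5"}},
        "targetResources": [{
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Timesheet Portal", "type": "ServicePrincipal",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions", "oldValue": None,
                "newValue": "[] -> [ConsentType: Principal, Scope: openid profile User.Read]"}]}],
    },
    {
        "category": "ApplicationManagement", "result": "failure",
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "bob@domain.tld"}},
        "targetResources": [],
    },
]

if __name__ == "__main__":
    print(json.dumps(triage_events(SAMPLE_EVENTS), indent=2))
```

Feeding real exports requires only that each record keep the Azure AD audit-log shape; the Scope regex is deliberately tolerant of the bracketed "old -> new" form that the full (unshortened) property value takes.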

There have also been reported cases of attackers creating a malicious application inside the victim's tenant in order to compromise other accounts. To mitigate this, restrict users from creating applications in your tenant (by default, all users can create applications).

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Potential Illicit Consent Grant attack via Azure registered application".

References

  • Malicious OAuth applications abuse cloud email services to spread spam (azure documentation)
  • Attackers used malicious "verified" OAuth apps to infiltrate organizations' O365 email accounts (helpnetsecurity.com)
  • Overview of the admin consent workflow (azure documentation)
  • Configure the admin consent workflow (azure documentation)
