Consent (OAuth) phishing: from attack to detection to prevention with Microsoft Defender for Cloud Apps

The attack

The attack starts by creating an app registration in Azure AD; let's call our app OAuth example. This registration is the attacker-controlled application that the victim will later be asked to consent to.

Microsoft Defender for Cloud Apps (MDCA)

Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security) can detect OAuth attacks through its threat detection policies.

Azure AD

"Prevention is better than cure" also applies to this type of attack. As mentioned before, user app consent is enabled by default. Switch from user consent to admin consent by disabling user consent (Azure AD -> Enterprise applications -> User settings) and configure the admin consent workflow, so that users can request approval for an app instead of granting it themselves.
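The same change, done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the account running it can edit Azure AD policies, and that consent-admin@contoso.com is a placeholder for the reviewer account you want to approve consent requests.

```powershell
# Added example (not from the original post): disable user consent for applications and
# enable the admin consent request workflow via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller can edit Azure AD policies;
# consent-admin@contoso.com is a placeholder reviewer account.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "User.Read.All"

# 1. Show the current user consent setting. A non-empty list (for example
#    ManagePermissionGrantsForSelf.microsoft-user-default-legacy) means users may consent
#    on their own; an empty list means user consent is disabled.
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host "User consent policies before: $($before -join ', ')"

# 2. Disable user consent: assign no permission grant policies to the default user role.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# 3. Enable the admin consent workflow so users can request consent instead of granting it.
#    The adminConsentRequestPolicy endpoint is updated with PUT, so call it directly.
$reviewer = Get-MgUser -UserId "consent-admin@contoso.com"   # placeholder reviewer
$policy = @{
    isEnabled             = $true
    notifyReviewers       = $true   # email reviewers when a request arrives
    remindersEnabled      = $true   # remind reviewers while a request is pending
    requestDurationInDays = 30      # requests expire after 30 days
    reviewers             = @(
        @{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" }
    )
}
Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy" -Body $policy

# 4. Read both settings back to confirm the change took effect.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host "User consent policies after: $($after -join ', ')"   # expected: empty
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays
```

Disabling user consent stops the victim from being able to grant the phishing app anything; the consent workflow keeps legitimate apps usable by routing requests to the reviewer, who can inspect the requested permissions before approving.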
