User Consent to apps from a SOC Perspective

4 min readSep 14, 2020

TLDR; disable user consent and configure admin consent workflow

Credential phishing is the #1 attack on user(s) to steal user credentials. A new type of attack, called consent phishing, is emerging with the different Cloud platforms like Office 365 and Google. User consent (granting authorization to an application) also bypasses ‘password’ and MFA (Multi-Factor Authentication) protection.

By accepting consent (OpenID Connect or OAuth 2.0), the bad actor has access to the mailbox (read e-mail, create forward rule, etc.)

Microsoft Graph Api

If consent is given with mailbox permissions, the bad actor can read all e-mails. The Microsoft Graph is an example to read the mailbox via a GET command via a GUI (graphical user interface.

The Microsoft Graph explorer URL is https://developer.microsoft.com/en-us/graph/graph-explorer (in the example we sign in a user but consent has the same permissions without sign-in) and use the Outlook RESP API to read the mailbox via https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messages

NIST Cybersecurity Framework

Protect is the security baseline (2nd function in the NIST Cybersecurity framework) to prevent cybersecurity breaches.

Detect and respond (3rd and 4th function) are SOC (Security Operations Center) functions because no protect framework is 100% proof.

Protect

To protect against user consent phishing attack(s), disable user consent and configure admin consent workflow.

First disable user consent via the Office 365 Admin portal (Org settings) or Azure portal, this setting is enabled by default.

Second configure admin consent workflow via the Azure portal (Azure Active Directory — Enterprise applications).

Enable the setting and select the Admin(s) to approve user consent.

Detect

To detect malicious user / app consent we can use Microsoft Cloud App Security (MCAS) and/or Azure Sentinel.

Microsoft Cloud App Security

Microsoft Cloud App Security (MCAS), the CASB (Cloud Access Security Broker) solution from Microsoft, can manage (detect) OAuth apps. The apps are categorized by permissions level (high, medium, and low)

Microsoft Cloud App Security is part of the Microsoft 365 E5 (Security) license.

Indicators of malicious behavior area

- Community use
- Authorized by (single user can be more malicious then multiple users)
- Permission level (high has continues access to data)

MCAS has the option to create a OAuth app anomaly detection policies.

- Misleading OAuth app name
- Misleading publisher name for an OAuth app|
- Malicious OAuth app consent
- Suspicious OAuth app file download activities

See https://docs.microsoft.com/en-us/cloud-app-security/app-permission-policy

Azure Sentinel

Azure Sentinel is the cloud native SIEM (Security Information & Event Management) from Microsoft. The Data Connector log source is Azure Active Directory (AuditLogs).

Microsoft created a Hunting query to discover ‘consent to application’ operations.

The output could indicate that permissions to access the application was provided by a malicious user.

See https://github.com/Azure/Azure-Sentinel/blob/a3d9984d88377a02a2f94caaf67e3d5828d972de/Hunting%20Queries/AuditLogs/ConsentToApplicationDiscovery.yaml for the query.

Respond

Access to malicious applications can be mitigated via:

Azure AD

Enterprise applications can be reviewed (permissions) and consent permissions can be removed via Azure AD (permissions on the Enterprise applications).