In Microsoft 365 environment one particular threat that has emerged with significant impact is the illicit consent grants attack. This sophisticated form of cyber attack manipulates the OAuth consent framework, tricking users into granting malicious applications access to their Microsoft 365 data. Recognizing and remediating these attacks is crucial for maintaining the integrity of your data and the security of your Microsoft 365 environment.
Understanding the Threat
An illicit consent grant occurs when a user is deceived into granting a third-party application permissions that it uses maliciously. These permissions can range from accessing basic user profile information to reading emails and files, potentially leading to data breaches.
Detection and Prevention
Review Audit Log
Periodically review Microsoft 365 audit logs to detect unusual consent grant activities. The best practice is to review your organizations consent grants on a weekly basis.
Steps for finding signs of this attack
Open the Microsoft Defender portal at https://security.microsoft.com and then select Audit. Or, to go directly to the Audit page, use https://security.microsoft.com/auditlogsearch.
On the Audit page, verify that the Search tab is selected, and then configure the following settings:
Date and time range
Activities: Verify that Show results for all activities is selected.
Click the Activity column to sort the results and look for Consent to application.
Select an entry from the list to see the details of the activity. Check to see if IsAdminConsent is set to True.
If you have one or more instances of the IOCs listed above, you need to do further investigation to positively confirm that the attack occurred.
You can check applications and their permissions using the Microsoft Entra admin center.
Sign in to the Azure portal with administrative rights.
Select the Microsoft Entra ID blade.
Select Users.
Select the user that you want to review.
Select Applications.
This will show you the apps that are assigned to the user and what permissions the applications have.
The simplest way to verify the Illicit Consent Grant attack is to run Get-AzureADPSPermissions.ps1, which will dump all the OAuth consent grants and OAuth apps for all users in your tenancy into one .csv file.
Pre-requisites
The Azure AD PowerShell library installed.
Global administrator rights on the tenant that the script will be run against.
Local Administrator on the computer from which will run the scripts.
Sign in to the computer that you will run the script from with local administrator rights.
Download or copy the Get-AzureADPSPermissions.ps1 script from GitHub to a folder from which you will run the script. This will be the same folder to which the output "permissions.csv" file will be written.
Open a PowerShell session as an administrator and open to the folder where you saved the script to.
Connect to your directory using the Connect-AzureAD cmdlet.
Run this PowerShell command:
.\Get-AzureADPSPermissions.ps1 | Export-csv -Path "Permissions.csv" -NoTypeInformationThe script produces one file named Permissions.csv. Follow these steps to look for illicit application permission grants:
In the ConsentType column (column G) search for the value "AllPrinciples". The AllPrincipals permission allows the client application to access everyone's content in the tenancy. Native Microsoft 365 applications need this permission to work correctly. Every non-Microsoft application with this permission should be reviewed carefully.
In the Permission column (column F) review the permissions that each delegated application has to content. Look for "Read" and "Write" permission or "All" permission, and review these carefully because they may not be appropriate.
Review the specific users that have consents granted. If high profile or high impact users have inappropriate consents granted, you should investigate further.
In the ClientDisplayName column (column C) look for apps that seem suspicious. Apps with misspelled names, super bland names, or hacker-sounding names should be reviewed carefully.
Determine the scope of the attack
After you have finished inventorying application access, review the audit log to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the audit log in the Microsoft Defender portal.
Remediate the attack
After you have identified an application with illicit permissions, you have several ways to remove that access.
You can revoke the application's permission in the Microsoft Entra admin center by:
Navigate to the affected user in the Microsoft Entra user blade.
Select Applications.
Select the illicit application.
Click Remove in the drill down.
You can revoke the OAuth consent grant with PowerShell by following the steps in Remove-AzureADOAuth2PermissionGrant.
You can revoke the Service App Role Assignment with PowerShell by following the steps in Remove-AzureADServiceAppRoleAssignment.
You can also disable sign-in for the affected account altogether, which will in turn disable app access to data in that account. This isn't ideal for the end user's productivity, of course, but if you are working to limit impact quickly, it can be a viable short-term remediation.
You can turn integrated applications off for your tenancy. This is a drastic step that disables the ability for end users to grant consent on a tenant-wide basis. This prevents your users from inadvertently granting access to a malicious application. This isn't strongly recommended as it severely impairs your users' ability to be productive with third party applications. You can do this by following the steps:
In the Microsoft 365 admin center, go to the Settings > Org settings > Services page, and then select User consent to apps.
On the User consent to apps page, select the option to turn user consent off.
Educating Users
Inform users about the risks associated with granting permissions to third-party applications.
Encourage users to report any suspicious consent request they encounter.
Staying vigilant and proactive in your cybersecurity practices is essential in the fight against illicit consent grants. By combining user education, and regular monitoring along with leveraging managed security and compliance services, organizations can protect themselves effectively against these types of cyber threats.
To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.