Potential Illicit Consent Grant attack via Azure registered application
Set up the Azure integration.
Goal
Detects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.
Strategy
Monitor Azure AD Audit logs for the following @evt.name:
Monitor Microsoft 365 Audit logs for the following @evt.name:
Because these are third-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.
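The following is an added example, not part of the original rule or the vendor's own code: a Python triage pass over exported Azure AD audit records that flags successful consent grants whose scopes reach mail, contacts or documents. The activity name `Consent to application`, the `ConsentAction.Permissions` property layout, the scope prefixes and the sample records are assumptions or constructed for illustration.

```python
import re

# Assumptions (not from this page): the Azure AD audit activity name and the
# delegated Microsoft Graph scope families covering mail, contacts and documents.
CONSENT_ACTIVITY = "Consent to application"
SENSITIVE_PREFIXES = ("Mail.", "Contacts.", "Files.")

def granted_scopes(event):
    """Return the scopes listed in ConsentAction.Permissions (new value only)."""
    scopes = set()
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "ConsentAction.Permissions":
                continue
            new_value = (prop.get("newValue") or "").split("=>")[-1]
            for match in re.finditer(r"Scope:\s*([^,\]]*)", new_value):
                scopes.update(match.group(1).split())
    return scopes

def triage(events):
    """Flag successful consent grants that include a sensitive scope."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != CONSENT_ACTIVITY or ev.get("result") != "success":
            continue
        risky = sorted(s for s in granted_scopes(ev) if s.startswith(SENSITIVE_PREFIXES))
        if risky:
            user = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
            findings.append({"user": user, "app": ev["targetResources"][0].get("displayName"),
                             "scopes": risky})
    return findings

def _event(activity, result, user, app, scope):
    """Build a constructed audit record (assumed directoryAudit-style shape)."""
    perms = f"[] => [[Id: x, ConsentType: Principal, Scope: {scope}, CreatedDateTime: ]];"
    return {"activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": user}},
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentAction.Permissions", "newValue": perms}]}]}

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    _event(CONSENT_ACTIVITY, "success", "alice@example.com", "Constructed Mail Helper",
           "Mail.Read Contacts.Read offline_access"),
    _event(CONSENT_ACTIVITY, "success", "bob@example.com", "Constructed SSO App", "User.Read openid"),
    _event(CONSENT_ACTIVITY, "failure", "carol@example.com", "Constructed Mail Helper", "Mail.Read"),
    _event("Update user", "success", "dave@example.com", "dave", "Files.Read.All"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns only the first record; the sign-in-only grant, the failed grant and the unrelated activity are skipped.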
Triage and response
- See the official Microsoft playbook on responding to a potential Illicit Consent Grant.
- If the activity is benign:
  - Use the linked blog post in the suggested actions panel to tune out false positives.