Potential Illicit Consent Grant attack via Azure registered application

azure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1566-phishing

Set up the azure integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.

Strategy

Monitor Azure AD Audit logs for the following @evt.name:

  • Consent to application

Monitor Microsoft 365 Audit logs for the following @evt.name:

  • Consent to application.

Because these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.

Triage and response

  1. See the official Microsoft playbook on responding to a potential Illicit Consent Grant.
  2. If the activity is benign:
    • Use the linked blog post in the suggested actions panel to tune out false positives.