Fluency continues to secure Microsoft365 by releasing thirteen (13) behavioral models for the detection of illicit applications. Although these types of attacks pose a serious threat to an organization’s security, M365 does not directly alert organizations about actions that are indicative of this threat. With its behavioral models, Fluency is able to use M365 audit data and events to detect the operations and patterns associated with illicit consent grant attacks.
An illicit consent grant attack, or app consent attack, uses permission grants to gain access to protected data. These attacks utilize operations that allow a person or organization to grant an application permission to access protected resources on behalf of the user or organization. This can happen to an administrative user or a standard user. While application consent is a normal action that is necessary for the addition of useful applications, these permissions can be manipulated by an attacker and must be monitored in order to detect suspicious behavior and circumstances.
Access to an administrator’s account can be much more beneficial to an attacker than access to a standard user’s account, which means these accounts have a higher risk associated when they are compromised. In the case of an administrator’s account being compromised and used to grant application permissions, a malicious user may be able to not only grant themselves access to read organization-wide files and resources but may potentially be able to grant themselves permission to write to these files as well.
The following admin types are able to grant admin consent to all of the organization’s data:
Global Administrator
Application Administrator
Cloud Application Administrator
The full documentation on the details of this attack can be found here:
Fluency has the ability to detect these suspicious operations, using both the operations themselves and correlation rules to highlight the circumstances surrounding them. The following models were developed in order to detect app consent attacks:
O365_Add_Application
O365_Update_Application
O365_Update_Application_Credential
O365_Add_Application_Role_Assignment
O365_Consent_To_Application
O365_Admin_Consent_To_Application
O365_Remove_Service_Principal
O365_Add_Member_To_Role
O365_Remove_Member_From_Role
The first seven models have to do with manipulating an application directly. These models indicate the creation or update of an application and, potentially, its permissions. Alerts triggered by these models should be monitored in order to ensure they are legitimate.
The last two models, when triggered in conjunction with the others, are indicative of suspicious behavior. These operations could indicate that a malicious entity gave a user an administrative role in order to grant global permissions, then removed the role in an attempt to deter suspicion.
In addition to this, four Resource Watch models were created that aid in the detection of app consent attacks. Resource Watch is a new feature soon to be released on Fluency that grants a further level of visibility in order to detect attacks and suspicious behavior.