Nowadays businesses are being compromised by an Office pop-up asking users to grant permissions to what looks like a normal Office app. But when you click Accept, you are unknowingly giving a bad actor's application access to your contact info, mailbox settings, and sign-in access.
The attacker's next step is to impersonate the victim, sending emails and accessing their files on their behalf. Because this application is external to the organization, the attacker can access the account information without MFA.
Scary stuff that you probably want to avoid, isn’t it?
What can I do to prevent the attack?
To reduce this risk, you can change the configuration of your tenant so that only applications approved by an admin can be installed. Also keep in mind hardening the tenant as a whole. By doing this, you will avoid some problems in the future.
How can I detect those actions?
Want to see if you’ve had this happen already?
- Open the Security & Compliance Center at https://protection.office.com.
- Navigate to Search and select Audit log search.
- Search all activities and all users, enter the start date and end date if required, and then click Search.
- Click Filter results and enter Consent to application in the Activity field.
- Click on the result to see the details of the activity, then click More Information for the full record. Check to see if IsAdminConsent is set to True.
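The same check can be run over an exported set of audit results instead of clicking through each one. The Python below is an added example, not code from the original post; the row layout (an AuditData JSON string holding Operation, UserId, ObjectId and ModifiedProperties), the property names ConsentContext.IsAdminConsent and ConsentAction.Permissions, and every sample value are assumptions constructed for illustration.

```python
import json

# Constructed sample rows. Assumption: each exported audit row carries the
# event as a JSON string in "AuditData", with Operation, UserId, ObjectId and
# a ModifiedProperties list of {Name, NewValue} entries.
def _row(op, user, app, props):
    return {"AuditData": json.dumps({
        "CreationTime": "2024-01-01T00:00:00", "Operation": op, "UserId": user,
        "ObjectId": app,
        "ModifiedProperties": [{"Name": n, "NewValue": v} for n, v in props]})}

SAMPLE_ROWS = [
    _row("Consent to application.", "alice@example.test", "app-placeholder-1",
         [("ConsentContext.IsAdminConsent", "False"),
          ("ConsentAction.Permissions", "Mail.Read Contacts.Read")]),
    _row("Consent to application.", "admin@example.test", "app-placeholder-2",
         [("ConsentContext.IsAdminConsent", "True")]),
    _row("UserLoggedIn", "bob@example.test", "app-placeholder-3", []),
    {"AuditData": "{truncated"},  # malformed row, must be skipped
]

def find_consent_grants(rows):
    """Return a summary dict for every 'Consent to application' event."""
    findings = []
    for row in rows:
        try:
            event = json.loads(row.get("AuditData") or "")
        except ValueError:
            continue  # unparseable export row
        if not isinstance(event, dict):
            continue
        # Tolerate a trailing period and case differences in Operation.
        op = str(event.get("Operation", "")).strip().rstrip(".").lower()
        if op != "consent to application":
            continue
        props = {p.get("Name", ""): str(p.get("NewValue", ""))
                 for p in event.get("ModifiedProperties") or []}
        is_admin = any(k.endswith("IsAdminConsent") and v.strip().lower() == "true"
                       for k, v in props.items())
        findings.append({"time": event.get("CreationTime"),
                         "user": event.get("UserId"),
                         "app": event.get("ObjectId"),
                         "admin_consent": is_admin,
                         "permissions": props.get("ConsentAction.Permissions", "")})
    # Admin (tenant-wide) grants first: they apply to every user, not just one.
    return sorted(findings, key=lambda f: not f["admin_consent"])

if __name__ == "__main__":
    for finding in find_consent_grants(SAMPLE_ROWS):
        print(finding)
```

Each finding names the consenting user and the application, which are the two inputs the response steps need.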
How can I respond to those attacks?
If you have identified an application with illicit permissions, you can revoke the application's permission in the Azure Active Directory (AAD) portal:
- Navigate to the affected user in the Azure Active Directory User blade.
- Select Applications.
- Select the illicit application.
- Click Remove in the drill down.
Then do reconnaissance on any accounts that had consented to the app: reset their passwords, require MFA, and dig through Cloud App Security and other logging tools to find out what has been done in the account. Look for phishing emails sent to other users in the organization and to the contact lists, files accessed on OneDrive or SharePoint, etc.