Description

(00:00:00) Mission Briefing: Protecting Against Tenant Breaches

(00:00:41) The Enemy's Tactics: Consent Phishing and Token Theft

(00:04:35) The Attack Chain: From Consent to Token Abuse

(00:06:22) Detecting and Preventing Consent Phishing

(00:14:41) Lateral Movement: From Mailbox to SharePoint

(00:17:23) Exfiltration and Data Theft

(00:20:26) Implementing Effective Defenses

(00:26:01) Closing Remarks and Key Takeaways



Perimeter defense is a lie. In this mission briefing, we walk through a real-world style Microsoft 365 breach where attackers use consent phishing, AiTM token theft, and OAuth abuse to bypass MFA, replay stolen cookies, and live off the land with Microsoft Graph. You’ll see the exact Entra logs, Sentinel analytics, and controls that matter—plus the one policy that breaks the entire attack chain: consent control. If you run M365, Entra ID, or Sentinel, this is mandatory listening.

Opening – The Lie of Perimeter Defense Officers, you’re briefed into a different war. Firewalls guard borders, but modern attacks don’t cross borders—they hijack identity. MFA looks like a shield, but stolen tokens and consented apps glide past it like cloaked ships. In this episode, we map an end-to-end Microsoft 365 breach:

• Starting in the attacker’s cockpit
• Following consent phishing, AiTM token theft, and OAuth abuse
• Ending with concrete detections (KQL, Sentinel) and Entra policies you can deploy today

There is one policy that breaks this chain. Stay sharp. Segment 1 – Threat Intel Brief: What Modern Crews Actually Do We begin with the current threat picture:

• Phishing-as-a-Service & AiTM kits: turnkey infrastructure to steal credentials and session cookies together.
• Malicious multi-tenant OAuth apps: used as roaming “gunships” across tenants, abusing legitimate Microsoft identity flows.
• Goal set:
  • Take the mailbox
  • Siphon SharePoint / OneDrive
  • Persist via app consent, refresh tokens, and mail rules

Why traditional defenses fail:

• MFA stops passwords—not replayable sessions.
• Admin portals don’t highlight OAuth sprawl or service principals by default.
• Telemetry exists, but detection rules and UEBA are often missing or under-tuned.

Telemetry that actually matters:

• Entra ID / Azure AD
  • “Consent to application”
  • “ServicePrincipal created”
  • “AppRoleAssignedTo”
  • Sign-in logs with “Authentication requirements satisfied” (including cookie replay patterns)
• Exchange / MailboxAudit
  • New inbox rules, hidden rules, external forwarding
• SharePoint / Unified Audit Log
  • FileAccessed / FileDownloaded with AppId stamps
• App registrations & service principals
  • New credentials, updated permissions, scope creep

Key doctrine:

• Don’t just guard logins—bind tokens and govern consent.
• Use Token Protection and risk-based Conditional Access to make stolen cookies worthless and cut risky sessions mid-flight.

Segment 2 – Initial Access: Consent Phishing + Token Theft Here’s how the breach starts:

• User hits an AiTM phishing page (invoice, payroll, SharePoint link).
• Reverse proxy relays real Microsoft login → MFA succeeds → session cookie is captured.
• In the same flow, a benign-looking multi-tenant OAuth app asks for consent:
  • Scopes like User.Read, Mail.Read, offline_access
• The user approves.
• Attacker now holds:
  • A stolen cookie (for replay)
  • A sanctioned service principal (for long-term Graph access)

Key telemetry & detections:

• Entra Audit:
  • “Consent to application” → “ServicePrincipal created” → “AppRoleAssignedTo”
• Entra Sign-in logs:
  • “Authentication requirements satisfied” from a new device / country minutes after the real login
• Exchange MailboxAudit:
  • Inbox rules or forwarding after consent (to blind the user)
• Unified Audit / SharePoint:
  • FileAccessed / FileDownloaded showing an AppId instead of Outlook/browser

Detection ideas:

• Sentinel analytics for consent events by high-value users or unfamiliar IPs
• Watchlists of sanctioned AppIds; anything else is priority
• UEBA for impossible travel and sudden session switching that screams hijack
• Alerts on new service principals with scopes like Mail.ReadWrite, Files.Read.All, Sites.Read.All, offline_access

Quick wins:

• Disable user consent tenant-wide or limit to low-risk scopes + verified publishers.
• Enable admin consent workflow for everything else.
• Turn on Token Protection for Exchange/SharePoint where supported.
• Use Conditional Access (sign-in risk, compliant device, workload-specific controls) to block risky replay.

Segment 3 – Persistence: Living Off the Land with OAuth & Mail Rules Once inside, attackers shift from sprint to residency:

• offline_access + refresh tokens = long-lived Graph access without the user.
• Hidden inbox rules hide security emails and alerts.
• A second, more “normal” app may be deployed as a backup persistence mechanism.
• Scopes quietly upgrade over time from Mail.Read → Mail.ReadWrite, Sites.Read.All → Files.Read.All.

Telemetry & detections:

• Entra Audit:
  • Update application, Add passwordCredential, Add keyCredential on service principals
• AppRoleAssignedTo:
  • Scope creep to high-value permissions
• Exchange MailboxAudit / Admin logs:
  • New inbox rules, external forwarding, mailbox configuration changes
• Sentinel:
  • Analytics for external forwarding rules
  • UEBA for Graph call volume spikes from a single AppId

Remediation doctrine:

• Revoke app consent and delete OAuth2PermissionGrants for malicious apps.
• Disable or delete service principals; rotate secrets for legitimate apps that may be impacted.
• Force sign-outs, revoke refresh tokens, and require re-auth for affected identities.
• Implement Conditional Access session controls and Token Protection so replay dies at the gate.

Segment 4 – Lateral Movement: From Mailbox to SharePoint to Keys With persistence established, attackers move laterally:

• Use mailbox intel to find:
  • Project code names
  • SharePoint site URLs
  • Vendors and payment flows
• Use Graph with Sites.Read.All / Files.Read.All to enumerate and harvest high-value content.
• Use directory read scopes to map admins, groups, app roles, and further targets.
• Launch BEC-style attacks using real threads and context.<

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.

If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.