Detect Suspicious OAuth Application Consent Grant in Microsoft 365 in Google Chronicle
Illicit OAuth consent grants are a persistent M365 attack vector: users are tricked into granting a third-party application excessive permissions to their Microsoft 365 data. Attackers register OAuth apps with convincing names ('HR Document Portal', 'Microsoft Security Update', 'Teams Bot') and send phishing emails that direct users to a consent prompt for the app. Once consented, the attacker's app holds persistent API access (typically Mail.Read, Contacts.Read, Files.Read or offline_access, the last of which yields a refresh token) without the user's password, and MFA does not help afterwards because the tokens are issued to the application rather than to an interactive sign-in. Microsoft documented Midnight Blizzard abusing OAuth applications this way, including granting an app the Office 365 Exchange Online full_access_as_app role to read mailboxes; Storm-0558, often cited alongside it, instead forged tokens with a stolen signing key, so it is not a consent-grant case. NCSC UK warns that illicit consent grants are particularly effective against SMBs because many lack admin consent workflows. After an initial compromise, attackers can also run consent phishing from OAuth apps registered inside the victim's own Entra ID tenant, which look first-party to users.
MITRE ATT&CK
- Tactic: Persistence, Credential Access, Collection
- Technique: T1098.003 (Account Manipulation: Additional Cloud Roles)
YARA-L Detection Query
rule suspicious_oauth_consent_grant_m365 {
  meta:
    author = "Detection Engineering"
    description = "Detects OAuth consent grants and app role assignments carrying sensitive Microsoft Graph permissions in Microsoft 365 / Entra ID, the pattern used in consent phishing and in Midnight Blizzard's OAuth application abuse"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1098.003"
    false_positives = "Legitimate IT-sanctioned app deployments, ISV onboarding, Microsoft first-party app consent"
    reference = "https://www.microsoft.com/security/blog/2023/09/07/microsoft-mitigates-china-based-threat-actor-storm-0558"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Azure Active Directory"
    // Entra ID audit activities that create or extend an application's permissions
    re.regex($e.metadata.product_event_type, `(?i)^(Consent to application|Add delegated permission grant|Add OAuth2PermissionGrant|Add app role assignment to service principal)$`)
    $e.security_result.action = "ALLOW"
    (
      // Delegated scopes that give an app durable access to mail, files, contacts, calendar or directory data.
      // The "permissions" label key depends on the Azure AD parser in use; verify it against an ingested consent event.
      re.regex(
        $e.target.resource.attribute.labels["permissions"],
        `(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Mail\.ReadBasic\.All|Files\.Read\.All|Files\.ReadWrite\.All|offline_access|Directory\.Read\.All|User\.Read\.All|User\.ReadWrite\.All|Contacts\.Read|Contacts\.ReadWrite|Sites\.Read\.All|Sites\.ReadWrite\.All|MailboxSettings\.ReadWrite|Calendars\.ReadWrite|Group\.Read\.All)`
      ) or
      // Application (app-only) role assignments, e.g. Exchange Online full_access_as_app, carry no delegated scope at all
      $e.metadata.product_event_type = "Add app role assignment to service principal"
    )
    $user = $e.principal.user.email_addresses
    $app = $e.target.application
    $src_ip = $e.principal.ip

  match:
    $user, $app over 1h

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting illicit OAuth application consent grants in Microsoft 365 and Entra ID. It matches consent, delegated-permission and app-role-assignment events from the Entra ID audit log where sensitive Microsoft Graph scopes covering mail, files, contacts, calendar or directory data are granted to an application, and groups hits per user and application over one hour. The access it targets persists independently of the user's MFA-protected sign-in, because the access and refresh tokens are issued to the application; this is the pattern Microsoft described for Midnight Blizzard's OAuth application abuse. Two caveats before deployment: the UDM event_type and the labels["permissions"] key are parser-dependent, so confirm both against a known consent event in your instance; and the rule cannot tell a newly registered third-party app from a sanctioned one on its own, so pair it with an allowlist of approved service principals (see False Positives & Tuning).
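The rule's grant logic replayed over Entra ID audit records, as an added example that is not part of the original page or of Chronicle's rule: it takes records in the shape Microsoft Graph's directoryAudits API returns, pulls the space-separated Scope list out of the ConsentAction.Permissions property, applies the same sensitive-scope list anchored per scope token (so User.Read or Mail.ReadBasic do not trigger on a substring), suppresses a constructed allowlist of sanctioned service principal IDs, and flags app role assignments regardless of scope. Every record, ID, app name and the allowlist below are constructed; the exact modifiedProperties value format is an assumption modelled on Entra ID audit output and should be checked against your own tenant's events.

```python
"""Replay of the consent-grant logic from the rule above over Entra ID audit records.
Added example; all records below are constructed, not real tenant telemetry."""
import json
import re

# Same scope list as the YARA-L rule, matched against one whole scope token at a time.
SENSITIVE_SCOPES = re.compile(
    r"(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Mail\.ReadBasic\.All|Files\.Read\.All|"
    r"Files\.ReadWrite\.All|offline_access|Directory\.Read\.All|User\.Read\.All|"
    r"User\.ReadWrite\.All|Contacts\.Read|Contacts\.ReadWrite|Sites\.Read\.All|"
    r"Sites\.ReadWrite\.All|MailboxSettings\.ReadWrite|Calendars\.ReadWrite|Group\.Read\.All)"
)
APP_ROLE_ACTIVITY = "Add app role assignment to service principal"
CONSENT_ACTIVITIES = {"Consent to application", "Add delegated permission grant",
                      "Add OAuth2PermissionGrant", APP_ROLE_ACTIVITY}
# Constructed allowlist of sanctioned service principal object IDs (the tuning knob for the
# false positives listed on this page); in practice it comes from an app inventory.
ALLOWLISTED_SP_IDS = {"2b7e1516-28ae-4d3a-9f6d-0000000000a1"}


def _prop(record, name):
    """Return a modifiedProperties newValue by display name. Entra ID stores newValue as a
    JSON-encoded string (e.g. "\"False\""), hence the json.loads (assumed format)."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                raw = prop.get("newValue")
                try:
                    return json.loads(raw) if raw else None
                except json.JSONDecodeError:
                    return raw
    return None


def granted_scopes(record):
    """Parse the space-separated 'Scope:' list out of ConsentAction.Permissions."""
    perms = _prop(record, "ConsentAction.Permissions")
    if not isinstance(perms, str):
        return set()
    m = re.search(r"Scope:\s*([^,\]]*)", perms)
    return set(m.group(1).split()) if m else set()


def evaluate(record, allowlist=ALLOWLISTED_SP_IDS):
    """Return a finding dict for a suspicious grant, or None."""
    activity = record.get("activityDisplayName")
    if activity not in CONSENT_ACTIVITIES or record.get("result") != "success":
        return None
    target = (record.get("targetResources") or [{}])[0]
    if target.get("id") in allowlist:
        return None  # sanctioned app: suppress here rather than trimming the scope list
    sensitive = sorted(s for s in granted_scopes(record) if SENSITIVE_SCOPES.fullmatch(s))
    admin_consent = str(_prop(record, "ConsentContext.IsAdminConsent")).lower() == "true"
    app_role = activity == APP_ROLE_ACTIVITY  # app-only roles carry no delegated Scope
    reasons = [r for r, hit in (("sensitive_scopes", sensitive),
                                ("admin_consent", admin_consent),
                                ("app_role_assignment", app_role)) if hit]
    if not reasons:
        return None
    # offline_access plus a data scope yields a refresh token: durable, MFA-independent access
    persistent = "offline_access" in sensitive and len(sensitive) > 1
    initiator = record.get("initiatedBy", {})
    actor = initiator.get("user") or initiator.get("app") or {}
    return {
        "actor": actor.get("userPrincipalName") or actor.get("displayName"),
        "source_ip": actor.get("ipAddress"),
        "app": target.get("displayName"),
        "app_id": target.get("id"),
        "admin_consent": admin_consent,
        "sensitive_scopes": sensitive,
        "reasons": reasons,
        "severity": "HIGH" if persistent or app_role else "MEDIUM",
    }


def triage(records):
    return [f for f in map(evaluate, records) if f]


def _consent(user, ip, app_name, app_id, scopes, admin=False):
    """Build a constructed 'Consent to application' audit record."""
    return {
        "activityDisplayName": "Consent to application", "category": "ApplicationManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": user, "ipAddress": ip}},
        "targetResources": [{"id": app_id, "displayName": app_name, "type": "ServicePrincipal",
                             "modifiedProperties": [
            {"displayName": "ConsentContext.IsAdminConsent",
             "newValue": json.dumps("True" if admin else "False")},
            {"displayName": "ConsentAction.Permissions",
             "newValue": json.dumps(f"[] => [[Id: c0ffee, ClientId: {app_id}, "
                                    f"ConsentType: Principal, Scope: {scopes}]]")}]}],
    }


SAMPLE_RECORDS = [
    # 1. consent phishing: a standard user grants a look-alike app mail, files and a refresh token
    _consent("jdoe@contoso.example", "203.0.113.10", "HR Document Portal",
             "6f1c0d2a-5b1e-4c11-9a0e-0000000000f1", "User.Read Mail.Read offline_access Files.Read.All"),
    # 2. benign sign-in scopes only
    _consent("asmith@contoso.example", "198.51.100.7", "Lunch Menu",
             "0d9b3c4e-1f2a-4b3c-8d4e-0000000000f2", "openid profile email User.Read"),
    # 3. admin consent to a sanctioned eDiscovery connector: allowlisted, so suppressed
    _consent("admin@contoso.example", "198.51.100.20", "Contoso eDiscovery Connector",
             "2b7e1516-28ae-4d3a-9f6d-0000000000a1", "Sites.Read.All Mail.Read", admin=True),
    # 4. app-only role assignment (the Midnight Blizzard pattern): no delegated Scope at all
    {"activityDisplayName": APP_ROLE_ACTIVITY, "category": "ApplicationManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.20"}},
     "targetResources": [{"id": "9e107d9d-372b-4f5e-a9a4-0000000000f4", "displayName": "Legacy Test App",
                          "type": "ServicePrincipal", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Running it yields two findings: the HR Document Portal grant at HIGH (offline_access combined with Mail.Read and Files.Read.All) and the app role assignment at HIGH, while the sign-in-only consent and the allowlisted admin consent are dropped. Passing an empty allowlist to evaluate shows what the rule would raise without tuning: the eDiscovery consent then surfaces as a MEDIUM admin-consent finding.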
Data Sources
- Microsoft Entra ID (Azure AD) audit log, ingested into Chronicle as UDM events with metadata.product_name "Azure Active Directory"; the consent, permission-grant and app-role-assignment activities matched above sit in the ApplicationManagement audit category
False Positives & Tuning
- Legitimate enterprise application deployments where IT administrators intentionally consent to broad permissions for approved internal or third-party SaaS tools including CASB, archiving, and eDiscovery platforms
- Automated CI/CD pipeline service principal grants for DevOps tooling accessing SharePoint Online or Exchange Online as part of infrastructure automation
- Microsoft-published first-party applications such as Teams, Viva, or Microsoft 365 Copilot receiving admin consent during new feature activation or license expansion events
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Illicit OAuth Consent Grant Simulation. In a test tenant, register an application that requests Mail.Read, offline_access and Files.Read.All, then complete the user consent prompt as a non-admin test user.
Expected signal: the Entra ID (Azure AD) audit log records a 'Consent to application' event for the test user whose ConsentAction.Permissions list includes Mail.Read, offline_access and Files.Read.All, and the rule fires for that user and application. Afterwards revoke the permission grant and delete the test service principal so the exercise does not leave real standing access behind.