THREAT-M365-SuspiciousOAuthConsent (IBM QRadar)

Detect Suspicious OAuth Application Consent Grant in Microsoft 365 in IBM QRadar

Illicit OAuth consent grants are a persistent M365 attack vector where users are tricked into granting third-party applications excessive permissions to their Microsoft 365 data. Attackers register OAuth apps with convincing names ('HR Document Portal', 'Microsoft Security Update', 'Teams Bot') and send phishing emails directing users to 'consent' to the app. Once consented, the attacker's app has persistent API access (often with Mail.Read, Contacts.Read, Files.Read, or offline_access) without needing the user's credentials or bypassing MFA. Microsoft documented Storm-0558 and Midnight Blizzard using this technique. NCSC UK warns that illicit consent grants are particularly effective against SMBs because many lack admin consent workflows. Attackers can also use 'consent phishing' through OAuth apps registered in the same Entra ID tenant after initial compromise.

MITRE ATT&CK

Tactics
  • Credential Access
  • Collection

QRadar Detection Query

IBM QRadar AQL (high severity, medium confidence)

```sql
SELECT
  DATEFORMAT(startTime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  username AS ConsentorUPN,
  sourceip AS ConsentorIP,
  QIDNAME(qid) AS OperationName,
  "deviceCustomString1" AS AppName,
  "deviceCustomString3" AS PermissionsGranted,
  CATEGORYNAME(category) AS CategoryName,
  magnitude
FROM events
WHERE LOGSOURCETYPEID(devicetype) = 413
  AND (
    LOWER(QIDNAME(qid)) = 'consent to application'
    OR LOWER(QIDNAME(qid)) = 'add delegated permission grant'
    OR LOWER(QIDNAME(qid)) = 'add oauth2permissiongrant'
    OR LOWER(QIDNAME(qid)) = 'add app role assignment to service principal'
  )
  AND (
    "deviceCustomString3" ILIKE '%Mail.Read%'
    OR "deviceCustomString3" ILIKE '%Mail.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Mail.Send%'
    OR "deviceCustomString3" ILIKE '%Mail.ReadBasic.All%'
    OR "deviceCustomString3" ILIKE '%Files.Read.All%'
    OR "deviceCustomString3" ILIKE '%Files.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%offline_access%'
    OR "deviceCustomString3" ILIKE '%Directory.Read.All%'
    OR "deviceCustomString3" ILIKE '%User.Read.All%'
    OR "deviceCustomString3" ILIKE '%User.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%Contacts.Read%'
    OR "deviceCustomString3" ILIKE '%Contacts.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Sites.Read.All%'
    OR "deviceCustomString3" ILIKE '%Sites.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%MailboxSettings.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Calendars.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Group.Read.All%'
    OR LOWER(QIDNAME(qid)) = 'add app role assignment to service principal'
  )
ORDER BY startTime DESC
LAST 24 HOURS
```

Detects suspicious OAuth application consent grants in Microsoft Azure AD / Entra ID by querying for consent and permission-grant operations whose granted scopes include sensitive Microsoft Graph API permissions. LOGSOURCETYPEID 413 corresponds to the Microsoft Azure Active Directory DSM in QRadar. The scope filter targets permissions that give persistent email, file, and directory access of the kind used in the Storm-0558 and Midnight Blizzard consent phishing campaigns. Note that the ILIKE patterns are substring matches, so '%Mail.Read%' also matches Mail.ReadWrite and Mail.ReadBasic.All; 'add app role assignment to service principal' is repeated inside the scope block so that application-permission role assignments are flagged even when the custom property holding the scopes is empty.

Data Sources

  • Microsoft Azure Active Directory DSM (LOGSOURCETYPEID 413)
  • Azure Monitor Logs forwarded to QRadar via Syslog or Azure Event Hub
  • Microsoft Office 365 DSM for unified audit log events

Required Tables

events

False Positives & Tuning

  • Enterprise application deployments by IT where administrators intentionally grant broad OAuth permissions to approved productivity or security tools during onboarding or integration setup
  • Automated provisioning via Azure DevOps or infrastructure-as-code pipelines creating service principals with application-level permissions to Exchange Online or SharePoint
  • Periodic re-consent workflows triggered by Microsoft after permission scope changes, Conditional Access policy updates, or tenant-wide admin consent policy enforcement changes
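The following Python script is an added example, not code from the original page or from IBM; it re-implements the detection logic of the AQL query above over constructed audit records, so the operation-name and scope-matching rules (including the ILIKE substring behaviour and the scope-independent app role assignment case) can be exercised offline. It also shows the simplest tuning for the IT-deployment false positive listed above: an allowlist of approved application names. The record layout (flat `operationName`, `appName`, `permissions` fields standing in for QIDNAME and the deviceCustomString properties) and the application names are assumptions made for the example.

```python
"""Offline re-implementation of the QRadar consent-grant detection logic.

Example code, not the page's or IBM's own. Record layout and app names are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Operation names the AQL query matches (compared lower-cased, as in the query).
CONSENT_OPERATIONS = {
    "consent to application",
    "add delegated permission grant",
    "add oauth2permissiongrant",
    "add app role assignment to service principal",
}

# Flagged even when no permission string is present; the AQL repeats this
# operation inside its scope-matching OR block for exactly that reason.
SCOPE_INDEPENDENT_OPERATION = "add app role assignment to service principal"

# Sensitive Graph permission patterns from the query. Matching is substring and
# case-insensitive, like ILIKE '%...%', so "Mail.Read" also hits "Mail.ReadWrite".
SENSITIVE_SCOPES = [
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.ReadBasic.All",
    "Files.Read.All", "Files.ReadWrite.All", "offline_access",
    "Directory.Read.All", "User.Read.All", "User.ReadWrite.All",
    "Contacts.Read", "Contacts.ReadWrite", "Sites.Read.All", "Sites.ReadWrite.All",
    "MailboxSettings.ReadWrite", "Calendars.ReadWrite", "Group.Read.All",
]


@dataclass
class Finding:
    time: str
    user: str
    ip: str
    operation: str
    app: str
    matched_scopes: List[str]


def matched_sensitive_scopes(permissions: str) -> List[str]:
    """Return every sensitive pattern found in the permission string (ILIKE-style)."""
    lowered = permissions.lower()
    return [scope for scope in SENSITIVE_SCOPES if scope.lower() in lowered]


def evaluate(event: dict, approved_apps: frozenset = frozenset()) -> Optional[Finding]:
    """Apply the query's WHERE logic to one flattened audit record."""
    operation = event.get("operationName", "").lower()
    if operation not in CONSENT_OPERATIONS:
        return None
    scopes = matched_sensitive_scopes(event.get("permissions", ""))
    if not scopes and operation != SCOPE_INDEPENDENT_OPERATION:
        return None
    # Tuning: suppress grants to applications IT has explicitly approved
    # (hypothetical allowlist; in QRadar this would be a reference set).
    if event.get("appName", "") in approved_apps:
        return None
    return Finding(
        time=event.get("time", ""),
        user=event.get("user", ""),
        ip=event.get("ip", ""),
        operation=event.get("operationName", ""),
        app=event.get("appName", ""),
        matched_scopes=scopes,
    )


def run_detection(events: Iterable[dict], approved_apps: frozenset = frozenset()) -> List[Finding]:
    """Return findings for all records that satisfy the detection, in input order."""
    return [f for f in (evaluate(e, approved_apps) for e in events) if f is not None]


# Constructed sample records (not real tenant data). "permissions" stands in for
# deviceCustomString3 and "appName" for deviceCustomString1 in the AQL.
SAMPLE_EVENTS = [
    {"time": "2024-01-01 09:12:00", "operationName": "Consent to application",
     "user": "jdoe@contoso.example", "ip": "203.0.113.10",
     "appName": "HR Document Portal", "permissions": "Mail.Read offline_access Files.Read.All"},
    {"time": "2024-01-01 10:05:00", "operationName": "Consent to application",
     "user": "itadmin@contoso.example", "ip": "198.51.100.5",
     "appName": "Contoso Backup Connector", "permissions": "Mail.ReadWrite offline_access"},
    {"time": "2024-01-01 10:30:00", "operationName": "Consent to application",
     "user": "asmith@contoso.example", "ip": "203.0.113.22",
     "appName": "Calendar Widget", "permissions": "User.Read"},
    {"time": "2024-01-01 11:00:00", "operationName": "Update application",
     "user": "itadmin@contoso.example", "ip": "198.51.100.5",
     "appName": "Calendar Widget", "permissions": "Mail.Read"},
    {"time": "2024-01-01 11:45:00", "operationName": "Add app role assignment to service principal",
     "user": "itadmin@contoso.example", "ip": "198.51.100.5",
     "appName": "Pipeline Service Principal", "permissions": ""},
]

# Hypothetical allowlist populated from the IT onboarding process.
APPROVED_APPS = frozenset({"Contoso Backup Connector"})

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS, APPROVED_APPS):
        print(f"{finding.time} {finding.user} {finding.operation!r} app={finding.app!r} "
              f"scopes={finding.matched_scopes}")
```

Running the script reports the "HR Document Portal" consent (three sensitive scopes matched) and the service principal app role assignment (flagged with no scope string, mirroring the AQL's second OR block), while the approved backup connector is tuned out and the User.Read-only consent never matches because the query's patterns all require a broader scope.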
Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Illicit OAuth Consent Grant Simulation

    Expected signal: Azure AD Audit log records 'Consent to application' event with Mail.Read, offline_access, and Files.Read.All permissions for the test user.
