THREAT-M365-SuspiciousOAuthConsent Microsoft Sentinel · KQL

Detect Suspicious OAuth Application Consent Grant in Microsoft 365 in Microsoft Sentinel

Illicit OAuth consent grants are a persistent M365 attack vector where users are tricked into granting third-party applications excessive permissions to their Microsoft 365 data. Attackers register OAuth apps with convincing names ('HR Document Portal', 'Microsoft Security Update', 'Teams Bot') and send phishing emails directing users to 'consent' to the app. Once consented, the attacker's app has persistent API access (often with Mail.Read, Contacts.Read, Files.Read, or offline_access) without needing the user's credentials or bypassing MFA. Microsoft documented Storm-0558 and Midnight Blizzard using this technique. NCSC UK warns that illicit consent grants are particularly effective against SMBs because many lack admin consent workflows. Attackers can also use 'consent phishing' through OAuth apps registered in the same Entra ID tenant after initial compromise.

MITRE ATT&CK

Tactic
Credential Access Collection

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// THREAT: Suspicious OAuth Application Consent Grant
// Detects illicit OAuth consent grants in Microsoft 365 / Entra ID
// Primary telemetry: Azure AD Audit Logs, O365 audit logs

// Alert 1: High-privilege OAuth application consent grants
let SensitivePermissions = dynamic([
  "Mail.Read", "Mail.ReadWrite", "Mail.Send",
  "Mail.ReadBasic.All", "MailboxSettings.ReadWrite",
  "Files.Read.All", "Files.ReadWrite.All",
  "Contacts.Read", "Contacts.ReadWrite",
  "User.Read.All", "User.ReadWrite.All",
  "Group.Read.All", "Directory.Read.All",
  "offline_access", "Calendars.ReadWrite",
  "Sites.Read.All", "Sites.ReadWrite.All"
]);
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Consent to application", "Add app role assignment to service principal",
    "Add delegated permission grant", "Add OAuth2PermissionGrant")
| where Result =~ "success"
| extend AppName = tostring(TargetResources[0].displayName)
| extend GrantedPermissions = tostring(AdditionalDetails)
| extend ConsentorIP = tostring(InitiatedBy.user.ipAddress)
| extend ConsentorUPN = tostring(InitiatedBy.user.userPrincipalName)
| where GrantedPermissions has_any (SensitivePermissions)
    or OperationName has "admin consent"
| project TimeGenerated, OperationName, AppName, ConsentorUPN,
    ConsentorIP, GrantedPermissions, TargetResources
| extend ThreatType = "OAuthConsent_SensitivePermissions";
// Alert 2: First-time application consent (new app never seen before in tenant)
let KnownApps = AuditLogs
| where TimeGenerated between (ago(90d) .. ago(1d))
| where OperationName has "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| distinct AppId;
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| extend AppName = tostring(TargetResources[0].displayName)
| where AppId !in~ (KnownApps)
| project TimeGenerated, AppName, AppId, InitiatedBy, TargetResources
| extend ThreatType = "OAuthConsent_NewUnseenApplication"
high severity high confidence

Dual OAuth consent detection: (1) consent grants that include sensitive permissions (Mail.Read, Files.Read.All, offline_access) — these are the permissions attackers seek to maintain persistent email and file access; (2) consents to applications not seen in the tenant in the past 90 days — first-time app consents from non-admin users are a common illicit consent grant pattern. Both should trigger review against Microsoft AppSource or your internal app registry.

Data Sources

Azure AD Audit Logs (AuditLogs)Office 365 Unified Audit Log (OfficeActivity)Microsoft 365 Defender

Required Tables

AuditLogsOfficeActivity

False Positives & Tuning

  • IT administrators deploying approved third-party Microsoft 365 integrations (Slack, Zoom, Adobe, DocuSign) and granting required permissions
  • Users adding approved productivity apps from Microsoft AppSource that request standard permissions
  • Microsoft-published applications (Power Automate, Power BI) requesting permissions during initial setup
  • Internal developers registering apps for legitimate automation workflows
Download portable Sigma rule (.yml)

Other platforms for THREAT-M365-SuspiciousOAuthConsent

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Illicit OAuth Consent Grant Simulation

    Expected signal: Azure AD Audit log records 'Consent to application' event with Mail.Read, offline_access, and Files.Read.All permissions for the test user.

Last updated: 2026-04-27 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for THREAT-M365-SuspiciousOAuthConsent including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1550.001Application Access Token

Related Techniques

T1550.001Application Access TokenT1114.002Remote Email CollectionT1528Steal Application Access TokenT1566.002Spearphishing Link

Same Tactic: Credential Access

Popular Detections