Detect Suspicious OAuth Application Consent Grant in Microsoft 365 in Sumo Logic CSE
Illicit OAuth consent grants are a persistent M365 attack vector in which users are tricked into granting a third-party application excessive permissions to their Microsoft 365 data. Attackers register OAuth apps with convincing names ('HR Document Portal', 'Microsoft Security Update', 'Teams Bot') and send phishing emails directing users to 'consent' to the app. Once consent is given, the attacker's app has persistent API access (often with Mail.Read, Contacts.Read, Files.Read, or offline_access) without ever needing the user's credentials and without having to defeat MFA, because the user authenticates legitimately and the resulting tokens are issued to the app. Microsoft documented Storm-0558 and Midnight Blizzard using this technique. NCSC UK warns that illicit consent grants are particularly effective against SMBs because many lack admin consent workflows. Attackers can also use 'consent phishing' through OAuth apps registered in the same Entra ID tenant after an initial compromise.
MITRE ATT&CK
- Tactic: Credential Access, Collection
Sumo Detection Query
_sourceCategory=azure/aad/audit OR _sourceCategory=azure/active_directory/audit
| json field=_raw "operationName" as OperationName nodrop
| json field=_raw "result" as Result nodrop
| where OperationName in (
    "Consent to application",
    "Add delegated permission grant",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal"
  )
| where Result = "success"
| json field=_raw "targetResources[0].displayName" as AppName nodrop
| json field=_raw "targetResources[0].id" as AppId nodrop
| json field=_raw "initiatedBy.user.userPrincipalName" as ConsentorUPN nodrop
| json field=_raw "initiatedBy.user.ipAddress" as ConsentorIP nodrop
| json field=_raw "additionalDetails" as AdditionalDetails nodrop
// Keep delegated grants that name a sensitive Graph scope; app role assignments are always kept
| where AdditionalDetails matches /(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Mail\.ReadBasic\.All|Files\.Read\.All|Files\.ReadWrite\.All|offline_access|Directory\.Read\.All|User\.Read\.All|User\.ReadWrite\.All|Contacts\.Read|Contacts\.ReadWrite|Sites\.Read\.All|Sites\.ReadWrite\.All|MailboxSettings\.ReadWrite|Calendars\.ReadWrite|Group\.Read\.All)/
    OR OperationName = "Add app role assignment to service principal"
| count as ConsentEvents by ConsentorIP, AppName, AppId, ConsentorUPN, OperationName
| sort by ConsentEvents desc
| fields ConsentorIP, AppName, AppId, ConsentorUPN, OperationName, ConsentEvents

Detects illicit OAuth consent grants in Microsoft Azure Active Directory / Entra ID where users or admins grant third-party applications sensitive M365 API permissions. Parses the Azure AD audit log JSON to extract the app identity, the consenting user, and the permission scopes. Surfaces consent phishing patterns used by Storm-0558 and Midnight Blizzard, including bulk consent events from a single IP and app role assignment grants. Note that the scope filter uses Sumo's infix `matches` operator with a regex literal (`/.../`); a plain double-quoted string would be treated as a wildcard pattern, not a regex.
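To check the query's logic offline before deploying it, the following added example (not part of the original page or of Sumo Logic) replays the same filters and group-by in Python over constructed Azure AD audit records. The sample records, the `ConsentAction.Permissions` placement inside `additionalDetails`, and the example.test identities are assumptions made for the demonstration.

```python
import json
import re
from collections import Counter
# Operation names and sensitive Graph scopes mirrored from the Sumo query above.
CONSENT_OPS = {"Consent to application", "Add delegated permission grant",
               "Add OAuth2PermissionGrant", "Add app role assignment to service principal"}
SENSITIVE_SCOPES = re.compile(
    r"(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Files\.Read\.All|Files\.ReadWrite\.All"
    r"|offline_access|Directory\.Read\.All|User\.Read\.All|Contacts\.Read|Sites\.Read\.All)")

def detect_consent_grants(raw_lines):
    """Replay the query's filters over raw audit-log JSON lines; Counter keyed like its 'count by'."""
    hits = Counter()
    for line in raw_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: none of the filters can match it
        op = ev.get("operationName")
        if op not in CONSENT_OPS or ev.get("result") != "success":
            continue
        target = (ev.get("targetResources") or [{}])[0]
        user = (ev.get("initiatedBy") or {}).get("user") or {}  # user is null for app-initiated events
        details = json.dumps(ev.get("additionalDetails", []))
        # App role assignments are always kept; delegated grants must name a sensitive scope.
        if op != "Add app role assignment to service principal" and not SENSITIVE_SCOPES.search(details):
            continue
        hits[(user.get("ipAddress"), target.get("displayName"), target.get("id"),
              user.get("userPrincipalName"), op)] += 1
    return hits

def consents_per_ip(hits):
    """Roll the grouped hits up by source IP to surface bulk consent from one address."""
    per_ip = Counter()
    for (ip, *_), n in hits.items():
        per_ip[ip] += n
    return per_ip

def _record(upn, ip, app, app_id, perms, result="success"):  # constructed audit record (assumed layout)
    return json.dumps({"operationName": "Consent to application", "result": result,
                       "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
                       "targetResources": [{"displayName": app, "id": app_id}],
                       "additionalDetails": [{"key": "ConsentAction.Permissions", "value": perms}]})
# Constructed sample: two sensitive consents from one IP, one benign consent, one failed attempt.
SAMPLE_LOG = [
    _record("alice@example.test", "203.0.113.10", "HR Document Portal", "app-0001", "Mail.Read offline_access"),
    _record("bob@example.test", "203.0.113.10", "HR Document Portal", "app-0001", "Mail.Read offline_access"),
    _record("carol@example.test", "198.51.100.7", "Expense Tracker", "app-0002", "User.Read openid"),
    _record("dave@example.test", "203.0.113.10", "HR Document Portal", "app-0001", "Mail.Read", "failure"),
]
```

Running `detect_consent_grants(SAMPLE_LOG)` yields the two alice/bob rows and `consents_per_ip` attributes both to 203.0.113.10, the bulk-consent-from-one-IP pattern the query is meant to surface; the benign `User.Read` consent and the failed attempt are dropped.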
False Positives & Tuning
- Legitimate deployment of approved enterprise OAuth applications by IT administrators that require broad permissions for business functionality such as backup, DLP, or archiving solutions
- ISV software integrations connecting to Microsoft 365 during product trials or onboarding where the vendor's app requests standard delegated scopes
- Microsoft-published applications being consented for the first time after new tenant policies, license changes, or Copilot feature roll-outs that require explicit admin consent
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Illicit OAuth Consent Grant Simulation
Expected signal: Azure AD Audit log records 'Consent to application' event with Mail.Read, offline_access, and Files.Read.All permissions for the test user.