title: Cloud Application Integration (T1671)
id: df00tech-t1671
status: experimental
description: "This detection identifies adversaries achieving persistence in SaaS environments by abusing OAuth application integrations. Attackers register malicious applications, hijack existing integrations, or consent to adversary-controlled apps from high-privileged accounts to maintain access even after account compromise or password resets. Detection focuses on anomalous OAuth consent grants, new application registrations, service principal creation, and permission escalation events in Microsoft 365, Azure AD/Entra ID, and Google Workspace environments. Particular attention is paid to admin consent grants for high-privilege scopes, application registrations from non-admin users, and OAuth grants that occur outside normal business workflows."
references:
  - https://attack.mitre.org/techniques/T1671/
  - https://df00tech.com/detections/T1671
author: df00tech
date: 2026/03/20
tags:
  - attack.t1671
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate IT administrators deploying enterprise applications that require admin consent for business-critical permissions
  - "Productivity application onboarding during organizational rollouts (e.g., deploying a new CRM, ITSM, or HR integration)"
  - "Third-party security vendors requiring Mail.Read or Directory.Read.All for legitimate CASB, DLP, or threat protection services"
  - Developers registering applications in development tenants or sandbox environments for testing purposes
  - Microsoft-published first-party applications being re-consented after permission scope changes in product updates
level: high