title: Suspicious OAuth Application Consent Grant in Microsoft 365 (THREAT-M365-SuspiciousOAuthConsent)
id: df00tech-threat-m365-suspiciousoauthconsent
status: experimental
description: "Illicit OAuth consent grants are a persistent M365 attack vector where users are tricked into granting third-party applications excessive permissions to their Microsoft 365 data. Attackers register OAuth apps with convincing names ('HR Document Portal', 'Microsoft Security Update', 'Teams Bot') and send phishing emails directing users to 'consent' to the app. Once consented, the attacker's app has persistent API access (often with Mail.Read, Contacts.Read, Files.Read, or offline_access) without needing the user's credentials or bypassing MFA. Microsoft documented Storm-0558 and Midnight Blizzard using this technique. NCSC UK warns that illicit consent grants are particularly effective against SMBs because many lack admin consent workflows. Attackers can also use 'consent phishing' through OAuth apps registered in the same Entra ID tenant after initial compromise."
references:
  - https://attack.mitre.org/techniques/THREAT-M365-SuspiciousOAuthConsent/
  - https://df00tech.com/detections/THREAT-M365-SuspiciousOAuthConsent
author: df00tech
date: 2026/04/27
tags:
  - attack.threat-m365-suspiciousoauthconsent
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # Placeholder, not a translated detection: 'EventID: *' matches every event in the
  # azure logsource and will fire on all of them. Replace it with the KQL/SPL query
  # published on df00tech before deploying this rule.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators deploying approved third-party Microsoft 365 integrations (Slack, Zoom, Adobe, DocuSign) and granting required permissions"
  - Users adding approved productivity apps from Microsoft AppSource that request standard permissions
  - "Microsoft-published applications (Power Automate, Power BI) requesting permissions during initial setup"
  - Internal developers registering apps for legitimate automation workflows
level: high
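
The rule above ships with a match-all placeholder, so the following is an added example (not df00tech's query and not the rule's own logic) of how the description's indicators can be scored over consent-grant audit records. It assumes the records have already been normalized into a flat schema (Operation, UserId, AppId, AppDisplayName, IsAdminConsent, Scope, PublisherVerified); the field names, the sample records, the approved-app allowlist and the lure-name pattern are all constructed for the example and must be mapped to and tuned for your own tenant's logs.

```python
"""Score Entra ID 'Consent to application.' records for illicit-consent indicators.

Added example; the normalized record schema, sample data and thresholds are assumptions.
"""
import re
from dataclasses import dataclass, field

# Delegated scopes the rule description singles out as typical of illicit grants
# (assumed list; extend it with whatever your tenant treats as sensitive).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Files.Read", "Files.Read.All", "Files.ReadWrite.All",
    "offline_access",
}
DATA_SCOPES = HIGH_RISK_SCOPES - {"offline_access"}

# Words attackers borrow for lure app names ('HR Document Portal', 'Microsoft Security
# Update', 'Teams Bot'); assumed pattern, tune to your environment.
LURE_NAME_PATTERN = re.compile(r"microsoft|security|update|\bhr\b|teams|document|portal", re.IGNORECASE)

# Application IDs your tenant has reviewed and approved (constructed placeholder value).
APPROVED_APP_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}

ALERT_THRESHOLD = 4  # assumed; raise or lower after measuring false positives


@dataclass
class Finding:
    user: str
    app_display_name: str
    score: int
    reasons: list = field(default_factory=list)


def score_consent(record):
    """Return a Finding for a consent record, or None for any other operation."""
    if record.get("Operation") != "Consent to application.":
        return None
    user = record.get("UserId", "")
    app_name = record.get("AppDisplayName", "")
    if record.get("AppId") in APPROVED_APP_IDS:
        # Approved integrations (the rule's listed false positives) are scored zero.
        return Finding(user, app_name, 0, ["approved application"])

    score, reasons = 0, []
    scopes = set(record.get("Scope", "").split())

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += len(risky)
        reasons.append("high-risk scopes: " + " ".join(risky))

    # offline_access yields a refresh token, so data access survives password resets.
    if "offline_access" in scopes and scopes & DATA_SCOPES:
        score += 2
        reasons.append("offline_access paired with a data scope (persistent access)")

    if not record.get("IsAdminConsent", False):
        score += 1
        reasons.append("user consent without admin review")

    if LURE_NAME_PATTERN.search(app_name):
        score += 2
        reasons.append("display name resembles a brand or workflow lure")

    if not record.get("PublisherVerified", False):
        score += 1
        reasons.append("publisher not verified")

    return Finding(user, app_name, score, reasons)


def find_suspicious(records, threshold=ALERT_THRESHOLD):
    """Return findings at or above the threshold, in input order."""
    findings = (score_consent(r) for r in records)
    return [f for f in findings if f is not None and f.score >= threshold]


# Constructed sample records, not real audit-log output.
SAMPLE_RECORDS = [
    {"Operation": "Consent to application.", "UserId": "alice@example.com",
     "AppId": "deadbeef-0000-4000-8000-000000000002", "AppDisplayName": "HR Document Portal",
     "IsAdminConsent": False, "Scope": "Mail.Read Contacts.Read offline_access",
     "PublisherVerified": False},
    {"Operation": "Consent to application.", "UserId": "admin@example.com",
     "AppId": "11111111-aaaa-4bbb-8ccc-000000000001", "AppDisplayName": "Zoom",
     "IsAdminConsent": True, "Scope": "User.Read Calendars.ReadWrite",
     "PublisherVerified": True},
    {"Operation": "Consent to application.", "UserId": "bob@example.com",
     "AppId": "deadbeef-0000-4000-8000-000000000003", "AppDisplayName": "Power BI",
     "IsAdminConsent": False, "Scope": "User.Read openid profile",
     "PublisherVerified": True},
    {"Operation": "Add user.", "UserId": "admin@example.com"},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_RECORDS):
        print(f"{f.user} consented to '{f.app_display_name}' (score {f.score}): {'; '.join(f.reasons)}")
```

The allowlist check runs before scoring so that approved integrations never surface, while Microsoft-published or low-privilege apps still get scored and simply fall under the threshold; review the scored-but-unflagged records periodically when tuning the pattern and the scope list.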
