App Attacks: The Growing Danger of App Consent Misuse in the Cloud
The ZeroFox Digital Forensics and Incident Response (DFIR) team works to identify, investigate, and remediate cyber attacks that occur within information systems and networks. Recently, our team has observed threat actors taking advantage of a commonly overlooked Microsoft 365 (M365) security setting: the tenant policy that governs whether users may consent to third-party applications. Threat actors can abuse this setting to put legitimate applications to malicious use, which underlines the importance of robust security configurations in cloud environments. Notably, this technique has been linked to an incident involving Midnight Blizzard/APT 29.
Compromised Accounts and Malicious Application Use
After taking over an M365 account through social engineering techniques such as phishing, compromised credentials, or malware, threat actors install and consent to applications such as PerfectData Software and eM Client. These applications, while legitimate, can be weaponized to facilitate data exfiltration and to maintain persistent access to accounts beyond a password reset.
The root of the security issue lies in the user consent setting for applications in Microsoft 365. By default, users are often allowed to grant consent to third-party applications, which can provide these applications with access to organizational data. The setting, while convenient for users, can be a significant security risk if not properly managed.
ZeroFox Case Study: PerfectData Software
Taking a further look at a case involving PerfectData Software, ZeroFox identified the application being added as a service principal in the tenant, with delegated permissions that allowed mailbox access and offline access (refresh tokens) for two compromised user accounts.
The PerfectData Software app was identified as having the following permissions:
- “EWS.AccessAsUser.All” - grants the app full mailbox access for the signed-in user through Exchange Web Services.
- “openid” - allows an app to securely sign-in users and obtain an identity token for authentication.
- “offline_access” - lets the app obtain a refresh token, so it can keep acquiring new access tokens on behalf of the user without further user interaction.
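The permission set above is what an investigator wants to hunt for across the whole tenant, not just on the two accounts already known to be compromised. The following Microsoft Graph PowerShell script is an added example, not code from the ZeroFox post: it enumerates every delegated OAuth2 permission grant in the tenant and flags grants that pair a mailbox-access scope with offline_access, reporting which app holds the grant, whether a single user or an admin consented, and the app's client ID (the value you would later block). The list of mailbox scopes is my own choice of well-known Exchange Online and Graph scope names; the Graph permissions named in the comments are assumptions about what your signed-in account needs.

```powershell
# Added example (not from the ZeroFox post): find delegated OAuth2 grants in an Entra ID
# tenant that combine mailbox access with offline_access, the pattern seen in the case study.
# Requires the Microsoft.Graph PowerShell SDK and a session holding at least
# Application.Read.All, DelegatedPermissionGrant.ReadWrite.All and User.Read.All (assumed).

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "User.Read.All"

# Delegated scopes that let an app read mail as the user (EWS, Graph, IMAP/POP).
$MailScopes = @(
    "EWS.AccessAsUser.All", "Mail.Read", "Mail.ReadWrite",
    "IMAP.AccessAsUser.All", "POP.AccessAsUser.All"
)

function Get-RiskyDelegatedGrants {
    # Each oauth2PermissionGrant is one consent record: client service principal,
    # consent type (Principal = one user consented, AllPrincipals = admin consent for
    # the whole tenant), the consenting user (for Principal) and a space-separated scope list.
    $grants  = Get-MgOauth2PermissionGrant -All
    $spCache = @{}

    foreach ($g in $grants) {
        $scopes     = @(($g.Scope -split '\s+') | Where-Object { $_ })
        $hasMail    = @($scopes | Where-Object { $MailScopes -contains $_ }).Count -gt 0
        $hasOffline = $scopes -contains "offline_access"
        if (-not ($hasMail -and $hasOffline)) { continue }

        # Resolve the client service principal once per app, not once per grant.
        if (-not $spCache.ContainsKey($g.ClientId)) {
            $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        }
        $sp = $spCache[$g.ClientId]

        $consentedBy = if ($g.ConsentType -eq "Principal") {
            (Get-MgUser -UserId $g.PrincipalId).UserPrincipalName
        } else {
            "ALL USERS (admin consent)"
        }

        [pscustomobject]@{
            AppDisplayName   = $sp.DisplayName
            AppId            = $sp.AppId      # client ID: the identifier to block later
            ServicePrincipal = $sp.Id
            ConsentType      = $g.ConsentType
            ConsentedBy      = $consentedBy
            Scopes           = ($scopes -join " ")
            GrantId          = $g.Id          # needed if the grant is later removed
        }
    }
}

Get-RiskyDelegatedGrants | Format-Table -AutoSize
```

Run this periodically as the "regular review" the recommendations call for; an unexpected app with EWS.AccessAsUser.All and offline_access consented by a single user is exactly the footprint described in the case study.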
Recreating the Scenario
To understand the threat further, ZeroFox downloaded and installed PerfectData Software to see what logs are generated by the application and mailbox synchronization (same Application ID as identified during the incident).
Once installed, we selected Office 365 and entered the email address of a test account.
After entering our test credential, we received an application permission prompt listing the requested permissions.
After clicking accept, we were given the option to export Microsoft 365 content (email, calendar, and contacts), and the mailbox was successfully exported to a PST file.
The test user’s unified audit log was collected for analysis. ZeroFox identified the application consent and the permissions granted, but did not identify evidence of the settings used during mailbox synchronization, or that mailbox synchronization had occurred, in the available data. There is also no direct way within M365 to view detailed activity logs for a specific Azure Enterprise Application.
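The consent event is the one artifact the audit log did yield, so it is worth being able to pull it out reliably. The script below is an added example, not ZeroFox's code: it parses the AzureActiveDirectory consent records returned by Search-UnifiedAuditLog, extracts the app name, the admin-or-user consent flag and the granted scopes, and flags the mailbox-plus-offline_access combination. The JSON layout it parses (Target entries and the ConsentContext/ConsentAction entries in ModifiedProperties) is my assumption about the shape of these records, so the parser uses defensive regexes, and the embedded sample record is constructed with placeholder GUIDs so the parser can be exercised offline. The second function looks for MailItemsAccessed events attributed to the app's client ID; those events exist only where the tenant's auditing license captures them, which is a caveat rather than a guarantee.

```powershell
# Added example (not from the ZeroFox post): extract app-consent events from the
# unified audit log and attribute mailbox reads to an app, where the license records them.
# Requires the ExchangeOnlineManagement module and an audit-log reader role (assumed).

Import-Module ExchangeOnlineManagement

# Operations written to the unified audit log when an app is consented to / registered.
$ConsentOps = @("Consent to application.", "Add service principal.", "Add delegated permission grant.")

function ConvertFrom-ConsentEvent {
    # Takes Search-UnifiedAuditLog result objects (anything with an AuditData JSON string).
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        # Assumed record shape: ModifiedProperties carries "ConsentContext.IsAdminConsent"
        # and "ConsentAction.Permissions" (a string containing "Scope: ..."); Target carries
        # the app display name as a Type 1 entry. Everything is parsed defensively.
        $perm  = ($d.ModifiedProperties | Where-Object { $_.Name -eq 'ConsentAction.Permissions' }).NewValue
        $admin = ($d.ModifiedProperties | Where-Object { $_.Name -eq 'ConsentContext.IsAdminConsent' }).NewValue
        $scope = if ($perm -match 'Scope:\s*([^,\]]+)') { $Matches[1].Trim() } else { $null }
        $app   = ($d.Target | Where-Object { $_.Type -eq 1 } | Select-Object -First 1).ID

        [pscustomobject]@{
            Time         = $d.CreationTime
            Operation    = $d.Operation
            Actor        = $d.UserId
            App          = $app
            AdminConsent = $admin
            Scopes       = $scope
            # Mailbox scope together with a refresh token: the case-study footprint.
            Risky        = ($scope -match 'EWS\.AccessAsUser\.All|Mail\.Read') -and ($scope -match 'offline_access')
        }
    }
}

function Get-ConsentEvents {
    # Live query over the last $Days days; run Connect-ExchangeOnline first.
    param([int]$Days = 90)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -RecordType AzureActiveDirectory -Operations $ConsentOps -ResultSize 5000 |
        ConvertFrom-ConsentEvent
}

function Get-AppMailAccess {
    # MailItemsAccessed events carry the client application ID, which ties mailbox reads
    # to the consented app. Caveat: these events are only logged under Purview Audit
    # (Premium)-class licensing, so an empty result is not proof that nothing was read.
    param([Parameter(Mandatory)][string]$AppId, [int]$Days = 90)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -RecordType ExchangeItemAggregated -Operations "MailItemsAccessed" -ResultSize 5000 |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.AppId -eq $AppId -or $_.ClientAppId -eq $AppId } |
        Select-Object CreationTime, UserId, MailboxOwnerUPN, AppId, ClientInfoString
}

# Constructed sample record (placeholder GUIDs, assumed field layout) so the parser runs offline.
$sample = [pscustomobject]@{ AuditData = @'
{"CreationTime":"2024-05-01T10:15:00","Operation":"Consent to application.","UserId":"alice@example.com",
 "Target":[{"ID":"ServicePrincipal_11111111-1111-1111-1111-111111111111","Type":2},
           {"ID":"PerfectData Software","Type":1}],
 "ModifiedProperties":[
   {"Name":"ConsentContext.IsAdminConsent","NewValue":"False","OldValue":""},
   {"Name":"ConsentAction.Permissions","NewValue":"[] => [[Id: 22222222-2222-2222-2222-222222222222, ConsentType: Principal, Scope: EWS.AccessAsUser.All openid offline_access]]","OldValue":""}]}
'@ }

$sample | ConvertFrom-ConsentEvent | Format-List
# Expected: App = PerfectData Software, AdminConsent = False, Risky = True
```

Interactively, `Get-ConsentEvents | Where-Object Risky` gives the consent timeline and `Get-AppMailAccess -AppId <client id>` the attributable reads; together they answer the "was consent granted, and was the mailbox then read by that app" questions the case study raises.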
Why is this important?
The “offline_access” permission allows threat actors to retain access to the application and the mailbox through the app's refresh token, even if they no longer control the account. During a business email compromise investigation, identifying data exfiltration is crucial to assist legal counsel in advising affected parties. Synchronization events can indicate that the full mailbox may have been exposed, which triggers additional data mining and notification activities to meet data privacy requirements.
ZeroFox Response Recommendations
- Disable Unauthorized Apps: Disable, rather than delete, unauthorized third-party apps identified in your tenant. Deleting the application reduces the amount of information you may be able to identify that will help in an investigation.
- Thorough Investigation: Conduct a thorough investigation into potential email compromises, including whether the mailbox was synchronized or exported by the app.
- Revoke Permissions: Revoke any OAuth tokens or permissions granted to unauthorized apps.
- Block App Reinstallation: Block the app's client ID to prevent its reinstallation.
- Limit User Consent: Configure Microsoft 365 to limit or disable users from being able to install third-party applications.
- Admin Approval for Apps: Require admin approval for any new application installations to ensure proper vetting before granting access.
- Regular Reviews: Regularly review and audit applications and permissions granted within your Microsoft 365 environment.
- User Training: Educate users on the risks associated with granting permissions to third-party applications, allowed applications for the organization, and the importance of following proper approval processes.
- Implement Consent Policies: Implement app consent policies that allow user consent for apps from verified publishers with low-impact permissions.
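The recommendations above are one procedure, so here they are carried out end to end in Microsoft Graph PowerShell. This is an added example, not ZeroFox's code: it disables (without deleting) the offending service principal, which also prevents the app from being re-consented under the same client ID while the object remains; exports and then removes its delegated grants; revokes the compromised users' refresh tokens; restricts user consent to verified publishers with low-impact permissions; and turns on the admin consent workflow. The client ID, user list and reviewer account are placeholders you replace, and the Graph permission scopes listed are my assumption about what the signed-in admin needs.

```powershell
# Added example (not from the ZeroFox post): containment and hardening for a
# consented-app incident, following the response recommendations above.
# Requires the Microsoft.Graph PowerShell SDK and an admin session with the scopes
# requested below (assumed to be sufficient).

Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All",
                        "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest",
                        "User.RevokeSessions.All", "User.Read.All"

$AppId    = "00000000-0000-0000-0000-000000000000"      # placeholder: client ID from the investigation
$Users    = @("alice@example.com", "bob@example.com")    # placeholder: compromised accounts
$Reviewer = "secops-reviewer@example.com"                # placeholder: admin consent reviewer

# 1. Disable, don't delete. The service principal and its grants are evidence; with
#    accountEnabled = false the app can no longer sign in, and while the object exists
#    a user cannot re-consent and recreate it, so the client ID is effectively blocked.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# 2. Preserve, then revoke, the delegated permission grants held by the app.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$grants | Export-Csv -Path "grants-$AppId.csv" -NoTypeInformation
foreach ($g in $grants) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# 3. Invalidate refresh tokens issued to the compromised users, so any token the app
#    still holds stops working. Reset passwords separately as part of account recovery.
foreach ($u in $Users) {
    Revoke-MgUserSignInSession -UserId $u | Out-Null
}

# 4. Tenant-wide consent policy: users may consent only to apps from verified publishers
#    asking for low-impact permissions. An empty array would disable user consent entirely.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 5. Admin consent workflow: requests the policy blocks are routed to a reviewer
#    instead of failing silently, so legitimate apps still get vetted and approved.
$reviewerUser = Get-MgUser -UserId $Reviewer
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/$($reviewerUser.Id)"; QueryType = "MicrosoftGraph" })

# 6. Verify: the app should now be disabled with no remaining grants.
Get-MgServicePrincipal -ServicePrincipalId $sp.Id | Select-Object DisplayName, AppId, AccountEnabled
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | Measure-Object | Select-Object Count
```

Steps 1 and 2 are deliberately ordered so the grant export exists before anything is removed; if your legal or forensic process needs the raw objects, take the export before step 1 as well.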
Need immediate help with a possible incident or breach?
The ZeroFox Incident Response team will help you quickly understand the nature of the attack and work with your team to contain and remediate the incident and return you to normal business operations. Talk to the ZeroFox Response team now.