Query Details

MDO — Illicit OAuth App Consent (Consent Phishing)

MDO AR 05 Illicit O Auth Consent

Query

CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType in ("Consent to application", "Add delegated permission grant")
| extend AppName = tostring(RawEventData.ObjectName)
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName, ActionType, AppName,
          IPAddress, IsAdminOperation, UserAgent

Explanation

This query is designed to detect potential security threats related to OAuth app consent, specifically focusing on consent phishing or illicit-grant attacks. Here's a simplified breakdown:

  1. Purpose: The query identifies when a user grants delegated consent to an OAuth application. This action can be exploited by attackers to gain persistent access to a user's email and files.

  2. Severity: The alert generated by this query is marked as "High" due to the potential security risk.

  3. Data Source: It uses data from Microsoft Threat Protection, specifically looking at "CloudAppEvents".

  4. Frequency: The query runs every hour and checks for events that occurred in the past hour.

  5. Detection Logic:

    • It filters events where the action type is either "Consent to application" or "Add delegated permission grant".
    • It extracts details like the application name, user information, IP address, and whether the action was an admin operation.
  6. Alert Details:

    • If such an event is detected, an alert is generated with details about the user who granted consent, the application involved, and the IP address from which the action was performed.
    • The alert suggests reviewing the app, publisher, and permissions granted, and revoking access if the consent appears to be part of a phishing attack.
  7. Incident Management:

    • The query is configured to create an incident for each alert.
    • Incidents can be grouped by user accounts to manage related alerts together.
  8. MITRE ATT&CK Framework: The query is associated with techniques T1528 (Steal Application Access Token) and T1566 (Phishing), indicating its relevance to credential and initial access tactics.

Overall, this query helps security teams monitor and respond to unauthorized OAuth consent activities, which could indicate a phishing attack aimed at gaining unauthorized access to sensitive information.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

CloudAppEvents

Keywords

CloudAppEventsOAuthApplicationConsentAccountIPAddressAdminOperationUserAgent

Operators

CloudAppEventswhereagoinextendtostringproject

Severity

High

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub