Query Details

OAuth App for BEC Phishing Detection

Query

// The OAuthAppInfo table, now available in Defender XDR advanced hunting, lets SecOps monitor potentially rogue OAuth app activity related to BEC and phishing threats. Running the query below as a custom hourly Defender XDR detection rule gives continuous coverage of newly added apps.

OAuthAppInfo
| where AddedOnTime > ago(1h)             // apps added in the last hour (matches the hourly schedule)
| where AppOrigin == "External"           // registered outside this tenant
| where VerifiedPublisher == "{}"         // empty object: no verified publisher
| where Permissions has "mail.readwrite"  // requests Mail.ReadWrite (has is case-insensitive)

Explanation

This query helps security operations teams monitor potentially malicious OAuth applications that could be used in business email compromise (BEC) and phishing attacks. Here is a breakdown of what each part of the query does:

  1. Data Source: It uses the OAuthAppInfo table in Defender XDR advanced hunting, which lists the OAuth applications registered in or consented to in the tenant.

  2. Time Filter: It looks for OAuth applications that were added in the last hour (AddedOnTime > ago(1h)).

  3. Origin Filter: It focuses on applications that originate from outside the organization (AppOrigin == "External").

  4. Publisher Verification: It keeps only applications whose publisher is not verified (VerifiedPublisher == "{}", i.e. an empty object with no publisher details).

  5. Permissions Check: It keeps only applications that request the "mail.readwrite" permission, which grants the ability to read and modify mailbox content. Because has is case-insensitive, this also matches the permission as it is written in Entra ID ("Mail.ReadWrite").

Overall, the query surfaces recently added, externally registered OAuth applications that have no verified publisher yet request read/write access to mail, the combination most often seen in consent-phishing and BEC tooling.
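To make the four filters above concrete without a Defender XDR tenant, here is an added Python model of the same detection logic run over constructed sample rows. This is example code, not part of the original query page. The row shape is an assumption: it mirrors only the columns the query uses, with Permissions modelled as a list of permission strings (the real column is a dynamic JSON value whose layout the page does not show), and the kql_has helper is an approximation of the KQL has operator (case-insensitive whole-term match).

```python
"""Offline model of the OAuthAppInfo hunting query (added example, not the page's code).

The four `where` clauses are re-implemented over constructed rows so the
logic and its edge cases (old app, internal origin, verified publisher,
weaker mail permission) can be exercised without a tenant.
"""
import re
from datetime import datetime, timedelta, timezone


def kql_has(value: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match of `term` as a whole
    token, not as a fragment of a longer alphanumeric run (assumption)."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value, flags=re.IGNORECASE) is not None


def is_suspect_oauth_app(row: dict, now: datetime,
                         window: timedelta = timedelta(hours=1)) -> bool:
    """Apply the query's four filters to one (constructed) OAuthAppInfo row."""
    # | where AddedOnTime > ago(1h)
    if not row["AddedOnTime"] > now - window:
        return False
    # | where AppOrigin == "External"
    if row["AppOrigin"] != "External":
        return False
    # | where VerifiedPublisher == "{}"  -> empty object means no verified publisher
    if row["VerifiedPublisher"]:
        return False
    # | where Permissions has "mail.readwrite"
    return any(kql_has(p, "mail.readwrite") for p in row["Permissions"])


def run_detection(rows, now):
    """Return the names of rows the rule would alert on."""
    return [r["AppName"] for r in rows if is_suspect_oauth_app(r, now)]


# Fixed "current time" so the example is deterministic.
NOW = datetime(2025, 4, 11, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows, not real tenant data. Only the first one should fire.
SAMPLE_ROWS = [
    {"AppName": "Invoice Sync Helper", "AddedOnTime": NOW - timedelta(minutes=20),
     "AppOrigin": "External", "VerifiedPublisher": {},
     "Permissions": ["User.Read", "Mail.ReadWrite"]},
    {"AppName": "Contoso Mail Assistant", "AddedOnTime": NOW - timedelta(minutes=5),
     "AppOrigin": "External", "VerifiedPublisher": {"displayName": "Contoso Ltd"},
     "Permissions": ["Mail.ReadWrite"]},                      # verified publisher
    {"AppName": "Internal HR Portal", "AddedOnTime": NOW - timedelta(minutes=10),
     "AppOrigin": "Internal", "VerifiedPublisher": {},
     "Permissions": ["Mail.ReadWrite"]},                      # tenant's own app
    {"AppName": "Old Calendar Plugin", "AddedOnTime": NOW - timedelta(hours=3),
     "AppOrigin": "External", "VerifiedPublisher": {},
     "Permissions": ["Mail.ReadWrite"]},                      # outside the 1h window
    {"AppName": "Read-only Newsletter", "AddedOnTime": NOW - timedelta(minutes=1),
     "AppOrigin": "External", "VerifiedPublisher": {},
     "Permissions": ["Mail.Read", "offline_access"]},         # read-only, no write
]

if __name__ == "__main__":
    for name in run_detection(SAMPLE_ROWS, NOW):
        print("ALERT: unverified external app with mail.readwrite added in last hour:", name)
```

Each sample row after the first is a deliberate near miss for one clause, which is a useful way to sanity-check a hunting rule before scheduling it: if the model alerts on more than "Invoice Sync Helper", one of the filters is looser than intended.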

Details


Steven Lim

Released: April 11, 2025

Tables

OAuthAppInfo

Keywords

OAuthAppInfo, DefenderXDR, SecOps, BEC, Phishing, Threats

Operators

ago, >, ==, has
