Query Details
// Suspicious OAuth applications used to retrieve and send emails
// https://security.microsoft.com/threatanalytics3/ba008625-320a-4c71-b996-977049575144/analystreport
// Mail- and file-access scopes an attacker-controlled app typically requests; User.Read is included but is granted to most apps
let MonitoredScope = dynamic(["Files.ReadWrite","IMAP.AccessAsUser.All","Mail.Read","Mail.ReadBasic","Mail.ReadWrite","Mail.Send","POP.AccessAsUser.All","SMTP.Send","User.Read"])
OAuthAppInfo
| where AddedOnTime > ago(1h)                // apps added to the tenant in the last hour; align with the detection's run frequency
| where AppOrigin == "External"              // registered outside this tenant
| where VerifiedPublisher == "{}"            // no verified publisher on record
| where Permissions has_any(MonitoredScope)  // granted at least one of the monitored scopes
This query identifies recently added OAuth applications that could be used to read, send or exfiltrate email. Step by step:
Monitored Permissions: MonitoredScope lists the permission scopes that give an application access to mail and files: reading, writing and sending mail through Graph (Mail.Read, Mail.ReadBasic, Mail.ReadWrite, Mail.Send), mailbox access through legacy protocols (IMAP.AccessAsUser.All, POP.AccessAsUser.All, SMTP.Send), file access (Files.ReadWrite), and basic sign-in (User.Read).
Time Frame: AddedOnTime > ago(1h) keeps only applications added to the tenant within the last hour, which suits a custom detection scheduled to run hourly. Widen the window when hunting ad hoc, otherwise apps added between runs can be missed.
External Applications: AppOrigin == "External" keeps applications registered outside the organization's tenant, that is, apps the organization did not develop and does not manage but which users or admins have consented into it.
Unverified Publishers: VerifiedPublisher == "{}" keeps applications whose verified-publisher field is empty, meaning the publisher has not completed publisher verification. Lack of a verified publisher does not prove malice, but it removes one signal of legitimacy and is common for attacker-registered apps.
Permission Check: Permissions has_any(MonitoredScope) keeps only applications granted at least one monitored scope. Because User.Read is granted to almost every app that signs users in, a hit that matches on User.Read alone is much weaker evidence than one holding Mail.ReadWrite, Mail.Send or the IMAP/POP/SMTP scopes; check which scopes matched when triaging.
Overall, the query surfaces external, unverified applications that were added recently and hold mail- or file-access permissions, a combination that matches how consent-phishing and mailbox-exfiltration tooling is registered and therefore warrants review of who consented and what the app has since accessed.
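To show what the four filters do in practice, here is an added example that is not part of the original page or the author's KQL: a plain-Python re-implementation of the same logic run over constructed OAuthAppInfo-like rows. It assumes Permissions can be modelled as a flat list of scope-name strings (the real column may carry richer objects), that an empty VerifiedPublisher is the literal "{}" as in the query, and pins "now" so the result is deterministic. The triage priority is an added tuning idea, not something the original query computes.

```python
# Added example (not the page's or the author's code): the OAuthAppInfo hunting filter
# re-implemented in Python and run over constructed sample rows.
# Assumptions: Permissions is a flat list of scope names; VerifiedPublisher == "{}" when
# empty; NOW is pinned so the output is reproducible.
from datetime import datetime, timedelta, timezone

MONITORED_SCOPE = {
    "Files.ReadWrite", "IMAP.AccessAsUser.All", "Mail.Read", "Mail.ReadBasic",
    "Mail.ReadWrite", "Mail.Send", "POP.AccessAsUser.All", "SMTP.Send", "User.Read",
}

# Scopes that on their own are weak evidence: nearly every sign-in app holds User.Read.
LOW_SIGNAL_SCOPES = {"User.Read"}

NOW = datetime(2025, 6, 14, 12, 0, tzinfo=timezone.utc)  # pinned "now" (assumption)

# Constructed sample rows (not real telemetry) using only the columns the query touches.
SAMPLE_APPS = [
    {"OAuthAppId": "app-1", "AppName": "Mail Sync Helper", "AppOrigin": "External",
     "VerifiedPublisher": "{}", "AddedOnTime": NOW - timedelta(minutes=20),
     "Permissions": ["Mail.ReadWrite", "Mail.Send", "User.Read"]},
    {"OAuthAppId": "app-2", "AppName": "HR Portal", "AppOrigin": "Internal",
     "VerifiedPublisher": "{}", "AddedOnTime": NOW - timedelta(minutes=10),
     "Permissions": ["Mail.Read"]},
    {"OAuthAppId": "app-3", "AppName": "Known Vendor CRM", "AppOrigin": "External",
     "VerifiedPublisher": '{"displayName":"Example Vendor"}',  # placeholder non-empty value
     "AddedOnTime": NOW - timedelta(minutes=5),
     "Permissions": ["Mail.ReadWrite", "Mail.Send"]},
    {"OAuthAppId": "app-4", "AppName": "Old Sender", "AppOrigin": "External",
     "VerifiedPublisher": "{}", "AddedOnTime": NOW - timedelta(hours=3),
     "Permissions": ["Mail.Send"]},
    {"OAuthAppId": "app-5", "AppName": "Calendar Widget", "AppOrigin": "External",
     "VerifiedPublisher": "{}", "AddedOnTime": NOW - timedelta(minutes=5),
     "Permissions": ["Calendars.Read"]},
    {"OAuthAppId": "app-6", "AppName": "Login Only", "AppOrigin": "External",
     "VerifiedPublisher": "{}", "AddedOnTime": NOW - timedelta(minutes=30),
     "Permissions": ["User.Read"]},
]


def matched_scopes(app):
    """Scopes on the app that appear in MonitoredScope (the has_any test), sorted for stable output."""
    return sorted(set(app["Permissions"]) & MONITORED_SCOPE)


def is_suspicious(app, now=NOW, lookback_hours=1):
    """Mirror the query's four where-clauses; all of them must hold."""
    return (
        app["AddedOnTime"] > now - timedelta(hours=lookback_hours)  # AddedOnTime > ago(1h)
        and app["AppOrigin"] == "External"                          # AppOrigin == "External"
        and app["VerifiedPublisher"] == "{}"                        # VerifiedPublisher == "{}"
        and bool(matched_scopes(app))                               # Permissions has_any(MonitoredScope)
    )


def triage_priority(scopes):
    """Added tuning idea (not in the original query): an app whose only monitored scope is
    User.Read is low priority; anything that reaches mail or files is high."""
    return "low" if set(scopes) <= LOW_SIGNAL_SCOPES else "high"


def hunt(apps, now=NOW, lookback_hours=1):
    """Return the rows the query would emit, each with its matched scopes and a triage priority."""
    hits = []
    for app in apps:
        if is_suspicious(app, now, lookback_hours):
            scopes = matched_scopes(app)
            hits.append({"OAuthAppId": app["OAuthAppId"], "AppName": app["AppName"],
                         "MatchedScopes": scopes, "Priority": triage_priority(scopes)})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_APPS):
        print(f'{hit["OAuthAppId"]:6} {hit["Priority"]:4} {hit["AppName"]}: '
              f'{", ".join(hit["MatchedScopes"])}')
```

Run as-is and the only two rows that survive are app-1 (mail scopes, high priority) and app-6 (User.Read only, low priority); the internal app, the app with a verified publisher, the app added three hours ago and the calendar-only app are all dropped by one filter each. Raising lookback_hours to 4 brings app-4 back, which is the point of matching the window to the detection's run frequency.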

Steven Lim
Released: June 14, 2025