Query Details

Suspicious O Auth Applications Used To Retrieve And Send Emails

Query

// Suspicious OAuth applications used to retrieve and send emails
// https://security.microsoft.com/threatanalytics3/ba008625-320a-4c71-b996-977049575144/analystreport

let MonitoredScope = dynamic(["Files.ReadWrite","IMAP.AccessAsUser.All","Mail.Read","Mail.ReadBasic","Mail.ReadWrite","Mail.Send","POP.AccessAsUser.All","SMTP.Send","User.Read"]);
OAuthAppInfo
| where AddedOnTime > ago(1h)
| where AppOrigin == "External"
| where VerifiedPublisher == "{}"
| where Permissions has_any(MonitoredScope)

Explanation

This query is designed to identify potentially suspicious OAuth applications that have recently been added and might be used to access or manipulate emails. Here's a simple breakdown of what the query does:

  1. Monitored Permissions: It defines a list of specific permissions related to email access and user data that are considered sensitive or potentially risky.

  2. Data Source: It looks at the OAuthAppInfo table, which contains information about OAuth applications.

  3. Time Filter: It filters for applications that were added within the last hour.

  4. Application Origin: It only considers applications that originate externally, meaning they are not from within the organization.

  5. Publisher Verification: It checks for applications that do not have a verified publisher, which could indicate a higher risk.

  6. Permission Check: Finally, it filters for applications that request any of the permissions from the predefined list, as these permissions could be used to read, write, or send emails.

Overall, the query aims to flag new, unverified external applications with certain permissions that could be used for malicious activities involving email access.

Details

Steven Lim profile picture

Steven Lim

Released: July 3, 2025

Tables

OAuthAppInfo

Keywords

OAuthApplicationsEmailsPermissions

Operators

letdynamicwhere>ago==has_any

Actions

GitHub