Over the past year, there has been a significant increase in nation-state attacks leveraging OAuth apps. Automatic disruption in Microsoft Defender XDR leverages AI and machine learning for real-time threat mitigation of suspicious OAuth activities. The speed and accuracy of automatic disruption helps to stop sophisticated attacks that are in progress and limit lateral movement and damage.
In today’s digital landscape, SaaS and OAuth applications have revolutionized the way we work, collaborate, and innovate. However, they also introduce significant risks related to security, privacy and compliance. As the SaaS landscape grows, IT leaders must balance enabling productivity with managing risk. A key to managing risk is automated tools that provide real-time context and remediation capabilities to help Security Operations Center (SOC) teams outpace sophisticated attackers and limit lateral movement and damage.
The Rise of OAuth App Attacks
Over the past two years, there has been a significant increase in OAuth app attacks. Employees often create app-to-app connections without considering security risks. With just one click granting permissions, new apps can read and write emails, set rules, and gain authorization to perform nearly any action. These overprivileged apps are more at risk for compromise, and Microsoft internal research shows that 1 in 3 OAuth apps are overprivileged. 1 A common attack involves using phishing to compromise a user account, then creating a malicious OAuth app with elevated privileges or hijacking an existing OAuth app and manipulating it for malicious use. Once threat actors gain persistence in the environment, they can also deploy virtual machines or run spam campaigns resulting in data breaches, financial and reputational losses.
Automatic Attack Disruption
Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. This built-in, self-defense capability uses the correlated signals in XDR, the latest threat intelligence, and AI and machine learning backed models to accurately predict the attack path used and block an attacker’s next move before it happens with above 99% confidence. This includes response actions such as containing devices, disabling user accounts, or disabling malicious OAuth apps.
The benefits of attack disruption include:
- Speed of response: attack disruption can disrupt attacks like ransomware in an average time of 3 minutes
- Reduced Impact of Attacks: by minimizing the time attackers have to cause damage, attack disruption limits the lateral movement of threat actors within your network, reducing the overall impact of the threat. This means less downtime, fewer compromised systems, and lower recovery costs.
- Enhanced Security Operations: attack disruption allows security operations teams to focus on investigating and remediating other potential threats, improving their efficiency and overall effectiveness.
Real-World Attacks
Microsoft Threat Intelligence has noted a significant increase in OAuth app attacks over the past two years. In most cases a compromised user provides the attacker initial access, while the malicious activities and persistence are carried out using OAuth applications. Here’s a real-world example of an OAuth phishing campaign that we’ve seen across many customers’ environments. Previous methods to resolve this type of attack would have taken hours for SOC teams to manually hunt and resolve.
Initial Access: A user received an email that looks legitimate but contains a phishing link that redirects to an adversary-in-the-middle (AiTM) phishing kit.
Figure 1. An example of an AiTM controlled proxy that impersonates a login page to steal credentials.
Credential Access: When the user clicks on that link, they are redirected to an AiTM controlled proxy that impersonates a login page to steal the user credentials and an access token which grants the attacker the ability to create or modify OAuth apps.
Persistence and Defense Evasion: The attacker created multiple ma malicious OAuth apps across various tenants which grants read and write access to the user’s e-mail, files and other resources. Next the attacker created an inbox forwarding rule to exfiltrate emails. An additional rule was created to empty the sent box, thus deleting any evidence that the user was compromised. Most organizations are completely blind-sighted when this happens.
Automatic Attack Disruption: Defender XDR gains insights from many different sources including endpoints, identities, email, collaboration tools, and SaaS apps and correlates the signals into a single, high-confidence incident. In this attack, XDR identifies assets controlled by the attacker and it automatically takes response actions across relevant Microsoft Defender products disable affected assets and stop the attack in real-time.
SOC Remediation: After the risk is mitigated, Microsoft Defender admins can manually unlock the users that had been automatically locked by the attack disruption response. The ability to manually unlock users is available from the Microsoft Defender action center, and only for users that were locked by attack disruption.
Figure 2. Timeline to disrupt an OAuth attack comparing manual intervention vs. automatic attack disruption.
Enhanced Security with Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps enables the necessary integration and monitoring capabilities required to detect and disrupt malicious OAuth applications. To ensure SOC teams have full control, they can configure automatic attack disruption and easily revert any action from the security portal.
Figure 3. An example of a contained malicious OAuth application, with attack disruption tag
Conclusion
Microsoft Defender XDR's automatic disruption capability leverages AI and machine learning for real-time threat mitigation and enhanced security operations. Want to learn more about how Defender for Cloud Apps can help you manage OAuth attacks and SaaS-based threats? Dive into our resources for a deeper conversation. Get started now.
Get started
- Make sure your organization fulfils the Microsoft Defender pre-requisites (Mandatory).
- Connect “Microsoft 365 connector” in Microsoft Defender for Cloud Apps (Mandatory).
- Check out our documentation to learn more about Microsoft 365 Defender attack disruption prerequisites, available controls, and indications.
- Learn more about other scenarios supported by automatic attack disruption
- Not a customer, yet? Start a free trial today.
1Microsoft Internal Research, May 2024, N=502
Microsoft