Microsoft Defender XDR Blog

Protect SaaS apps from OAuth threats with attack path, advanced hunting and more

Itai_Cohen
Microsoft
Mar 24, 2025

Over the past two years, nation-state attacks using OAuth apps have surged. To combat this threat and to help customers focus on the most important exposure points, Microsoft Defender for Cloud Apps introduces several new capabilities. OAuth applications are now integrated into the attack path experience within Exposure Management, providing an overview of the attack paths that a bad actor might take to access Microsoft 365 SaaS apps like Outlook and Teams. Additionally, a unified application inventory allows customers to manage both user-to-SaaS and OAuth-to-SaaS interactions with an 'action center' so that they can block or disable apps and create policies aligned to exposure points. Lastly, information about OAuth applications is now included in the Attack Surface Map and Advanced Hunting experience for comprehensive threat investigation and more effective threat hunting. 

OAuth Apps Pose Critical Security Threat

The rise in nation-state attacks exploiting OAuth apps poses a significant threat to organizations. Protecting your SaaS apps from malicious OAuth grants is critical, because a single accepted consent gives an attacker durable, token-based access to tenant data without ever needing the user's password or passing MFA. For example, a phishing link that impersonates a legitimate application (consent phishing) can deceive users into granting a malicious app broad permissions on their account. Once the user clicks "Accept", the attacker can call the APIs covered by those permissions and read the organization's email, chats and files, and that access persists until the app is disabled or its grant is revoked.

Figure 1. Phishing link with permission request.

Microsoft's research shows that 1 in 3 OAuth apps are overprivileged [1], which makes them prime targets for threat actors. Attackers commonly phish their way into an account and then either register a malicious OAuth app or hijack an existing, already-consented one, using its permissions for unauthorized access and data theft. It's a frightening scenario, but one that can be prevented with the right tools and strategies. Learn more: investigate and remediate risky OAuth apps.

Visualize Attack Paths

We are excited to announce that Microsoft Defender for Cloud Apps has significantly enhanced the Exposure Management experience by integrating OAuth applications. The new attack path feature enables you to visualize how attackers could use OAuth apps to move laterally within your organization to access critical SaaS applications. By identifying, reducing, and managing the number of attack paths, you can significantly reduce your attack surface and enhance the security of your M365 services. Learn more: Explore with the attack surface map in Microsoft Security Exposure Management - Microsoft Security Exposure Management | Microsoft Learn

 

Figure 2. Attack path shows lateral movement to service principal with sensitive permissions.

Manage your SaaS Ecosystem

The new “Applications” page in the Defender XDR portal offers comprehensive visibility and control over your SaaS and OAuth applications. This page provides a unified view to discover and manage all your SaaS and OAuth applications connected to services like Microsoft 365, Google, and Salesforce. With actionable insights, you can identify and prioritize applications that need your attention.

The new application inventory experience allows you to easily explore metadata and insights for OAuth apps involved in attack paths or review apps as part of your periodic app review process. For example, you can identify applications with unused permissions to access Microsoft 365 by using the pre-defined insight card for “Overprivileged apps,” which automatically applies the relevant filters to display all overprivileged applications within your environment. 

Figure 3. OAuth apps in the Applications page of the Defender XDR portal.

Investigate with Attack Surface Map and Advanced Hunting

The Attack Surface Map lets you visualize how your organization is connected to OAuth applications, including who owns each app and what level of permissions it holds.

 

Figure 4. The user Shkedi is the owner of the MdaXspmSensitive OAuth app.

All the data available in the Attack surface map is also available in advanced hunting under the Exposure Management section. Additionally, you can get detailed metadata and comprehensive insights for all applications in the new OAuthAppInfo table in advanced hunting powered by the app governance capability in Microsoft Defender for Cloud Apps. These are the same apps that are displayed on the OAuth apps tab of the applications page. Currently, the scope of the table is limited to Microsoft Entra registered apps with access to Microsoft 365. With this new table, you can write powerful queries for advanced scenarios or leverage the suggested queries to explore and hunt for privileged apps. Learn more: Investigate OAuth application attack paths in Defender for Cloud Apps - Microsoft Defender for Cloud Apps | Microsoft Learn

Automatic Attack Disruption

Recently we introduced automatic attack disruption for malicious OAuth applications involved in active attacks: when Defender XDR attributes an in-progress attack to an OAuth app, it disables the app and cuts off the access the app provided, without waiting for an analyst. Onboarding Microsoft Defender for Cloud Apps is what makes this response available to your organization.

Act Today!

Protect your organization from OAuth-related attacks with Microsoft Defender for Cloud Apps. Use its powerful capabilities to visualize, investigate, and remediate potential threats to safeguard your Microsoft 365 services and secure your valuable data. Start by filtering all attack paths leading to service principals with sensitive permissions to Microsoft 365 SaaS services and continue with your investigation from there.

 

Figure 5. Attack paths show lateral movement to service principal with sensitive permissions.

Alternatively, if your environment has numerous attack paths, start with the choke points experience, which identifies the assets that many attack paths pass through. Fixing one choke point, typically by applying the principle of least privilege to it, closes every path that runs through it.


Figure 6. OAuth app choke points.

Then you can further explore the interconnections of the attack paths or the choke points in the attack surface map:

 

Figure 7. OAuth node in attack surface map.

Note that everything that is available in the Attack surface map is also available in Advanced Hunting in the ExposureGraphEdges and ExposureGraphNodes tables. You can also use the App inventory to explore specific OAuth applications and get detailed insights into API permissions, privilege level, app origin, publisher, permission type and services being accessed. Access it by selecting "Applications" under the "Assets" tab in the Defender XDR portal:
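The same graph the map draws can be queried directly. The query below is an added example written for this article, not code from the original post or from Microsoft's documentation. It assumes the node labels "user", "device" and "serviceprincipal" and the column names (NodeId, NodeLabel, NodeName, SourceNodeId, TargetNodeId, TargetNodeName, EdgeLabel) as published in the ExposureGraphNodes/ExposureGraphEdges schema. It walks up to three hops from a user or device to a service principal and counts how many of those paths pass through each intermediate node, which is the choke-point view expressed as a query:

```kql
// Added example (not from the original post). Walk the exposure graph from
// user/device nodes to service principals and count how many paths go through
// each intermediate node: the choke-point view in query form.
// Assumed (from the published schema, not this post): node labels "user",
// "device", "serviceprincipal"; columns NodeId, NodeLabel, NodeName,
// SourceNodeId, TargetNodeId, TargetNodeName, EdgeLabel.
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
| graph-match (src)-[hops*1..3]->(sp)
    // src is the foothold an attacker already controls; sp is the target
    where (src.NodeLabel == "user" or src.NodeLabel == "device")
          and sp.NodeLabel == "serviceprincipal"
    project Source = src.NodeName,
            Target = sp.NodeName,
            PathNodes = hops.TargetNodeName,   // one entry per hop, last = Target
            PathEdges = hops.EdgeLabel
| where array_length(PathNodes) >= 2           // single-hop paths have no choke point
| extend Intermediate = array_slice(PathNodes, 0, array_length(PathNodes) - 2)
| mv-expand ChokePoint = Intermediate to typeof(string)
| summarize PathsThrough = count(),
            DistinctSources = dcount(Source),
            DistinctTargets = dcount(Target),
            SampleEdges = take_any(PathEdges)
  by ChokePoint
| order by PathsThrough desc, DistinctTargets desc
```

The portal's "sensitive permissions" filter is a property of the target node; the query does not reproduce it because this post does not name the property, so add a filter on sp.NodeProperties once you have confirmed the property name in your own tenant. Variable-length graph-match is expensive on large graphs: keep the hop bound small and narrow the source set (for example to a specific group of users) before widening it.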

 

Figure 8. App inventory shows in-depth visibility for OAuth app integrations.

Lastly, you can hunt for risky OAuth apps. To get started, use the template below to identify all enabled, highly privileged, externally registered OAuth apps that have no verified publisher:

 

OAuthAppInfo
| where AppStatus == "Enabled"
| where PrivilegeLevel == "High"
| where VerifiedPublisher == "{}" and AppOrigin == "External"

Figure 9. OAuth app threat hunting template.
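The template answers "which apps are risky"; the next thing an analyst wants is "what can each one actually do, and which of those permissions are even in use". The query below is an added example written for this article, not code from the original post or from Microsoft's documentation, and it serves both the "Overprivileged apps" insight described in the Applications page section and the template above. It uses the OAuthAppInfo columns the post names plus PublisherName, IsAdminConsented, ServicePrincipalId and AddedOnTime from the published schema, and it assumes that each element of the dynamic Permissions column is an object with PermissionValue, PermissionType and InUse fields; that inner shape is an assumption to verify against your tenant before relying on it. The list of sensitive Microsoft Graph scopes is a starting point, not a complete list:

```kql
// Added example (not from the original post). Extends the hunting template so
// the result is ranked by what each app can actually do, and flags granted
// permissions the app has never used (the "overprivileged" condition).
// Assumption: each element of the dynamic Permissions column is an object with
// PermissionValue (scope name), PermissionType (Application/Delegated) and
// InUse (bool) fields; check the schema in your tenant before relying on them.
let SensitiveScopeList = dynamic([
    "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Chat.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory"]);
OAuthAppInfo
| where AppStatus == "Enabled"
| where PrivilegeLevel == "High"
| where AppOrigin == "External"               // registered in another tenant
| where VerifiedPublisher == "{}"             // no Microsoft-verified publisher
| mv-expand Permission = Permissions
| extend Scope      = tostring(Permission.PermissionValue),
         ScopeType  = tostring(Permission.PermissionType),
         ScopeInUse = tobool(Permission.InUse)
| summarize
    Scopes            = make_set(Scope),
    SensitiveScopes   = make_set_if(Scope, set_has_element(SensitiveScopeList, Scope)),
    UnusedScopes      = make_set_if(Scope, ScopeInUse == false),
    ApplicationScopes = countif(ScopeType == "Application"),   // app-only, no user needed
    AddedOnTime       = take_any(AddedOnTime)
  by OAuthAppId, AppName, PublisherName, IsAdminConsented, ServicePrincipalId
| extend UnusedSensitiveScopes = set_intersect(SensitiveScopes, UnusedScopes)
| where array_length(SensitiveScopes) > 0
| order by ApplicationScopes desc, array_length(UnusedSensitiveScopes) desc
```

Application (app-only) permissions rank first because they do not depend on any signed-in user: an app holding Mail.ReadWrite as an Application permission can read every mailbox in the tenant. UnusedSensitiveScopes is the safest place to start remediation, since revoking a permission the app has never exercised cannot break a flow it actually uses. Treat the verified-publisher filter as a prioritization signal rather than a trust guarantee; it narrows the list, it does not clear the apps it excludes.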

Prerequisites

To access these new capabilities you need a Microsoft Defender for Cloud Apps license, with the Microsoft 365 app connector activated and app governance enabled.

To access all Exposure Management experiences, we recommend the following roles:

  • Unified RBAC role: “Exposure Management (read)” under “Security posture” category
  • Any of the Entra ID roles: Global admin, Security admin, Security operator, Global reader, Security reader

Conclusion

Integrating OAuth applications into Microsoft Security Exposure Management is crucial for addressing OAuth-based attacks. This integration provides a comprehensive view of potential attack paths and exposure points, enabling security teams to reduce the attack surface and mitigate risks effectively. Microsoft Defender for Cloud Apps helps visualize and prevent exploits targeting critical resources. The unified application inventory streamlines management of OAuth and user-to-SaaS interactions, while Advanced Hunting facilitates investigations. Stay ahead of threats and protect your assets with Microsoft Defender for Cloud Apps.

 

[1] Microsoft sample data, Nov 2024

Updated Apr 08, 2025
Version 6.0