Forum Discussion

Brass Contributor

Jan 08, 2025

User app registration - exploitable for BEC?

Hello. Recently dealt with a case of BEC. I'm not trained in forensics, but doing my best. Appears the hacker used an application called eM Client for their attack, getting access to a user's mailbox...

cloud security

email security

Fraud Protection

identity and access management

Log Analytics

microsoft 365

microsoft 365 defender

Microsoft Secure Score

threat protection

Louis_Mastelinck

Copper Contributor

Jan 10, 2025

Hi underQualifried ,

You've already identified the key elements based on your description. To store your sign-in logs, audit logs, and other data, you'll need to write them to a Log Analytics workspace, which functions similarly to a database. From your error, it seems you don't have an Azure subscription yet. An Azure subscription is required to create and manage Azure resources like virtual machines, Logic Apps, or App Services. These resources need to be associated with a subscription so Microsoft can handle billing.

No worries—setting up a Log Analytics workspace isn't costly, and it's definitely worth it for its robust investigation and monitoring capabilities.

For example, I usually retain the following logs for about six months for thorough analysis and tracking:

SignInLogs
AuditLogs
NonInteractiveUserSignInLogs
ServicePrincipalSignInLogs
ManagedIdentitySignInLogs
EnrichedOffice365AuditLog
MicrosoftGraphActivityLogs

If you want to see more evidence who changes your CA policies based on these log you could try the queries in this repo: https://github.com/LouisMastelinck/Monitor-security-policy-changes-or-admin-activities

An essential part of your forensics process will involve determining what actions this Enterprise Application performed. Depending on your licenses and whether you're tracking Office activity, you can use the following KQL query in Security.microsoft.com > Advanced Hunting:

CloudAppEvents
| where OAuthAppId == "" // Insert the App ID of the EIM client
| where ActionType == "MailItemsAccessed" // Look for the app accessing mail items, this can all other activities
| summarize RequestCount = count() by bin(Timestamp, 1d)
| order by Timestamp
| render timechart

This query will generate a chart showing how many emails the app accessed over time. If the app sent emails, you'll need to change the ActionType.

Another useful query to see which emails were accessed is:

CloudAppEvents
| where OAuthAppId == "this should be the app id of your eM Client"
| where ActionType == "MailItemsAccessed"
| extend AffectedMailbox = tostring(RawEventData.UserId)
| project-reorder AffectedMailbox

Root Cause
The root cause of your Business Email Compromise (BEC) seems to be application consent granted by end users, allowing external applications to access their accounts and data. The two blog posts by Matthew Levy are excellent resources for understanding how to prevent this.

underQualifried

Brass Contributor

Jan 13, 2025

Hi Louis, thanks so much for the detailed write-up! On further investigation and some collaborative forensics, we've built a pretty solid timeline. Will be checking those posts and implementing a policy going forward. Can you elaborate a bit on the Azure subscription though? We have Entra P1 (and now, P2) - and as I understood it, "Entra" was just the new name for Azure, and the Azure subscription is included within? Based on the docs, I'm wondering if the issue is that I'm global admin - and NOT security admin... Have seen other instances where this caused issues, like in Lighthouse. Can you advise - are you using a global admin, or security admin role? Do you have an Entra subscription, and a separate Azure subscription? MS licensing is... tough.

Louis_Mastelinck
Copper Contributor
Jan 20, 2025
Hi Hi underQualifried,
I'm glad you were able to conduct your investigation. Let me help clarify some points to help you better understand the difference between an Azure Subscription and Entra ID.
Entra ID (formerly Azure AD):
Simply put, when you create a cloud tenant with Microsoft, you automatically get an Entra ID instance. Entra ID is where you manage how users and applications authenticate to cloud applications. It handles things like MFA, conditional access, app registrations, user and guest accounts, groups, and more.
Azure Subscription:
Within your tenant you can have an Azure Subscription. This subscription is needed as it used by Microsoft to bill for you Azure resources you place on that subscription.
For example: If you create a virtual machine, this Azure resource will be placed on a Azure Subscription that exists inside of your tenant. Every month Microsoft will look how much resources you have, if you had them powered on or not, how much data you used,...
You might have an Azure subscription within your tenant, but it's possible that you don't have any privileges or access to it.

Permisisons wise: Entra ID & Azure subscription have each different permissions set. Meaning a security admin in Entra ID has no permissions on a Azure subscription or resource.

Maybe this page helps you more than my own 'simple' explanation: https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide

Why did I mention both Entra ID and Azure Subscription together?
The sign-in logs, audit logs, and other logs from Entra ID are only retained for 30 days in Entra ID. While it's possible to perform investigations through the portal, I recommend ingesting these logs into a Log Analytics workspace, which is a resource created within your Azure subscription. This approach allows you to decide how long to keep your logs and enables you to use KQL for analysis. This is beneficial not only for incident response and forensics but also for rolling out Conditional Access policies, creating workbooks, or meeting compliance requirements, especially when you need access to logs older than one month.