Forum Discussion
User app registration - exploitable for BEC?
Hi underQualifried
Firstly, well done on what you have done so far in your investigations. It's not easy, and as an admin you have to embark on a massive learning journey to understand what is possible in Entra ID before you can understand the risks and how to mitigate them.
With that said, you do most definitely want to restrict what standard users can do with regard to application registrations and consenting to permissions for enterprise apps that request access. Some admins go so far as to block user consent altogether, as well as blocking app registration.
Because this is a common concern for Microsoft 365 tenant admins at the moment due to recent attacks like Midnight Blizzard, I wrote a two-part blog to help admins that are not app developers understand the risks and I made some recommendations. Check it out:
Part 1: Entra ID Application consent - what identity admins need to know
Part 2: Entra ID Application consent - recommendations
Hope this helps
Matt
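The two settings discussed in the reply above (user app registration and user consent) live in the tenant's single authorization policy, and both can be audited and changed from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original thread or from Matt's blog posts. It assumes the Microsoft.Graph module is installed, that the caller holds a role able to write authorization policy (Global Administrator or the `Policy.ReadWrite.Authorization` permission), and that the optional admin consent workflow reviewer is supplied by the caller as `-ReviewerObjectId`; the exact cmdlet names for the consent request policy are as documented for SDK 2.x and are noted as an assumption in the comments. Run it without `-Apply` to report only.

```powershell
# Added example: audit and harden Entra ID user app registration and user consent.
# Not from the original post. Assumes Microsoft.Graph SDK 2.x is installed and the
# caller can write authorization policy. Without -Apply nothing is changed.
param(
    [switch]$Apply,
    # Object id of the admin who should review consent requests once user consent is
    # blocked. Left as a caller-supplied value so nothing is hard-coded here.
    [string]$ReviewerObjectId
)

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization", "Directory.Read.All"

# 1. Read the tenant-wide authorization policy (a singleton, so no id is needed).
$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

"Users can register applications : $($perms.AllowedToCreateApps)"
"User consent policies assigned  : $($perms.PermissionGrantPoliciesAssigned -join ', ')"
# Interpretation:
#   empty list                                                  -> user consent is disabled
#   ManagePermissionGrantsForSelf.microsoft-user-default-low    -> users may consent to low-risk
#                                                                   permissions from verified publishers
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users may consent to any app for
#                                                                   any permission (the setting consent
#                                                                   phishing relies on)

# 2. Grants that individual users have already consented to (ConsentType 'Principal').
#    Changing the policy does not revoke these, so they need a separate review.
$userGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'Principal' }
"User-consented grants           : $($userGrants.Count)"
$userGrants | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -Property DisplayName, AppId
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        PrincipalId = $_.PrincipalId   # the user who consented
        Scope       = $_.Scope         # delegated permissions granted, space-separated
    }
} | Format-Table -AutoSize

# 3. Harden: non-admins can no longer register apps, and user consent is removed entirely.
if ($Apply) {
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateApps             = $false
        PermissionGrantPoliciesAssigned = @()
    }

    # With user consent blocked, users still need a way to ask for an app, so enable the
    # admin consent request workflow. Assumption: Update-MgPolicyAdminConsentRequestPolicy
    # with these parameters, as in the Microsoft.Graph SDK 2.x reference.
    if ($ReviewerObjectId) {
        Update-MgPolicyAdminConsentRequestPolicy `
            -IsEnabled $true `
            -NotifyReviewers $true `
            -RemindersEnabled $true `
            -RequestDurationInDays 30 `
            -Reviewers @(@{ Query = "/users/$ReviewerObjectId"; QueryType = "MicrosoftGraph" })
    }

    # Re-read to confirm the write took effect.
    (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions |
        Select-Object AllowedToCreateApps, PermissionGrantPoliciesAssigned
}
```

If blocking consent outright is too disruptive, the middle ground is to set `PermissionGrantPoliciesAssigned` to `@("ManagePermissionGrantsForSelf.microsoft-user-default-low")`, which limits users to low-risk permissions from verified publishers while still sending everything else through the admin consent workflow. Either way, step 2 matters as much as step 3: a grant a user consented to before the change remains valid until it is removed with `Remove-MgOauth2PermissionGrant`.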
Thanks so much Matt, very helpful. When things calm down a bit, I will be sure to read them (especially as the user above recommended your posts!)