Forum Discussion
User app registration - exploitable for BEC?
Hi Louis, thanks so much for the detailed write-up! On further investigation and some collaborative forensics, we've built a pretty solid timeline. Will be checking those posts and implementing a policy going forward. Can you elaborate a bit on the Azure subscription though? We have Entra P1 (and now, P2) - and as I understood it, "Entra" was just the new name for Azure, and the Azure subscription is included within? Based on the docs, I'm wondering if the issue is that I'm global admin - and NOT security admin... Have seen other instances where this caused issues, like in Lighthouse. Can you advise - are you using a global admin, or security admin role? Do you have an Entra subscription, and a separate Azure subscription? MS licensing is... tough.
Hi Hi underQualifried,
I'm glad you were able to conduct your investigation. Let me help clarify some points to help you better understand the difference between an Azure Subscription and Entra ID.
Entra ID (formerly Azure AD):
Simply put, when you create a cloud tenant with Microsoft, you automatically get an Entra ID instance. Entra ID is where you manage how users and applications authenticate to cloud applications. It handles things like MFA, conditional access, app registrations, user and guest accounts, groups, and more.
Azure Subscription:
Within your tenant you can have an Azure Subscription. This subscription is needed as it is used by Microsoft to bill you for the Azure resources you place on that subscription.
For example: If you create a virtual machine, this Azure resource will be placed on an Azure Subscription that exists inside of your tenant. Every month Microsoft will look at how many resources you have, whether you had them powered on or not, how much data you used, ...
You might have an Azure subscription within your tenant, but it's possible that you don't have any privileges or access to it.
Permissions wise: Entra ID & Azure subscription each have a different permission set. Meaning a security admin in Entra ID has no permissions on an Azure subscription or resource.
Maybe this page helps you more than my own 'simple' explanation: https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide
Why did I mention both Entra ID and Azure Subscription together?
The sign-in logs, audit logs, and other logs from Entra ID are only retained for 30 days in Entra ID. While it's possible to perform investigations through the portal, I recommend ingesting these logs into a Log Analytics workspace, which is a resource created within your Azure subscription. This approach allows you to decide how long to keep your logs and enables you to use KQL for analysis. This is beneficial not only for incident response and forensics but also for rolling out Conditional Access policies, creating workbooks, or meeting compliance requirements, especially when you need access to logs older than one month.
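As an added illustration of the KQL-based investigation described in the reply above (this is not Louis's query or anything from the thread), the query below runs in a Log Analytics workspace that receives the Entra ID AuditLogs and SigninLogs tables via diagnostic settings. It lists application-management events of the kind relevant to the thread's app-registration question and pairs each one with the actor's sign-ins in the preceding hour, so an analyst can see from which IP and location an app was registered or consented to. Table and column names are the ones Microsoft documents for these two tables; the 90-day lookback, the one-hour pairing window and the list of operation names are assumptions chosen for this example and should be adjusted to your tenant.

```kql
// Assumed: Entra ID diagnostic settings stream AuditLogs and SigninLogs into this workspace.
// Lookback, window and operation list are example values, not fixed by the thread.
let lookback = 90d;
let pairingWindow = 1h;
// Audit operations that create or grant access to an application (assumed list).
let appEvents = dynamic([
    "Add application",
    "Add service principal",
    "Consent to application",
    "Add app role assignment to service principal",
    "Add delegated permission grant"
]);
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in (appEvents)
| extend Actor   = tolower(tostring(InitiatedBy.user.userPrincipalName)),
         ActorIp = tostring(InitiatedBy.user.ipAddress),
         Target  = tostring(TargetResources[0].displayName)
| project EventTime = TimeGenerated, OperationName, Result, Actor, ActorIp, Target, CorrelationId
// Pair each event with sign-ins by the same account shortly before it.
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | project Actor = tolower(UserPrincipalName),
              SignInTime = TimeGenerated,
              SignInIp = IPAddress,
              Location,
              AppDisplayName,
              RiskLevelDuringSignIn
) on Actor
| where SignInTime between ((EventTime - pairingWindow) .. EventTime)
| project EventTime, OperationName, Result, Actor, Target, ActorIp,
          SignInTime, SignInIp, Location, AppDisplayName, RiskLevelDuringSignIn
| order by EventTime desc
```

Because the join is an inner join, events whose actor has no sign-in inside the pairing window are not shown; widen the window or switch to a leftouter join if you want those rows too. Running this only becomes possible once the logs leave Entra ID's 30-day retention and land in the workspace, which is the point the reply makes about ingesting them.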