[{"data":1,"prerenderedAt":2386},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/how-attackers-compromise-azure-organizations-through-saas-apps":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1665,"faqItemsCollection":1666,"faqTitle":62,"featured":6,"hashTags":62,"meta":1668,"metaTitle":1669,"ogImage":62,"publishedDate":1670,"relatedBlogPostsCollection":1671,"slug":2363,"stem":2364,"subtitle":62,"summary":2365,"synopsis":255,"sys":2376,"tagsCollection":2379,"__hash__":2385},"blog/blog/how-attackers-compromise-azure-organizations-through-saas-apps.json","How attackers compromise Azure organizations through SaaS apps ",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Johann Scheepers","Johann","Senior Security Engineer",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/75IEOH93vR0hbvxuqTu1m3/f6222745ee6892ea07bc18727a5a5ae7/T016S22KZ96-U02LU3SKC2D-e1e755770536-512.png",{"json":238,"links":1564},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,258,266,274,300,307,314,321,328,335,371,377,384,505,512,519,775,782,789,795,828,835,842,848,855,861,868,875,881,888,895,901,908,915,921,928,945,951,958,991,998,1018,1025,1032,1039,1045,1083,1103,1158,1165,1172,1192,1211,1218,1251,1257,1264,1271,1278,1285,1292,1299,1319,1325,1332,1351,1358,1365,1371,1378,1385,1391,1398,1444,1451,1457,1464,1470,1477,1484,1517,1524,1531,1538,1545,1552,1558],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","With the proliferation of SaaS apps and integrations comes an equal helping of uncertainty surrounding the associated security risks. If you’ve ever found yourself in a position where you’ve had to review a SaaS app integration, whether it’s during the remediation stage of an incident or simply during the process of tending to a user request, then keep on reading. ",[],{},{"nodeType":243,"data":252,"content":253},{},[254],{"nodeType":247,"value":255,"marks":256,"data":257},"This article covers common ways an app could lead to compromise in Microsoft Azure, and what to look out for when determining risk to your organization.",[],{},{"nodeType":259,"data":260,"content":261},"heading-1",{},[262],{"nodeType":247,"value":263,"marks":264,"data":265},"Consent phishing",[],{},{"nodeType":267,"data":268,"content":269},"heading-2",{},[270],{"nodeType":247,"value":271,"marks":272,"data":273},"The issue:",[],{},{"nodeType":243,"data":275,"content":276},{},[277,281,296],{"nodeType":247,"value":278,"marks":279,"data":280},"This method of compromising user accounts has been covered a ",[],{},{"nodeType":282,"data":283,"content":289},"entry-hyperlink",{"target":284},{"sys":285},{"id":286,"type":287,"linkType":288},"1bV8YTSQHvveCTnRc4H8su","Link","Entry",[290],{"nodeType":247,"value":291,"marks":292,"data":295},"few times",[293],{"type":294},"underline",{},{"nodeType":247,"value":297,"marks":298,"data":299}," by Push. Without rehashing too much of the content, the main idea behind consent phishing is to get a user to perform an integration while the app masquerades as something official. ",[],{},{"nodeType":243,"data":301,"content":302},{},[303],{"nodeType":247,"value":304,"marks":305,"data":306},"As an example, a user is sent an email where the content is either surprisingly legitimate, or sparks sufficient curiosity to make them want to access the data behind the link. They are directed to a Microsoft or Google login page, where the app asks for certain permissions, such as mailbox access. The user, having performed these actions before, thinks nothing of it and clicks ‘allow’. The attacker successfully tricked the user to give them access to their mailbox (or whichever privileges the app was requesting).",[],{},{"nodeType":308,"data":309,"content":313},"embedded-entry-block",{"target":310},{"sys":311},{"id":312,"type":287,"linkType":288},"2zeeE8NrgX4MnpHdIjszot",[],{"nodeType":267,"data":315,"content":316},{},[317],{"nodeType":247,"value":318,"marks":319,"data":320},"The solution:",[],{},{"nodeType":243,"data":322,"content":323},{},[324],{"nodeType":247,"value":325,"marks":326,"data":327},"There are two ways to help prevent this type of compromise:",[],{},{"nodeType":243,"data":329,"content":330},{},[331],{"nodeType":247,"value":332,"marks":333,"data":334},"The first is to go the “block everything” route by preventing any integrations from being added to your tenants at all. This is quite heavy-handed and a bit like throwing the baby out with the bathwater, as this approach leads to IT/security departments becoming known as the departments of ‘NO’, potentially resulting in users circumventing controls, and the emergence of shadow IT.",[],{},{"nodeType":243,"data":336,"content":337},{},[338,342,352,356,367],{"nodeType":247,"value":339,"marks":340,"data":341},"The second is to be sensible about what to allow and what to prevent during SaaS integrations. For instance, in Microsoft 365 administrators are able to ",[],{},{"nodeType":343,"data":344,"content":346},"hyperlink",{"uri":345},"https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications",[347],{"nodeType":247,"value":348,"marks":349,"data":351},"specify low-risk scopes",[350],{"type":294},{},{"nodeType":247,"value":353,"marks":354,"data":355},", such as ones specifically used for performing social logins (which are okay to do ",[],{},{"nodeType":282,"data":357,"content":361},{"target":358},{"sys":359},{"id":360,"type":287,"linkType":288},"68syxk4cmD6QOdVRcDqgEZ",[362],{"nodeType":247,"value":363,"marks":364,"data":366},"by the way",[365],{"type":294},{},{"nodeType":247,"value":368,"marks":369,"data":370},"). Admins can then allow employees to perform social logins, and integrate apps making use of other low-risk scopes from  verified apps only. Employees can also request access to anything requiring other scopes. This is a great way to enable users to perform their jobs, while preventing them from accidentally exposing themselves or the wider organization to unnecessary risk.",[],{},{"nodeType":308,"data":372,"content":376},{"target":373},{"sys":374},{"id":375,"type":287,"linkType":288},"44NsMwlLpX4qnZP94GyTSO",[],{"nodeType":243,"data":378,"content":379},{},[380],{"nodeType":247,"value":381,"marks":382,"data":383},"When configuring the above for the first time, Microsoft provides a list of 5 scopes:",[],{},{"nodeType":385,"data":386,"content":387},"table",{},[388,413,436,459,482],{"nodeType":389,"data":390,"content":391},"table-row",{},[392,403],{"nodeType":393,"data":394,"content":395},"table-cell",{},[396],{"nodeType":243,"data":397,"content":398},{},[399],{"nodeType":247,"value":400,"marks":401,"data":402},"profile",[],{},{"nodeType":393,"data":404,"content":405},{},[406],{"nodeType":243,"data":407,"content":408},{},[409],{"nodeType":247,"value":410,"marks":411,"data":412},"View user's basic profile",[],{},{"nodeType":389,"data":414,"content":415},{},[416,426],{"nodeType":393,"data":417,"content":418},{},[419],{"nodeType":243,"data":420,"content":421},{},[422],{"nodeType":247,"value":423,"marks":424,"data":425},"openid",[],{},{"nodeType":393,"data":427,"content":428},{},[429],{"nodeType":243,"data":430,"content":431},{},[432],{"nodeType":247,"value":433,"marks":434,"data":435},"Sign users in",[],{},{"nodeType":389,"data":437,"content":438},{},[439,449],{"nodeType":393,"data":440,"content":441},{},[442],{"nodeType":243,"data":443,"content":444},{},[445],{"nodeType":247,"value":446,"marks":447,"data":448},"email",[],{},{"nodeType":393,"data":450,"content":451},{},[452],{"nodeType":243,"data":453,"content":454},{},[455],{"nodeType":247,"value":456,"marks":457,"data":458},"View user's email address",[],{},{"nodeType":389,"data":460,"content":461},{},[462,472],{"nodeType":393,"data":463,"content":464},{},[465],{"nodeType":243,"data":466,"content":467},{},[468],{"nodeType":247,"value":469,"marks":470,"data":471},"User.Read",[],{},{"nodeType":393,"data":473,"content":474},{},[475],{"nodeType":243,"data":476,"content":477},{},[478],{"nodeType":247,"value":479,"marks":480,"data":481},"Sign in and read user profile",[],{},{"nodeType":389,"data":483,"content":484},{},[485,495],{"nodeType":393,"data":486,"content":487},{},[488],{"nodeType":243,"data":489,"content":490},{},[491],{"nodeType":247,"value":492,"marks":493,"data":494},"Offline_access",[],{},{"nodeType":393,"data":496,"content":497},{},[498],{"nodeType":243,"data":499,"content":500},{},[501],{"nodeType":247,"value":502,"marks":503,"data":504},"Maintain access to data you. have given it access to (refresh tokens)",[],{},{"nodeType":243,"data":506,"content":507},{},[508],{"nodeType":247,"value":509,"marks":510,"data":511},"The above scopes are the minimum required to enable social logins to take place, and would cover a good amount of apps that only require basic information for account creation purposes. ",[],{},{"nodeType":243,"data":513,"content":514},{},[515],{"nodeType":247,"value":516,"marks":517,"data":518},"If you’d like to go a step further, you should also consider approving the following to allow users to integrate these relatively common scopes from verified apps:",[],{},{"nodeType":385,"data":520,"content":521},{},[522,545,568,591,614,637,660,683,706,729,752],{"nodeType":389,"data":523,"content":524},{},[525,535],{"nodeType":393,"data":526,"content":527},{},[528],{"nodeType":243,"data":529,"content":530},{},[531],{"nodeType":247,"value":532,"marks":533,"data":534},"Calendars.Read",[],{},{"nodeType":393,"data":536,"content":537},{},[538],{"nodeType":243,"data":539,"content":540},{},[541],{"nodeType":247,"value":542,"marks":543,"data":544},"Read user calendars",[],{},{"nodeType":389,"data":546,"content":547},{},[548,558],{"nodeType":393,"data":549,"content":550},{},[551],{"nodeType":243,"data":552,"content":553},{},[554],{"nodeType":247,"value":555,"marks":556,"data":557},"Calendars.ReadWrite",[],{},{"nodeType":393,"data":559,"content":560},{},[561],{"nodeType":243,"data":562,"content":563},{},[564],{"nodeType":247,"value":565,"marks":566,"data":567},"Have full access to user calendars",[],{},{"nodeType":389,"data":569,"content":570},{},[571,581],{"nodeType":393,"data":572,"content":573},{},[574],{"nodeType":243,"data":575,"content":576},{},[577],{"nodeType":247,"value":578,"marks":579,"data":580},"Calendars.ReadWrite.Shared",[],{},{"nodeType":393,"data":582,"content":583},{},[584],{"nodeType":243,"data":585,"content":586},{},[587],{"nodeType":247,"value":588,"marks":589,"data":590},"Read and write user and shared calendars",[],{},{"nodeType":389,"data":592,"content":593},{},[594,604],{"nodeType":393,"data":595,"content":596},{},[597],{"nodeType":243,"data":598,"content":599},{},[600],{"nodeType":247,"value":601,"marks":602,"data":603},"Contacts.Read",[],{},{"nodeType":393,"data":605,"content":606},{},[607],{"nodeType":243,"data":608,"content":609},{},[610],{"nodeType":247,"value":611,"marks":612,"data":613},"Read user contacts",[],{},{"nodeType":389,"data":615,"content":616},{},[617,627],{"nodeType":393,"data":618,"content":619},{},[620],{"nodeType":243,"data":621,"content":622},{},[623],{"nodeType":247,"value":624,"marks":625,"data":626},"Contacts.Read.Shared",[],{},{"nodeType":393,"data":628,"content":629},{},[630],{"nodeType":243,"data":631,"content":632},{},[633],{"nodeType":247,"value":634,"marks":635,"data":636},"Read user and shared contacts",[],{},{"nodeType":389,"data":638,"content":639},{},[640,650],{"nodeType":393,"data":641,"content":642},{},[643],{"nodeType":243,"data":644,"content":645},{},[646],{"nodeType":247,"value":647,"marks":648,"data":649},"Contacts.ReadWrite",[],{},{"nodeType":393,"data":651,"content":652},{},[653],{"nodeType":243,"data":654,"content":655},{},[656],{"nodeType":247,"value":657,"marks":658,"data":659},"Have full access to user contacts",[],{},{"nodeType":389,"data":661,"content":662},{},[663,673],{"nodeType":393,"data":664,"content":665},{},[666],{"nodeType":243,"data":667,"content":668},{},[669],{"nodeType":247,"value":670,"marks":671,"data":672},"Contacts.ReadWrite.Shared",[],{},{"nodeType":393,"data":674,"content":675},{},[676],{"nodeType":243,"data":677,"content":678},{},[679],{"nodeType":247,"value":680,"marks":681,"data":682},"Read and write user and shared contacts",[],{},{"nodeType":389,"data":684,"content":685},{},[686,696],{"nodeType":393,"data":687,"content":688},{},[689],{"nodeType":243,"data":690,"content":691},{},[692],{"nodeType":247,"value":693,"marks":694,"data":695},"People.Read",[],{},{"nodeType":393,"data":697,"content":698},{},[699],{"nodeType":243,"data":700,"content":701},{},[702],{"nodeType":247,"value":703,"marks":704,"data":705},"Read users' relevant people lists",[],{},{"nodeType":389,"data":707,"content":708},{},[709,719],{"nodeType":393,"data":710,"content":711},{},[712],{"nodeType":243,"data":713,"content":714},{},[715],{"nodeType":247,"value":716,"marks":717,"data":718},"Files.Read.Selected",[],{},{"nodeType":393,"data":720,"content":721},{},[722],{"nodeType":243,"data":723,"content":724},{},[725],{"nodeType":247,"value":726,"marks":727,"data":728},"Read files that the user selects",[],{},{"nodeType":389,"data":730,"content":731},{},[732,742],{"nodeType":393,"data":733,"content":734},{},[735],{"nodeType":243,"data":736,"content":737},{},[738],{"nodeType":247,"value":739,"marks":740,"data":741},"Files.ReadWrite.Selected",[],{},{"nodeType":393,"data":743,"content":744},{},[745],{"nodeType":243,"data":746,"content":747},{},[748],{"nodeType":247,"value":749,"marks":750,"data":751},"Read and write files that the user selects",[],{},{"nodeType":389,"data":753,"content":754},{},[755,765],{"nodeType":393,"data":756,"content":757},{},[758],{"nodeType":243,"data":759,"content":760},{},[761],{"nodeType":247,"value":762,"marks":763,"data":764},"User.ReadWrite",[],{},{"nodeType":393,"data":766,"content":767},{},[768],{"nodeType":243,"data":769,"content":770},{},[771],{"nodeType":247,"value":772,"marks":773,"data":774},"Read and write access to user profile",[],{},{"nodeType":243,"data":776,"content":777},{},[778],{"nodeType":247,"value":779,"marks":780,"data":781},"We’ve determined these scopes to be relatively low-risk, but this would depend on the risk appetite of your organization. Pre-approving the scopes will go a long way towards enabling your users to make use of SaaS apps without raising unnecessary approval requests from your IT or security team.",[],{},{"nodeType":259,"data":783,"content":784},{},[785],{"nodeType":247,"value":786,"marks":787,"data":788},"Unverified apps",[],{},{"nodeType":267,"data":790,"content":791},{},[792],{"nodeType":247,"value":271,"marks":793,"data":794},[],{},{"nodeType":243,"data":796,"content":797},{},[798,802,811,815,824],{"nodeType":247,"value":799,"marks":800,"data":801},"First, let’s define what causes an app to be classified as unverified. When you see an app in your tenant that’s marked as unverified, it means that the tenant that publishes the app has not gone through the ",[],{},{"nodeType":343,"data":803,"content":805},{"uri":804},"https://learn.microsoft.com/en-gb/azure/active-directory/develop/publisher-verification-overview",[806],{"nodeType":247,"value":807,"marks":808,"data":810},"Publisher Verification",[809],{"type":294},{},{"nodeType":247,"value":812,"marks":813,"data":814}," process. Going through the verification process requires the publisher to have a Microsoft Partner Network (MPN) account, which typically involves ",[],{},{"nodeType":343,"data":816,"content":818},{"uri":817},"https://learn.microsoft.com/en-us/partner-center/verification-responses",[819],{"nodeType":247,"value":820,"marks":821,"data":823},"verifying",[822],{"type":294},{},{"nodeType":247,"value":825,"marks":826,"data":827}," their business address, email address, and a few additional due diligence tasks. ",[],{},{"nodeType":243,"data":829,"content":830},{},[831],{"nodeType":247,"value":832,"marks":833,"data":834},"While I’m sure this is not a 100% infallible process, at the very least it provides you with the confidence that someone at Microsoft had reached out to the company and spoken to someone who claims they are who they say they are. This is opposed to a random person creating a Microsoft Azure tenant and marking their app as being published by Adobe, as an example.",[],{},{"nodeType":243,"data":836,"content":837},{},[838],{"nodeType":247,"value":839,"marks":840,"data":841},"At Push, we’ve noticed plenty of unverified apps published by legitimate vendors. This could be related to vendors having multiple tenants, and not having completed the verification process across all yet. As an example, we have a few of Adobe’s apps for Microsoft 365:",[],{},{"nodeType":308,"data":843,"content":847},{"target":844},{"sys":845},{"id":846,"type":287,"linkType":288},"4eDWZKrMau1AfU4pXgOW42",[],{"nodeType":243,"data":849,"content":850},{},[851],{"nodeType":247,"value":852,"marks":853,"data":854},"In the above image, we have a verified app from Adobe, Inc. We know this due to the ‘Verified Publisher’ attribute that is included when parsing the information provided by Microsoft. We can also see that the only reply url is one associated directly with Adobe – adobe.com. Next, we have an unverified app:",[],{},{"nodeType":308,"data":856,"content":860},{"target":857},{"sys":858},{"id":859,"type":287,"linkType":288},"5e5RhdYiMh0Q3CZzmNoRDI",[],{"nodeType":243,"data":862,"content":863},{},[864],{"nodeType":247,"value":865,"marks":866,"data":867},"This app does not include the ‘verified publisher’ attribute when reading the information provided by Microsoft. However, the app only has one reply url, and this is again a subdomain of adobe.com.",[],{},{"nodeType":243,"data":869,"content":870},{},[871],{"nodeType":247,"value":872,"marks":873,"data":874},"The takeaway here is that not all unverified apps are malicious. More often than not it’s related to the vendor not having gone through the verification process, but this means it unfortunately becomes the security team’s burden to figure out.",[],{},{"nodeType":267,"data":876,"content":877},{},[878],{"nodeType":247,"value":318,"marks":879,"data":880},[],{},{"nodeType":243,"data":882,"content":883},{},[884],{"nodeType":247,"value":885,"marks":886,"data":887},"At Push, we attempt to review every application we come across to determine if it's legit and whether it belongs to the vendor it claims to originate from. There are multiple ways to do this, but as a general rule of thumb if all the app’s reply urls are associated with the vendor, you are good. You can perform an integration from the app’s website to verify that the particular app ID (seen in the metadata tag above) is the one you are looking at in your environment.",[],{},{"nodeType":259,"data":889,"content":890},{},[891],{"nodeType":247,"value":892,"marks":893,"data":894},"Apps with excessive privileges",[],{},{"nodeType":267,"data":896,"content":897},{},[898],{"nodeType":247,"value":271,"marks":899,"data":900},[],{},{"nodeType":243,"data":902,"content":903},{},[904],{"nodeType":247,"value":905,"marks":906,"data":907},"When you first start doing deep dives on permissions associated with apps in your environment, you find yourself looking at some apps and wonder out loud “we’re granting this vendor access to what?!",[],{},{"nodeType":243,"data":909,"content":910},{},[911],{"nodeType":247,"value":912,"marks":913,"data":914},"It’s a totally normal response, but don't worry, we’re here to help. Let’s take diagrams.net as an example:",[],{},{"nodeType":308,"data":916,"content":920},{"target":917},{"sys":918},{"id":919,"type":287,"linkType":288},"7DcPUSZ0nDYKmIy4E9xEHs",[],{"nodeType":243,"data":922,"content":923},{},[924],{"nodeType":247,"value":925,"marks":926,"data":927},"At first glance this doesn’t seem too bad. For the purposes of this example, let’s say the app was approved by 49 users. That means if diagrams.net got compromised, an attacker would potentially have access to 49 of your user’s OneDrive files. “That’s OK!” you say. “This will only affect a handful of files they’ve been working on locally. Our policy specifies that any company data, specifically data containing PII, be stored in SharePoint.”",[],{},{"nodeType":243,"data":929,"content":930},{},[931,935,941],{"nodeType":247,"value":932,"marks":933,"data":934},"And then comes the part where you notice the following permission: ",[],{},{"nodeType":247,"value":936,"marks":937,"data":940},"Sites.Read.All",[938],{"type":939},"italic",{},{"nodeType":247,"value":942,"marks":943,"data":944},". This permission gives the application the ability to read every file across all SharePoint sites in your organization (that the users have permission to access.) Suddenly the scope of data access is much larger than you hoped.",[],{},{"nodeType":267,"data":946,"content":947},{},[948],{"nodeType":247,"value":318,"marks":949,"data":950},[],{},{"nodeType":243,"data":952,"content":953},{},[954],{"nodeType":247,"value":955,"marks":956,"data":957},"When faced with the dilemma of granting apps access to resources within your organization, the best course of action is to do a risk assessment.",[],{},{"nodeType":243,"data":959,"content":960},{},[961,965,974,978,987],{"nodeType":247,"value":962,"marks":963,"data":964},"This requires some good ol’ googling and reviewing the security policies of the app’s creator. You ideally also want to know who they use to process your data. Through this process, I found a ",[],{},{"nodeType":343,"data":966,"content":968},{"uri":967},"https://www.diagrams.net/blog/data-protection",[969],{"nodeType":247,"value":970,"marks":971,"data":973},"blog post",[972],{"type":294},{},{"nodeType":247,"value":975,"marks":976,"data":977}," on diagrams.net detailing their approach to security and user privacy. They do make note that they don’t ",[],{},{"nodeType":343,"data":979,"content":981},{"uri":980},"https://www.diagrams.net/blog/data-protection#:~:text=Because%20your%20sensitive%20diagram%20data%20doesn%E2%80%99t%20leave%20your%20infrastructure%20and%20is%20never%20stored%20on%20the%20diagrams.net%20servers%2C%20diagrams.net%20is%20a%20tool%20which%20lets%20you%20comply%20with%20data%20protection%20certifications%20(ISO%2027000%2C%2027001%20and%2027002)%20and%20the%20GDPR.",[982],{"nodeType":247,"value":983,"marks":984,"data":986},"store any sensitive customer data data on their servers",[985],{"type":294},{},{"nodeType":247,"value":988,"marks":989,"data":990},", and thus let you comply with GDPR, ISO 2700* etc. certifications if you use their services.",[],{},{"nodeType":243,"data":992,"content":993},{},[994],{"nodeType":247,"value":995,"marks":996,"data":997},"While this is great from a tick box exercise perspective, this doesn’t address the original concern – how much risk are you taking on by letting their app integrate with your environment? What could an attacker who compromises diagrams.net have access to and how do you lessen the risk while still allowing employees to use the app?",[],{},{"nodeType":243,"data":999,"content":1000},{},[1001,1005,1014],{"nodeType":247,"value":1002,"marks":1003,"data":1004},"Further in the same blog post, they link to a GitHub ",[],{},{"nodeType":343,"data":1006,"content":1008},{"uri":1007},"https://github.com/jgraph/security-privacy-legal",[1009],{"nodeType":247,"value":1010,"marks":1011,"data":1013},"repository",[1012],{"type":294},{},{"nodeType":247,"value":1015,"marks":1016,"data":1017}," that contains their security and privacy processes, policies, and even some pentest reports. They do a great job of including this information, by the way, so cheers to diagrams.net!",[],{},{"nodeType":243,"data":1019,"content":1020},{},[1021],{"nodeType":247,"value":1022,"marks":1023,"data":1024},"At this point you should have a better understanding of the security of the vendor you’re integrating into your organization, and whether it’s okay to accept the risk. Documenting and adding the information you found to your risk register is also a good idea. Likely, you’ll be taking this information to your Information Security Manager for risk acceptance. ",[],{},{"nodeType":243,"data":1026,"content":1027},{},[1028],{"nodeType":247,"value":1029,"marks":1030,"data":1031},"We’re working on ways to provide this information to our clients through the Push app dashboard in future, too. Sign up or subscribe to our blog to get product updates when features like this are introduced. ",[],{},{"nodeType":259,"data":1033,"content":1034},{},[1035],{"nodeType":247,"value":1036,"marks":1037,"data":1038},"Hijackable urls and implicit grant flow",[],{},{"nodeType":267,"data":1040,"content":1041},{},[1042],{"nodeType":247,"value":271,"marks":1043,"data":1044},[],{},{"nodeType":243,"data":1046,"content":1047},{},[1048,1053,1063,1068,1078],{"nodeType":247,"value":1049,"marks":1050,"data":1052},"Developer side note: The implicit grant flow is no longer recommended due to security-related concerns and that it won’t function where ",[1051],{"type":939},{},{"nodeType":343,"data":1054,"content":1056},{"uri":1055},"https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#:~:text=Many%20browsers%20block%20third%2Dparty%20cookies%2C%20cookies%20on%20requests%20to%20domains%20other%20than%20the%20domain%20shown%20in%20the%20browser%27s%20address%20bar.%20This%20block%20breaks%20the%20implicit%20flow%20and%20requires%20new%20authentication%20patterns%20to%20successfully%20sign%20in%20users.",[1057],{"nodeType":247,"value":1058,"marks":1059,"data":1062},"3rd party cookies are blocked in browsers",[1060,1061],{"type":294},{"type":939},{},{"nodeType":247,"value":1064,"marks":1065,"data":1067},". Instead, you should switch to using the ",[1066],{"type":939},{},{"nodeType":343,"data":1069,"content":1071},{"uri":1070},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow",[1072],{"nodeType":247,"value":1073,"marks":1074,"data":1077},"authorization code flow",[1075,1076],{"type":294},{"type":939},{},{"nodeType":247,"value":1079,"marks":1080,"data":1082}," if applicable to your requirements.",[1081],{"type":939},{},{"nodeType":243,"data":1084,"content":1085},{},[1086,1090,1099],{"nodeType":247,"value":1087,"marks":1088,"data":1089},"Let’s quickly go over how OAuth2’s implicit grant flow works so you can better understand how to spot potentially risky apps and integrations, and why this can result in a security concern. Microsoft provides a great ",[],{},{"nodeType":343,"data":1091,"content":1093},{"uri":1092},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow",[1094],{"nodeType":247,"value":1095,"marks":1096,"data":1098},"breakdown",[1097],{"type":294},{},{"nodeType":247,"value":1100,"marks":1101,"data":1102}," of the implicit grant flow, however for the purposes of brevity (and simplicity), it does the following:",[],{},{"nodeType":1104,"data":1105,"content":1106},"ordered-list",{},[1107,1118,1128,1138,1148],{"nodeType":1108,"data":1109,"content":1110},"list-item",{},[1111],{"nodeType":243,"data":1112,"content":1113},{},[1114],{"nodeType":247,"value":1115,"marks":1116,"data":1117},"A user goes to a web app and clicks a login link",[],{},{"nodeType":1108,"data":1119,"content":1120},{},[1121],{"nodeType":243,"data":1122,"content":1123},{},[1124],{"nodeType":247,"value":1125,"marks":1126,"data":1127},"The web app redirects the user to authenticate and authorize the app. This is performed against your identity provider (in this example, Microsoft)",[],{},{"nodeType":1108,"data":1129,"content":1130},{},[1131],{"nodeType":243,"data":1132,"content":1133},{},[1134],{"nodeType":247,"value":1135,"marks":1136,"data":1137},"If this is the first time authorizing the app, the user is presented with a list of scopes (permissions) the app will need access to, and the user clicks “approve”",[],{},{"nodeType":1108,"data":1139,"content":1140},{},[1141],{"nodeType":243,"data":1142,"content":1143},{},[1144],{"nodeType":247,"value":1145,"marks":1146,"data":1147},"This responds with a token to one of the hard-coded reply urls associated with the app integration (e.g. https://apps.diagrams.net/microsoft as with the ‘Apps with excessive privileges’ example)",[],{},{"nodeType":1108,"data":1149,"content":1150},{},[1151],{"nodeType":243,"data":1152,"content":1153},{},[1154],{"nodeType":247,"value":1155,"marks":1156,"data":1157},"The app uses the token to access the user’s resources with the permissions approved in step 3",[],{},{"nodeType":243,"data":1159,"content":1160},{},[1161],{"nodeType":247,"value":1162,"marks":1163,"data":1164},"Based on the flow above, if an attacker gets their hands on the token from step 4, they can perform requests as the user, granting them access to your resources. To get the token, you need to control one of the hardcoded reply url endpoints, and convince a user to authenticate to the app – perhaps via a phishing attack.",[],{},{"nodeType":243,"data":1166,"content":1167},{},[1168],{"nodeType":247,"value":1169,"marks":1170,"data":1171},"As an example, some of the apps we’ve reviewed contained reply urls which were subdomains of azurewebsites.net and ngrok.io. These urls don’t appear problematic at first. However, the urls could have been used during the development process, and were forgotten about at the conclusion of the project. During the review process we follow at Push, we found multiple examples of such urls that were no longer in use.",[],{},{"nodeType":243,"data":1173,"content":1174},{},[1175,1179,1188],{"nodeType":247,"value":1176,"marks":1177,"data":1178},"This could allow an attacker to register the urls and perform phishing attacks against organizations that use these particular apps, granting the attacker access to previously- approved scopes and resources. The outcome of this attack would be similar to ",[],{},{"nodeType":343,"data":1180,"content":1182},{"uri":1181},"https://www.oauth.com/oauth2-servers/authorization/security-considerations/#:~:text=Redirect%20URL%20Manipulation",[1183],{"nodeType":247,"value":1184,"marks":1185,"data":1187},"redirect URL manipulation",[1186],{"type":294},{},{"nodeType":247,"value":1189,"marks":1190,"data":1191},", but instead of taking advantage of an open or misconfigured redirect, the attacker is in control of the endpoint where the token ends up.",[],{},{"nodeType":243,"data":1193,"content":1194},{},[1195,1199,1207],{"nodeType":247,"value":1196,"marks":1197,"data":1198},"How would you even go about detecting if an app makes use of the implicit grant flow? This requires getting your hands dirty with making authorization requests to your tenant for the specific app ID, and passing the “response_type=token” parameter in the url. This should return an error if the app is not configured with the implicit grant flow. If you’d like to test this yourself, you can follow the “Run in Postman” link at the top of ",[],{},{"nodeType":343,"data":1200,"content":1201},{"uri":1092},[1202],{"nodeType":247,"value":1203,"marks":1204,"data":1206},"this article",[1205],{"type":294},{},{"nodeType":247,"value":1208,"marks":1209,"data":1210}," to make this process a bit easier.",[],{},{"nodeType":243,"data":1212,"content":1213},{},[1214],{"nodeType":247,"value":1215,"marks":1216,"data":1217},"Another example of a hijackable url includes dangling DNS records. Let’s say your app includes a reply url pointing to a legacy server used for development (eg. apptesting-dev.ctrlaltsecure.com). This server was hosted on an EC2 instance in AWS, and has long since been decommissioned. However, the IP address associated with the instance is still pointing to the same address. A determined attacker could potentially gain access to the IP address by spinning up resources until it’s assigned to them.",[],{},{"nodeType":243,"data":1219,"content":1220},{},[1221,1225,1234,1238,1247],{"nodeType":247,"value":1222,"marks":1223,"data":1224},"OWASP has ",[],{},{"nodeType":343,"data":1226,"content":1228},{"uri":1227},"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover",[1229],{"nodeType":247,"value":1230,"marks":1231,"data":1233},"published an article",[1232],{"type":294},{},{"nodeType":247,"value":1235,"marks":1236,"data":1237}," and HackerOne ",[],{},{"nodeType":343,"data":1239,"content":1241},{"uri":1240},"https://www.hackerone.com/application-security/guide-subdomain-takeovers",[1242],{"nodeType":247,"value":1243,"marks":1244,"data":1246},"posted a guide",[1245],{"type":294},{},{"nodeType":247,"value":1248,"marks":1249,"data":1250}," highlighting ways to take over subdomains , and it’s very easy to overlook.",[],{},{"nodeType":267,"data":1252,"content":1253},{},[1254],{"nodeType":247,"value":318,"marks":1255,"data":1256},[],{},{"nodeType":243,"data":1258,"content":1259},{},[1260],{"nodeType":247,"value":1261,"marks":1262,"data":1263},"Unfortunately there is no elegant solution to this problem, and it’s not easy to spot as you would need to review each url to see if it’s still in use, in addition to figuring out if the app makes use of the implicit grant flow. Even then, is the active url being used by the developer, or has an attacker already claimed it.",[],{},{"nodeType":243,"data":1265,"content":1266},{},[1267],{"nodeType":247,"value":1268,"marks":1269,"data":1270},"The best course of action here is likely to make use of a proxy that prevents users from accessing unclassified urls, or urls with a low reputation. However, you will risk breaking applications and making your developers angry. This also does not solve the dangling DNS issue, as with the EC2 instance problem above.",[],{},{"nodeType":243,"data":1272,"content":1273},{},[1274],{"nodeType":247,"value":1275,"marks":1276,"data":1277},"Another option is to contact vendors of apps that you’ve noticed including such urls in their apps and ask them to remove the stale entries from their apps.",[],{},{"nodeType":259,"data":1279,"content":1280},{},[1281],{"nodeType":247,"value":1282,"marks":1283,"data":1284},"You think you’ve been compromised. Now what?",[],{},{"nodeType":243,"data":1286,"content":1287},{},[1288],{"nodeType":247,"value":1289,"marks":1290,"data":1291},"\nRegardless of the method of compromise, there’s a few steps you can take to review what happened and to prevent further access into your environment.",[],{},{"nodeType":267,"data":1293,"content":1294},{},[1295],{"nodeType":247,"value":1296,"marks":1297,"data":1298},"Review app sign-in logs",[],{},{"nodeType":243,"data":1300,"content":1301},{},[1302,1306,1315],{"nodeType":247,"value":1303,"marks":1304,"data":1305},"In Azure Active Directory, head to ",[],{},{"nodeType":343,"data":1307,"content":1309},{"uri":1308},"https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null",[1310],{"nodeType":247,"value":1311,"marks":1312,"data":1314},"Enterprise applications",[1313],{"type":294},{},{"nodeType":247,"value":1316,"marks":1317,"data":1318}," and click on the app you want to review. In the new window, click on sign-in logs. You will be presented with a list of user sign-ins (interactive and non-interactive), service principal sign-ins, and managed identity sign-ins.",[],{},{"nodeType":308,"data":1320,"content":1324},{"target":1321},{"sys":1322},{"id":1323,"type":287,"linkType":288},"2L7vf2zjZBelGMJSjP2inY",[],{"nodeType":243,"data":1326,"content":1327},{},[1328],{"nodeType":247,"value":1329,"marks":1330,"data":1331},"What you typically need to look for is non-interactive user sign-in logs. Non-interactive sign-ins are related to login events performed on behalf of a user where usernames and passwords were not used (read: tokens). You want to review the sign-ins to determine if there were authentication events from IP addresses unrelated to normal employee activity, which can include discrepancies in geographical locations, and out-of-hours activity. Service principal sign-ins would also be of interest, however it would be more difficult to determine odd behavior as you wouldn’t have user sign-ins to compare with.",[],{},{"nodeType":243,"data":1333,"content":1334},{},[1335,1339,1347],{"nodeType":247,"value":1336,"marks":1337,"data":1338},"You could also review Azure’s ",[],{},{"nodeType":343,"data":1340,"content":1342},{"uri":1341},"https://portal.azure.com/#view/Microsoft_AAD_IAM/SecurityMenuBlade/~/RiskySignIns",[1343],{"nodeType":247,"value":1344,"marks":1345,"data":1346},"risky sign-ins ",[],{},{"nodeType":247,"value":1348,"marks":1349,"data":1350},"page, as these issues are likely to show up already classified. Just make sure your filters include non-interactive sign-in methods.",[],{},{"nodeType":267,"data":1352,"content":1353},{},[1354],{"nodeType":247,"value":1355,"marks":1356,"data":1357},"Review app audit logs",[],{},{"nodeType":243,"data":1359,"content":1360},{},[1361],{"nodeType":247,"value":1362,"marks":1363,"data":1364},"In the same window underneath sign-in logs, you’ll find the audit logs section. Audit logs will provide you with crucial information relating to when an app was integrated, by who, and which permissions were delegated.",[],{},{"nodeType":308,"data":1366,"content":1370},{"target":1367},{"sys":1368},{"id":1369,"type":287,"linkType":288},"5HRLoa9zlIWZdZGLN84Yae",[],{"nodeType":267,"data":1372,"content":1373},{},[1374],{"nodeType":247,"value":1375,"marks":1376,"data":1377},"Disable the app",[],{},{"nodeType":243,"data":1379,"content":1380},{},[1381],{"nodeType":247,"value":1382,"marks":1383,"data":1384},"If you’ve determined that an app was involved in an incident, the first step would be to disable the app to prevent malicious actors from performing any further authentication. Under the application’s properties, change the setting “Enable for users to sign-in?” from “Yes” to “No”, followed by clicking “Save.”",[],{},{"nodeType":308,"data":1386,"content":1390},{"target":1387},{"sys":1388},{"id":1389,"type":287,"linkType":288},"12NnJ8OhD3K27rFRJ48t6a",[],{"nodeType":267,"data":1392,"content":1393},{},[1394],{"nodeType":247,"value":1395,"marks":1396,"data":1397},"Revoke all refresh tokens",[],{},{"nodeType":243,"data":1399,"content":1400},{},[1401,1405,1414,1418,1427,1431,1440],{"nodeType":247,"value":1402,"marks":1403,"data":1404},"Disabling the app is not enough to prevent attackers from maintaining access to your environment. ",[],{},{"nodeType":343,"data":1406,"content":1408},{"uri":1407},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens",[1409],{"nodeType":247,"value":1410,"marks":1411,"data":1413},"Refresh tokens",[1412],{"type":294},{},{"nodeType":247,"value":1415,"marks":1416,"data":1417}," provide a way for apps to retrieve new access tokens without bugging users with pesky sign-in screens. Tokens are typically valid for between ",[],{},{"nodeType":343,"data":1419,"content":1421},{"uri":1420},"https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime:~:text=The%20default%20lifetime%20of%20an%20access%20token%20is%20variable.%20When%20issued%2C%20the%20default%20lifetime%20of%20an%20access%20token%20is%20assigned%20a%20random%20value%20ranging%20between%2060%2D90%20minutes%20(75%20minutes%20on%20average).",[1422],{"nodeType":247,"value":1423,"marks":1424,"data":1426},"60 to 90 minutes",[1425],{"type":294},{},{"nodeType":247,"value":1428,"marks":1429,"data":1430},", and if a refresh token has been issued, the token holder can request new tokens for ",[],{},{"nodeType":343,"data":1432,"content":1434},{"uri":1433},"https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#:~:text=The%20default%20lifetime%20for%20the%20refresh%20tokens%20is%2024%20hours%20for%20single%20page%20apps%20and%2090%20days%20for%20all%20other%20scenarios",[1435],{"nodeType":247,"value":1436,"marks":1437,"data":1439},"up to 90 days",[1438],{"type":294},{},{"nodeType":247,"value":1441,"marks":1442,"data":1443},"! ",[],{},{"nodeType":243,"data":1445,"content":1446},{},[1447],{"nodeType":247,"value":1448,"marks":1449,"data":1450},"So, revoking refresh tokens is an important step as part of the mitigation and recovery steps. This step can be performed with some PowerShell – luckily Microsoft provides pre-generated scripts for you to copy and paste. Click on ‘Permissions’ for the app, followed by ‘Review permissions.’ ",[],{},{"nodeType":308,"data":1452,"content":1456},{"target":1453},{"sys":1454},{"id":1455,"type":287,"linkType":288},"7vuFmlmZbzfNhWHPj8ToHm",[],{"nodeType":243,"data":1458,"content":1459},{},[1460],{"nodeType":247,"value":1461,"marks":1462,"data":1463},"In the new window, click on ‘This application is malicious and I’m compromised.’ This will present you with the necessary PowerShell scripts to remove users from the app, revoke all permissions granted to the app, and finally to revoke refresh tokens associated with the app.",[],{},{"nodeType":308,"data":1465,"content":1469},{"target":1466},{"sys":1467},{"id":1468,"type":287,"linkType":288},"4NnD6WKRHlnzKE0F4GUDEm",[],{"nodeType":267,"data":1471,"content":1472},{},[1473],{"nodeType":247,"value":1474,"marks":1475,"data":1476},"What to do if the initial access token was stolen",[],{},{"nodeType":243,"data":1478,"content":1479},{},[1480],{"nodeType":247,"value":1481,"marks":1482,"data":1483},"The initial access token cannot be revoked. In practice, if an attacker has managed to steal an access token it will be valid for the remainder of its lifespan, which is typically one hour. This is true even if the account is disabled, the compromised app deleted, and all refresh tokens revoked. If you’re responding to an incident, you will need to keep an eye on audit logs for an hour or more after performing the above steps to make sure the valid access token wasn’t still being used to perform actions in the environment.",[],{},{"nodeType":243,"data":1485,"content":1486},{},[1487,1491,1500,1504,1513],{"nodeType":247,"value":1488,"marks":1489,"data":1490},"Microsoft’s response to this was to develop something called ",[],{},{"nodeType":343,"data":1492,"content":1494},{"uri":1493},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation",[1495],{"nodeType":247,"value":1496,"marks":1497,"data":1499},"continuous access evaluation",[1498],{"type":294},{},{"nodeType":247,"value":1501,"marks":1502,"data":1503},". However, they admit in the article that it does not address a scenario where an attacker exfiltrated the token outside of a ",[],{},{"nodeType":343,"data":1505,"content":1507},{"uri":1506},"https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation#:~:text=Token%20export%20to%20a%20machine%20outside%20of%20a%20trusted%20network%20can%20be%20prevented%20with%20Conditional%20Access%20location%20policies",[1508],{"nodeType":247,"value":1509,"marks":1510,"data":1512},"trusted network",[1511],{"type":294},{},{"nodeType":247,"value":1514,"marks":1515,"data":1516},", in which case conditional access policy enforcement would be required to address the issue. Continuous access evaluation is ideal for handling specific cases of user access into the environment such as employee contract termination, or scenarios where conditional access policies are violated.",[],{},{"nodeType":259,"data":1518,"content":1519},{},[1520],{"nodeType":247,"value":1521,"marks":1522,"data":1523},"Conclusion",[],{},{"nodeType":243,"data":1525,"content":1526},{},[1527],{"nodeType":247,"value":1528,"marks":1529,"data":1530},"This article should have given you a better understanding of the most common issues presented when reviewing SaaS apps integrated into your environment. ",[],{},{"nodeType":243,"data":1532,"content":1533},{},[1534],{"nodeType":247,"value":1535,"marks":1536,"data":1537},"Determining whether using an app would result in compromise is not a simple task, especially if you haven’t observed malicious behavior. As such, the best course of action is to consider all angles, which include the business case of users requiring its use, the permission scopes, and whether the vendor’s security practices are in line with your requirements.",[],{},{"nodeType":243,"data":1539,"content":1540},{},[1541],{"nodeType":247,"value":1542,"marks":1543,"data":1544},"SaaS is a new(ish) frontier that can be really daunting to defend against attackers, but it's not impossible to reduce risk without simply blocking access to SaaS. And, remember: denying users access to tools will make them find ways around the limitations.",[],{},{"nodeType":243,"data":1546,"content":1547},{},[1548],{"nodeType":247,"value":1549,"marks":1550,"data":1551},"We hope this article helps you get a better handle on how to determine if you’ve been compromised, and respond to incidents involving SaaS apps and/or OAuth integrations to your core work platforms.",[],{},{"nodeType":308,"data":1553,"content":1557},{"target":1554},{"sys":1555},{"id":1556,"type":287,"linkType":288},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":243,"data":1559,"content":1560},{},[1561],{"nodeType":247,"value":29,"marks":1562,"data":1563},[],{},{"entries":1565},{"inline":1566,"hyperlink":1567,"block":1577},[],[1568,1573],{"sys":1569,"__typename":1570,"title":1571,"slug":1572},{"id":286},"BlogPosts","Consent phishing: the emerging phishing technique that can bypass 2FA","consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa",{"sys":1574,"__typename":1570,"title":1575,"slug":1576},{"id":360},"Is it safe to allow my employees to connect third-party apps to our M365/Google Workspace tenant?","is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365",[1578,1587,1595,1603,1611,1619,1627,1635,1642,1650,1658],{"sys":1579,"__typename":1580,"title":1581,"caption":62,"layoutMode":1582,"file":1583},{"id":312},"Image","Consent phishing example","Left aligned",{"url":1584,"width":1585,"height":1586},"https://images.ctfassets.net/y1cdw1ablpvd/6HYzFiGjBi8ae4IDlDhtbx/238e9456dfe0aa62b5723f95a944be36/image2.png",500,765,{"sys":1588,"__typename":1580,"title":1589,"caption":1590,"layoutMode":1582,"file":1591},{"id":375},"User consent for applications","Microsoft 365 permission-configuring page options",{"url":1592,"width":1593,"height":1594},"https://images.ctfassets.net/y1cdw1ablpvd/65HmUDGZM8VCDRIeUUdEPY/3fe867fef120cc2190f8440d11b760f7/image9.png",546,288,{"sys":1596,"__typename":1580,"title":1597,"caption":1598,"layoutMode":1582,"file":1599},{"id":846},"Adobe app integration details","Push's integration panel with our Adobe app details with verified publisher information",{"url":1600,"width":1601,"height":1602},"https://images.ctfassets.net/y1cdw1ablpvd/6Rg5TnvmAqZDFFyVx5x5I1/34fa8feaeb3775b6a96d6089772540be/image7.png",651,673,{"sys":1604,"__typename":1580,"title":1605,"caption":1606,"layoutMode":1582,"file":1607},{"id":859},"Acrobat integration details","Push's integration panel with our Adobe app details. This instance shows unverified, but is not malicious",{"url":1608,"width":1609,"height":1610},"https://images.ctfassets.net/y1cdw1ablpvd/3dKH7ObNU1nRkqvOUKuqw0/0ed37374b74952164b589f9b9b60aa29/image6.png",663,732,{"sys":1612,"__typename":1580,"title":1613,"caption":1614,"layoutMode":1582,"file":1615},{"id":919},"Diagrams.net oauth integration panel","Example of a Microsoft integration that was granted excessive permissions (Sites.Read.All)",{"url":1616,"width":1617,"height":1618},"https://images.ctfassets.net/y1cdw1ablpvd/1dbB6L6VNOL332mmGI4szQ/13a6a7dd456303fc75a404a44407653c/image5.png",652,728,{"sys":1620,"__typename":1580,"title":1621,"caption":1622,"layoutMode":1582,"file":1623},{"id":1323},"Azure active directory","An application's sign-in logs detailing user activity",{"url":1624,"width":1625,"height":1626},"https://images.ctfassets.net/y1cdw1ablpvd/6fHOFS9XjBLpUQBdgjrsoc/61411340965dd7c158e8e5b94671654a/image3.png",1150,545,{"sys":1628,"__typename":1580,"title":1629,"caption":1630,"layoutMode":1582,"file":1631},{"id":1369},"Azure enterprise app audit log page","Azure enterprise applications audit log page detailing the scopes that were delegated to a sign-in event.",{"url":1632,"width":1633,"height":1634},"https://images.ctfassets.net/y1cdw1ablpvd/75u2Mq5FiX2rVW1760QSNf/22cf898dd65e38ce7e6f585486148987/image1.png",748,229,{"sys":1636,"__typename":1580,"title":1637,"caption":1637,"layoutMode":1582,"file":1638},{"id":1389},"Disabling an Azure application integration",{"url":1639,"width":1640,"height":1641},"https://images.ctfassets.net/y1cdw1ablpvd/2qiV0t6oaYhIEHpJTh7VS5/b7b04792ad8c9c575b238ce629c5de9d/image8.png",984,300,{"sys":1643,"__typename":1580,"title":1644,"caption":1645,"layoutMode":1582,"file":1646},{"id":1455},"Azure permission review tab","Navigating to the permission review tab for an integrated application",{"url":1647,"width":1648,"height":1649},"https://images.ctfassets.net/y1cdw1ablpvd/2JtsVllKju7mumigafESsj/174a50115c736a288e2c3182a31c4e9d/image10.png",682,579,{"sys":1651,"__typename":1580,"title":1652,"caption":1653,"layoutMode":1582,"file":1654},{"id":1468},"Revoking access","Auto-generated PowerShell scripts to revoke access to an integrated application.",{"url":1655,"width":1656,"height":1657},"https://images.ctfassets.net/y1cdw1ablpvd/2VNTXdvWQeAmD2TTlz7iDA/2e26e2943f593315c32b82f58f20a665/image4.png",830,671,{"sys":1659,"__typename":1660,"type":1661,"ctaText":1662,"buttonLabel":1663,"buttonColour":1664,"buttonUrl":62},{"id":1556},"CtaWidget","LinkedIn","See more original research and technical content from Push","Follow us on LinkedIn","orange","json",{"items":1667},[],{},"Microsoft Azure attacks: Use SaaS apps to compromise an org ","2023-01-03T00:00:00.000Z",{"items":1672},[1673,1879],{"__typename":1570,"sys":1674,"content":1675,"title":1571,"synopsis":1859,"hashTags":62,"publishedDate":1860,"slug":1572,"tagsCollection":1861,"authorsCollection":1871},{"id":286},{"json":1676},{"nodeType":239,"data":1677,"content":1678},{},[1679,1686,1693,1699,1716,1722,1729,1736,1767,1773,1792,1810,1829],{"nodeType":243,"data":1680,"content":1681},{},[1682],{"nodeType":247,"value":1683,"marks":1684,"data":1685},"With more platforms adding support for Multi-factor Authentication (MFA) and users increasingly adopting it to secure their accounts, attackers are adapting and moving to new methods of compromising user accounts. In this post we’ll take a look at consent phishing and how it is being used to bypass MFA and also skirt key attributes of phishing that are taught in traditional user awareness campaigns, such as links to untrusted domains.",[],{},{"nodeType":243,"data":1687,"content":1688},{},[1689],{"nodeType":247,"value":1690,"marks":1691,"data":1692},"Imagine yourself sitting down at your desk first thing on a Monday morning, cup of coffee steaming next to your keyboard as you click through your backlog of emails. You open the below email and you see that Karl has shared a financial report with you. ",[],{},{"nodeType":308,"data":1694,"content":1698},{"target":1695},{"sys":1696},{"id":1697,"type":287,"linkType":288},"7zysXleQdpE6isqi9OU56l",[],{"nodeType":243,"data":1700,"content":1701},{},[1702,1706,1712],{"nodeType":247,"value":1703,"marks":1704,"data":1705},"Maybe you’ve been waiting for the latest financials or you suspect this was sent erroneously but you’re curious and want to take a peek. When you click the link you are presented with a prompt that with your Monday brain looks just like the “Yes give me access” prompt you’ve clicked through a thousand times. I mean, it's a ",[],{},{"nodeType":247,"value":1707,"marks":1708,"data":1711},"microsoftonline.com",[1709],{"type":1710},"bold",{},{"nodeType":247,"value":1713,"marks":1714,"data":1715}," domain, it's https and there’s a green tick in the corner so everything looks fine. ",[],{},{"nodeType":308,"data":1717,"content":1721},{"target":1718},{"sys":1719},{"id":1720,"type":287,"linkType":288},"6nPueTKEjLphqlytbQ0gcx",[],{"nodeType":243,"data":1723,"content":1724},{},[1725],{"nodeType":247,"value":1726,"marks":1727,"data":1728},"If you’d looked closely you may have noticed that this was in fact asking you to approve access rather than granting you access. But with your muscle memory in full control you click “Accept” before even glancing at the screen. You wait for the spreadsheet to open but are presented with a generic “File does not exist” error page. Oh well, apparently Karl realised his mistake and deleted the file or revoked your access. Onto the next email.",[],{},{"nodeType":243,"data":1730,"content":1731},{},[1732],{"nodeType":247,"value":1733,"marks":1734,"data":1735},"And just like that you’ve been consent phished. You’ve just granted the attackers permanent access to your account, which they retain even if you change your password or have MFA enabled. Chances are the attacker’s tools will immediately start downloading every piece of data you just granted them access to, which they can then explore at their leisure. ",[],{},{"nodeType":243,"data":1737,"content":1738},{},[1739,1743,1751,1755,1763],{"nodeType":247,"value":1740,"marks":1741,"data":1742},"To spot this you need to audit the apps you’ve approved, something you are doing regularly, right? Seriously though, this isn’t something many people check. These integrations are designed to be as seamless as possible and not to get in your way. But if this has piqued your interest you can check what access you have personally granted on ",[],{},{"nodeType":343,"data":1744,"content":1746},{"uri":1745},"https://myaccount.google.com/permissions",[1747],{"nodeType":247,"value":1748,"marks":1749,"data":1750},"Google Workspace",[],{},{"nodeType":247,"value":1752,"marks":1753,"data":1754}," and ",[],{},{"nodeType":343,"data":1756,"content":1758},{"uri":1757},"https://myapps.microsoft.com/",[1759],{"nodeType":247,"value":1760,"marks":1761,"data":1762},"Microsoft 365",[],{},{"nodeType":247,"value":1764,"marks":1765,"data":1766},".",[],{},{"nodeType":308,"data":1768,"content":1772},{"target":1769},{"sys":1770},{"id":1771,"type":287,"linkType":288},"BPIX02LWblUNnkQw1TFWD",[],{"nodeType":243,"data":1774,"content":1775},{},[1776,1780,1788],{"nodeType":247,"value":1777,"marks":1778,"data":1779},"If you’d been paying attention when you clicked “Accept” you might have noticed that you were granting some pretty serious permissions here. These permissions allow the attackers to read and write any files you have access to - they could download all these files and then delete them. The attackers also got permission to send emails as you. They could send emails to your colleagues from you and phish them too, this isn’t impersonation where the email just “looks” like it came from you, the email DID come from you. Lastly the attackers asked for permission to manipulate your Outlook settings, with this they could set up a ",[],{},{"nodeType":343,"data":1781,"content":1783},{"uri":1782},"/features/detect-malicious-mail-rules/",[1784],{"nodeType":247,"value":1785,"marks":1786,"data":1787},"mail forwarding rule",[],{},{"nodeType":247,"value":1789,"marks":1790,"data":1791}," so that they get copies of all your emails forwarded to them directly without even having to log in. And all of this happens until you delete the underlying OAuth app.",[],{},{"nodeType":243,"data":1793,"content":1794},{},[1795,1799,1806],{"nodeType":247,"value":1796,"marks":1797,"data":1798},"In a ",[],{},{"nodeType":343,"data":1800,"content":1802},{"uri":1801},"https://www.microsoft.com/security/blog/2020/07/08/protecting-remote-workforce-application-attacks-consent-phishing/",[1803],{"nodeType":247,"value":970,"marks":1804,"data":1805},[],{},{"nodeType":247,"value":1807,"marks":1808,"data":1809}," Microsoft warns that these attacks are on the rise. One notable example of this comes from the SANS Institute. They reported in August of 2020 that they had fallen victim to one of these attacks. As part of the investigation they produced a report with details on how the attackers managed to convince an employee to install a malicious Microsoft 365 add-in to gain access. ",[],{},{"nodeType":243,"data":1811,"content":1812},{},[1813,1817,1825],{"nodeType":247,"value":1814,"marks":1815,"data":1816},"So what can you do about this threat today? The only fool proof method of preventing this kind of attack is to prevent users from granting access to third party apps. This is terrible for users though, and you’ll be missing out on all the productivity benefits these apps can bring. A more balanced approach is to let users find and request apps, but have administrators approve the apps. More and more platforms (including Microsoft 365 and Slack) are offering built-in “admin consent” workflows to make getting a second pair of eyes on new apps even easier. You can also make it even easier for users  by pre-approving widely used apps from trusted publishers and users won’t even notice there is new protection in place 99% of the time. We are also actively working on this problem and if you would like to join our ",[],{},{"nodeType":343,"data":1818,"content":1820},{"uri":1819},"/features/secure-oauth-permissions-and-applications/",[1821],{"nodeType":247,"value":1822,"marks":1823,"data":1824},"early access program",[],{},{"nodeType":247,"value":1826,"marks":1827,"data":1828}," please get in touch.",[],{},{"nodeType":243,"data":1830,"content":1831},{},[1832,1836,1844,1848,1855],{"nodeType":247,"value":1833,"marks":1834,"data":1835},"Consent phishing is still an emerging technique and we believe that it has not reached peak usage by attackers yet. We are actively researching this attack technique as it continues to evolve. Follow us on Twitter ",[],{},{"nodeType":343,"data":1837,"content":1839},{"uri":1838},"https://twitter.com/PushSecurity",[1840],{"nodeType":247,"value":1841,"marks":1842,"data":1843},"@pushsecurity",[],{},{"nodeType":247,"value":1845,"marks":1846,"data":1847},", ",[],{},{"nodeType":343,"data":1849,"content":1851},{"uri":1850},"https://www.linkedin.com/company/push-security",[1852],{"nodeType":247,"value":1661,"marks":1853,"data":1854},[],{},{"nodeType":247,"value":1856,"marks":1857,"data":1858}," or subscribe to our mailing list below to get the latest updates and tips for managing this for your users.",[],{},"Consent phishing is an emerging technique attackers are using to compromise user accounts, even if they have Multi-factor Authentication (MFA or 2FA) enabled.","2021-07-06T00:00:00.000+01:00",{"items":1862},[1863,1867],{"sys":1864,"name":1866},{"id":1865},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1868,"name":1870},{"id":1869},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1872},[1873],{"fullName":1874,"firstName":1875,"jobTitle":1876,"profilePicture":1877},"Alex Triaca","Alex","Chief Architect",{"url":1878},"https://images.ctfassets.net/y1cdw1ablpvd/LmC3LyTH5V9NthbqKuqA2/8291887e41c15613bf98f6fd55773817/117-0-2.jpg",{"__typename":1570,"sys":1880,"content":1882,"title":2347,"synopsis":2348,"hashTags":62,"publishedDate":2349,"slug":2350,"tagsCollection":2351,"authorsCollection":2359},{"id":1881},"14NiRrBrLFVkR8h05RCD7F",{"json":1883},{"data":1884,"content":1885,"nodeType":239},{},[1886,1894,1902,1924,1932,1953,1960,1966,1973,1980,1987,1994,2001,2008,2015,2022,2029,2035,2042,2049,2056,2063,2081,2087,2094,2100,2107,2113,2120,2127,2134,2178,2185,2205,2212,2302,2322,2328,2335,2341],{"data":1887,"content":1888,"nodeType":243},{},[1889],{"data":1890,"marks":1891,"value":1893,"nodeType":247},{},[1892],{"type":939},"You get a call from your CFO: “Jenkins! ACME just called to find out why we haven’t paid invoices for the last 3 months? Didn’t you make payment last week?”",{"data":1895,"content":1896,"nodeType":243},{},[1897],{"data":1898,"marks":1899,"value":1901,"nodeType":247},{},[1900],{"type":939},"You think back a bit. “Yip! I received another invoice a few days ago and made payment yesterday. I also paid the contractor doing renovations on your house. By the way, congrats on the new kitchen.”",{"data":1903,"content":1904,"nodeType":243},{},[1905,1909,1920],{"data":1906,"marks":1907,"value":1908,"nodeType":247},{},[],"Many companies have had similar incidents occur over the last couple of years - it’s a classic ",{"data":1910,"content":1914,"nodeType":282},{"target":1911},{"sys":1912},{"id":1913,"type":287,"linkType":288},"pj2eLZXa4PyrY1DD4NCHt",[1915],{"data":1916,"marks":1917,"value":1919,"nodeType":247},{},[1918],{"type":294},"Business Email Compromise",{"data":1921,"marks":1922,"value":1923,"nodeType":247},{},[]," (BEC) scenario. An attacker managed to gain access to Jenkins in accounting’s email and intercepted email from legitimate creditors, replacing their banking details with the attacker's own, and even forging invoices from non-existent suppliers. Forged emails are then sent from the CEO or CFO to approve the payments.",{"data":1925,"content":1926,"nodeType":243},{},[1927],{"data":1928,"marks":1929,"value":1931,"nodeType":247},{},[1930],{"type":939},"But how did they manage to gain access to the account? Our security team enforced multi-factor authentication (MFA) a few weeks ago. We’re supposed to be secure!?",{"data":1933,"content":1934,"nodeType":243},{},[1935,1939,1949],{"data":1936,"marks":1937,"value":1938,"nodeType":247},{},[],"As detailed in our ",{"data":1940,"content":1943,"nodeType":282},{"target":1941},{"sys":1942},{"id":286,"type":287,"linkType":288},[1944],{"data":1945,"marks":1946,"value":1948,"nodeType":247},{},[1947],{"type":294},"blog post about consent phishing",{"data":1950,"marks":1951,"value":1952,"nodeType":247},{},[],", this attack method will bypass MFA, since the paired malicious third-party integration app (sometimes called OAuth) generates an authentication token. MFA checks are only applied when logging in with your username and password, so in this case, the attacker was able to get a valid access token into Jenkins’ account. ",{"data":1954,"content":1955,"nodeType":243},{},[1956],{"data":1957,"marks":1958,"value":1959,"nodeType":247},{},[],"While this isn’t necessarily the same level of access provided with a username/password combo, it might be, based on the scopes Jenkins granted the third-party integration app access to when they clicked ‘Accept’. ",{"data":1961,"content":1965,"nodeType":308},{"target":1962},{"sys":1963},{"id":1964,"type":287,"linkType":288},"5BIHqq49jJOHsEHLgc8Tb9",[],{"data":1967,"content":1968,"nodeType":243},{},[1969],{"data":1970,"marks":1971,"value":1972,"nodeType":247},{},[],"The list of third-party integration scopes can include anything from relatively benign things like retrieving your name, surname, and email address, to more dangerous or excessive permissions such as full access to your mailbox, the ability to configure mail rules to forward or delete email, and full access to your OneDrive or Sharepoint files. Worse case scenario: if you belong to groups with password reset capabilities, the attacker may be able to perform full account takeovers.",{"data":1974,"content":1975,"nodeType":267},{},[1976],{"data":1977,"marks":1978,"value":1979,"nodeType":247},{},[],"How do you detect and respond to such incidents?",{"data":1981,"content":1982,"nodeType":243},{},[1983],{"data":1984,"marks":1985,"value":1986,"nodeType":247},{},[],"The main issue is detection. In my experience as an incident responder working with Fortune 500 companies at MWR Infosecurity, I found that BEC attacks are usually detected when associated parties start asking questions about non-payment (or unrecognized payments), which can take weeks or months from the day of compromise. By this point your cloud provider’s logs are likely to have rolled over and you’re unlikely to find much useful information to populate your incident timeline.",{"data":1988,"content":1989,"nodeType":243},{},[1990],{"data":1991,"marks":1992,"value":1993,"nodeType":247},{},[],"Shameless plug alert: Push’s ChatOps functionality can greatly assist here as it detects such malicious rules when created, and sends a message to the owner of the account (Jenkins) asking if they created the rule. Sometimes a user will have a legitimate use for creating mail rules to forward messages to another account, and this allows them to acknowledge the rule and mark it as safe. In case they didn’t create it, they can flag it as such and this will cause an alert to be sent to their security team. This is practically instant detection and invaluable when preventing fraudulent payments. And getting input from the account owner cuts way down on alert fatigue for your team.",{"data":1995,"content":1996,"nodeType":267},{},[1997],{"data":1998,"marks":1999,"value":2000,"nodeType":247},{},[],"\nMitigate the attack \n",{"data":2002,"content":2003,"nodeType":243},{},[2004],{"data":2005,"marks":2006,"value":2007,"nodeType":247},{},[],"Once you’ve detected the incident, your next step is to remediate. Typically, this would require someone on the  security team to find the offending rule in your cloud provider’s control panel to disable it, which can take some time, depending on the team’s availability and other factors. ",{"data":2009,"content":2010,"nodeType":243},{},[2011],{"data":2012,"marks":2013,"value":2014,"nodeType":247},{},[],"Detecting the creation of malicious mail rules would require you to configure policies and alerts in your cloud provider’s control panel, and requires someone from the security team to monitor for notifications. If your IT person is also responsible for security in your organization, it’s unlikely that they would spend an appropriate amount of time looking at alerts and, in many cases, would need to follow up with employees to confirm if they had indeed created the rules. If you’re a larger organization, your dedicated security person will likely have higher priority tasks, too.",{"data":2016,"content":2017,"nodeType":243},{},[2018],{"data":2019,"marks":2020,"value":2021,"nodeType":247},{},[],"Discovering a breach is usually related to someone noticing unrecognized payments, vendors querying a lack of payments, or phishing emails being sent to fellow employees or contacts outside of your organization. If an attacker is careful to avoid causing too much interruption, then it’s likely that you won’t discover the breach until all the damage has been done. Usually by this point, performing an investigation will reveal very little due to important investigation artifacts disappearing due to logs rolling over.",{"data":2023,"content":2024,"nodeType":243},{},[2025],{"data":2026,"marks":2027,"value":2028,"nodeType":247},{},[],"If you’re using Push, we would automatically detect the mail rule, talk to the employee whose email the mail rule was created within, and if they didn’t set the mail rule up themselves, we would assume it was created by an attacker and alert your security team. Push’s ChatOps will disable the offending rule and mark it as suspicious.",{"data":2030,"content":2034,"nodeType":308},{"target":2031},{"sys":2032},{"id":2033,"type":287,"linkType":288},"6rV4EiwTgmBsmYEaUvv55b",[],{"data":2036,"content":2037,"nodeType":243},{},[2038],{"data":2039,"marks":2040,"value":2041,"nodeType":247},{},[],"If this were a typical credential compromise scenario, the account’s password would be reset and everyone would go about their lives. However, since no credentials were compromised in our example, you’d go onto the next step to…",{"data":2043,"content":2044,"nodeType":267},{},[2045],{"data":2046,"marks":2047,"value":2048,"nodeType":247},{},[],"Remove the app’s permissions and revoke the tokens",{"data":2050,"content":2051,"nodeType":243},{},[2052],{"data":2053,"marks":2054,"value":2055,"nodeType":247},{},[],"As I mentioned earlier, third-party integration apps generate tokens, which can be valid for an hour to sometimes 24 hours or more, depending on the integrating app, how it is being used, and if it makes use of refresh tokens.",{"data":2057,"content":2058,"nodeType":243},{},[2059],{"data":2060,"marks":2061,"value":2062,"nodeType":247},{},[],"Invalidating third-party integration access permissions requires accessing your cloud provider’s control panel. In this example, you need to revoke access for a malicious app in a Microsoft 365 tenant. Microsoft’s guidance on this is very useful, but unfortunately not as simple as just pressing a button.",{"data":2064,"content":2065,"nodeType":243},{},[2066,2070,2077],{"data":2067,"marks":2068,"value":2069,"nodeType":247},{},[],"To view Microsoft’s recommendations for dealing with a malicious app, you’d need to navigate to the ",{"data":2071,"content":2072,"nodeType":343},{"uri":1308},[2073],{"data":2074,"marks":2075,"value":1311,"nodeType":247},{},[2076],{"type":294},{"data":2078,"marks":2079,"value":2080,"nodeType":247},{},[]," section in Azure, and locate the app by searching for its name or Application ID, which can be found in the Push app’s OAuth integrations page. In the app menu, click on ‘Permissions,’ then ‘Review permissions.’ ",{"data":2082,"content":2086,"nodeType":308},{"target":2083},{"sys":2084},{"id":2085,"type":287,"linkType":288},"5Z6T2anRIJ1he2phTbcFot",[],{"data":2088,"content":2089,"nodeType":243},{},[2090],{"data":2091,"marks":2092,"value":2093,"nodeType":247},{},[],"On the slide-out menu, select “This application is malicious and I’m compromised.”",{"data":2095,"content":2099,"nodeType":308},{"target":2096},{"sys":2097},{"id":2098,"type":287,"linkType":288},"2lGnKdKTjXAVYBiOtYrbEl",[],{"data":2101,"content":2102,"nodeType":243},{},[2103],{"data":2104,"marks":2105,"value":2106,"nodeType":247},{},[],"This will provide you with pre-generated PowerShell scripts to 1) Remove all users assigned to the application, 2) Revoke all permissions granted to the application, and 3) Revoke refresh tokens for all users.",{"data":2108,"content":2112,"nodeType":308},{"target":2109},{"sys":2110},{"id":2111,"type":287,"linkType":288},"3qdGQ12PdZFLEyIpmMkwPi",[],{"data":2114,"content":2115,"nodeType":267},{},[2116],{"data":2117,"marks":2118,"value":2119,"nodeType":247},{},[],"How to prevent similar attacks",{"data":2121,"content":2122,"nodeType":243},{},[2123],{"data":2124,"marks":2125,"value":2126,"nodeType":247},{},[],"A very important step following a compromise is to review what happened, how it happened, and what could be done to prevent the incident from occurring again. The interesting part about this incident is that it wasn’t due to a weak password, or even the lack of MFA that led to compromise. It came down to social engineering: instructing an employee to click a link by an account masquerading as their CFO.",{"data":2128,"content":2129,"nodeType":243},{},[2130],{"data":2131,"marks":2132,"value":2133,"nodeType":247},{},[],"For the purposes of this hypothetical incident, we’ll establish that the following occurred:",{"data":2135,"content":2136,"nodeType":2177},{},[2137,2147,2157,2167],{"data":2138,"content":2139,"nodeType":1108},{},[2140],{"data":2141,"content":2142,"nodeType":243},{},[2143],{"data":2144,"marks":2145,"value":2146,"nodeType":247},{},[],"Andrew Jenkins was targeted in a phishing attack",{"data":2148,"content":2149,"nodeType":1108},{},[2150],{"data":2151,"content":2152,"nodeType":243},{},[2153],{"data":2154,"marks":2155,"value":2156,"nodeType":247},{},[],"Andrew authenticated via Microsoft 365, which is a legitimate and expected authentication mechanism and occurs almost daily",{"data":2158,"content":2159,"nodeType":1108},{},[2160],{"data":2161,"content":2162,"nodeType":243},{},[2163],{"data":2164,"marks":2165,"value":2166,"nodeType":247},{},[],"No attachments were downloaded, thus in this isolated incident there was no code execution on Andrew’s host, meaning that Anti-Virus or Endpoint Detection & Response (EDR) would not have prevented it",{"data":2168,"content":2169,"nodeType":1108},{},[2170],{"data":2171,"content":2172,"nodeType":243},{},[2173],{"data":2174,"marks":2175,"value":2176,"nodeType":247},{},[],"The attacker gained full access to Andrew’s mailbox","unordered-list",{"data":2179,"content":2180,"nodeType":243},{},[2181],{"data":2182,"marks":2183,"value":2184,"nodeType":247},{},[],"The malicious app was disabled by Microsoft after some time, so a full investigation into its capabilities was not possible. We don’t know whether another phishing page was presented after the integration took place, thus to be on the safe side we need to assume this happened and led to credential compromise.",{"data":2186,"content":2187,"nodeType":243},{},[2188,2192,2201],{"data":2189,"marks":2190,"value":2191,"nodeType":247},{},[],"The app was unverified, which has historically been true in most of these scenarios. Publishers need to associate a Microsoft Partner Network (MPN) ID with the app, which follows a ",{"data":2193,"content":2195,"nodeType":343},{"uri":2194},"https://docs.microsoft.com/en-us/partner-center/verification-responses",[2196],{"data":2197,"marks":2198,"value":2200,"nodeType":247},{},[2199],{"type":294},"verification process",{"data":2202,"marks":2203,"value":2204,"nodeType":247},{},[],", in order to have it appear as a verified app. This Microsoft 365 tenant was configured to allow unverified integrations due to an oversight following an app migration project.",{"data":2206,"content":2207,"nodeType":243},{},[2208],{"data":2209,"marks":2210,"value":2211,"nodeType":247},{},[],"This leads us to the following to help prevent similar attacks from occurring in future, and to make sure there is no opportunity for the attacker to leverage any existing foothold:",{"data":2213,"content":2214,"nodeType":2177},{},[2215,2225,2235,2245,2266,2282,2292],{"data":2216,"content":2217,"nodeType":1108},{},[2218],{"data":2219,"content":2220,"nodeType":243},{},[2221],{"data":2222,"marks":2223,"value":2224,"nodeType":247},{},[],"Disable the integration and remove the malicious app’s permissions",{"data":2226,"content":2227,"nodeType":1108},{},[2228],{"data":2229,"content":2230,"nodeType":243},{},[2231],{"data":2232,"marks":2233,"value":2234,"nodeType":247},{},[],"Reset Andrew Jenkins’ credentials",{"data":2236,"content":2237,"nodeType":1108},{},[2238],{"data":2239,"content":2240,"nodeType":243},{},[2241],{"data":2242,"marks":2243,"value":2244,"nodeType":247},{},[],"Be aware of and review newly created mail rules",{"data":2246,"content":2247,"nodeType":1108},{},[2248],{"data":2249,"content":2250,"nodeType":243},{},[2251,2254,2263],{"data":2252,"marks":2253,"value":29,"nodeType":247},{},[],{"data":2255,"content":2257,"nodeType":343},{"uri":2256},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal",[2258],{"data":2259,"marks":2260,"value":2262,"nodeType":247},{},[2261],{"type":294},"Confirm that the Microsoft 365 tenant is set to disallow integrations from unverified apps",{"data":2264,"marks":2265,"value":29,"nodeType":247},{},[],{"data":2267,"content":2268,"nodeType":1108},{},[2269],{"data":2270,"content":2271,"nodeType":2177},{},[2272],{"data":2273,"content":2274,"nodeType":1108},{},[2275],{"data":2276,"content":2277,"nodeType":243},{},[2278],{"data":2279,"marks":2280,"value":2281,"nodeType":247},{},[],"Note: as of November 9th, 2020, integrations with unverified apps are disabled by default.",{"data":2283,"content":2284,"nodeType":1108},{},[2285],{"data":2286,"content":2287,"nodeType":243},{},[2288],{"data":2289,"marks":2290,"value":2291,"nodeType":247},{},[],"Communicate with employees and other affected parties to be weary of these types of attacks",{"data":2293,"content":2294,"nodeType":1108},{},[2295],{"data":2296,"content":2297,"nodeType":243},{},[2298],{"data":2299,"marks":2300,"value":2301,"nodeType":247},{},[],"Perform regular audits against your Microsoft 365 tenants to highlight any discrepancies and integrations with unusual or unnecessary permissions.",{"data":2303,"content":2304,"nodeType":243},{},[2305,2309,2318],{"data":2306,"marks":2307,"value":2308,"nodeType":247},{},[],"Microsoft implementing safe defaults towards limiting integrations from unverified publishers was a step in the right direction. However, there have been ",{"data":2310,"content":2312,"nodeType":343},{"uri":2311},"https://www.proofpoint.com/us/blog/cloud-security/oivavoii-active-malicious-hybrid-cloud-threats-campaign",[2313],{"data":2314,"marks":2315,"value":2317,"nodeType":247},{},[2316],{"type":294},"cases",{"data":2319,"marks":2320,"value":2321,"nodeType":247},{},[]," where attackers utilized compromised publishers to perform similar attacks. ",{"data":2323,"content":2324,"nodeType":267},{},[2325],{"data":2326,"marks":2327,"value":1521,"nodeType":247},{},[],{"data":2329,"content":2330,"nodeType":243},{},[2331],{"data":2332,"marks":2333,"value":2334,"nodeType":247},{},[],"While the process isn’t exactly straightforward, catching early indicators like malicious mail rules helps you prevent an attacker from launching additional attacks like phishing campaigns as they try to gain access to sensitive business data. Removing the mail rule is just the start of the process, you really need to revoke permissions and take the other steps we covered in this post to stop an attack from going any further. We’ll publish some more content on SaaS incident response on our blog, so subscribe to get our guidance straight into your inbox.",{"data":2336,"content":2340,"nodeType":308},{"target":2337},{"sys":2338},{"id":2339,"type":287,"linkType":288},"6oHRbGLus4bstsAc7E0zBD",[],{"data":2342,"content":2343,"nodeType":243},{},[2344],{"data":2345,"marks":2346,"value":29,"nodeType":247},{},[],"How to kick off an incident response investigation for a compromised SaaS account","We'll walk through how to quickly detect and mitigate business email compromise (BEC) and then prevent future attacks.","2022-09-20T00:00:00.000Z","how-to-kick-off-an-incident-response-investigation-for-a-compromised-saas",{"items":2352},[2353,2355],{"sys":2354,"name":1870},{"id":1869},{"sys":2356,"name":2358},{"id":2357},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":2360},[2361],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2362},{"url":236},"how-attackers-compromise-azure-organizations-through-saas-apps","blog/how-attackers-compromise-azure-organizations-through-saas-apps",{"json":2366},{"data":2367,"content":2368,"nodeType":239},{},[2369],{"data":2370,"content":2371,"nodeType":243},{},[2372],{"data":2373,"marks":2374,"value":2375,"nodeType":247},{},[],"Common ways an app or integration could lead to compromise in Microsoft Azure: consent phishing, unverified apps, hijackable URLs & implicit grant flow. ",{"id":2377,"publishedAt":2378},"3JXKiUMGU8JBpndhLRYOCJ","2023-08-31T12:26:21.402Z",{"items":2380},[2381,2383],{"sys":2382,"name":1866},{"id":1865},{"sys":2384,"name":1870},{"id":1869},"YlOcrAdsjaXTAw1VFnkLENeuuc1q0FEC6JKvoY9qB2w",1784196727285]