A “Quishing” Attack Just Bypassed Your MFA. Here’s How to Hunt for the Attacker’s Stolen Session Tokens & Malicious OAuth Apps in Entra ID.

CYBERDUDEBIVASH

“Quishing” Bypassed Your MFA. Hunt the Stolen Sessions & Malicious OAuth Apps in Entra ID

By CyberDudeBivash · Microsoft 365 IR, AppSec & Threat Intel · Apps & Services · Playbooks · ThreatWire · Crypto Security


TL;DR 

  • Quishing (QR phishing) drives users to attacker pages that steal session cookies or trick them into consenting to OAuth apps—bypassing MFA prompts.
  • Hunt fast for stolen sessions (suspicious sign-ins, MailItemsAccessed spikes, unfamiliar devices/ASNs) and rogue OAuth apps (unverified publishers, broad scopes, new consents).
  • Use this playbook’s GUI steps, KQL ideas, and safe PowerShell concepts to find → validate → revoke → harden.
  • Outcome: 90-minute triage, 24-hour containment, 7-day governance to block re-consent and cut token replay.

Table of Contents

  1. What “Quishing” Changes in Your Threat Model
  2. 90-Minute QuickCheck (Find Blast Radius)
  3. KQL Hunt Ideas: Sessions, Consent, Exfil
  4. GUI Checklist: Entra ID & Exchange/SharePoint
  5. PowerShell (Concepts, Defense-Only)
  6. Containment & Revocation
  7. 7-Day Hardening: Consent, CA, Devices
  8. Comms, Legal, Evidence
  9. FAQ

What “Quishing” Changes in Your Threat Model

QR-code lures move people to attacker-controlled pages. From there, adversaries steal session cookies/tokens or trick users into granting OAuth app consent. Once tokens exist, MFA isn’t re-prompted. Your job: find the hijacked sessions and any newly consented apps before data walks out.

  • Symptoms: unfamiliar devices/ASNs, sudden MailItemsAccessed bursts, SharePoint/OneDrive mass reads, Teams file pulls.
  • Persistence: refresh tokens, rogue service principals, inbox forwarding rules, external sharing links.

90-Minute QuickCheck (Find Blast Radius)

  1. Enterprise Apps sweep: Entra ID → Enterprise applications → “All applications”; add columns: Publisher verification, Permissions, User consent, Sign-in audience. Sort by Created/Added date.
  2. Consent timeline: Audit logs around the “first seen” quish event (time window from mail read → site visit → consent).
  3. Sign-in deltas: New device, new browser, new ASN, or unfamiliar geos on target accounts.
  4. Mailbox artifacts: New forwarding/transport or hidden rules; delegates added; eDiscovery if needed.
  5. SharePoint/OneDrive: Recent external links; high-volume reads; download spikes after consent.

KQL Hunt Ideas: Sessions, Consent, Exfil

Run in Microsoft Sentinel/Defender. Adjust table/field names to your workspace. These are defensive patterns (no exploit steps).

1) New Consent with High-Risk Scopes (24h)

AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has "Consent to application"
// The granted scopes sit in the modifiedProperties entry named "ConsentAction.Permissions"
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "ConsentAction.Permissions"
| extend Scopes = tostring(Prop.newValue)
| where Scopes has_any ("Mail.Read","Files.Read.All","Files.ReadWrite.All","Sites.Read.All","offline_access","User.Read.All")
| summarize Consents=count(), Apps=make_set(tostring(TargetResources[0].displayName)) by Initiator=tostring(InitiatedBy.user.userPrincipalName)

2) Hijacked Session Indicators

SigninLogs
| where TimeGenerated > ago(48h) and ResultType == "0"
// Successful sign-ins for one user from more than one country in 48h; browsers and ASNs show the pivot
| summarize Geos=dcount(tostring(LocationDetails.countryOrRegion)),
            Countries=make_set(tostring(LocationDetails.countryOrRegion)),
            Browsers=make_set(tostring(DeviceDetail.browser)),
            ASNs=make_set(AutonomousSystemNumber) by UserPrincipalName
| where Geos > 1

3) MailItemsAccessed After Consent

// Correlate mailbox reads with the consent event so the spike is measured after consent, not before
let consents = AuditLogs
| where TimeGenerated > ago(24h) and OperationName has "Consent to application"
| project UserId = tolower(tostring(InitiatedBy.user.userPrincipalName)), ConsentTime = TimeGenerated;
OfficeActivity
| where TimeGenerated > ago(24h) and OfficeWorkload == "Exchange" and Operation =~ "MailItemsAccessed"
| extend UserId = tolower(UserId)
| join kind=inner consents on UserId
| where TimeGenerated > ConsentTime
| summarize accesses=count() by UserId, ConsentTime, bin(TimeGenerated, 30m)
| where accesses > 300

4) Service Principal Sign-ins from Rare ASNs

// Service-principal sign-ins live in their own table, not SigninLogs; pivot on IP and country,
// and enrich with ASN in your SIEM if your schema does not carry it
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(48h) and ResultType == "0"
| summarize IPs=dcount(IPAddress),
            Countries=dcount(tostring(LocationDetails.countryOrRegion)),
            SampleIPs=make_set(IPAddress, 5) by ServicePrincipalId, ServicePrincipalName
| where IPs > 1 or Countries > 1

5) New Inbox Rules / Forwarding (7d)

OfficeActivity
| where TimeGenerated > ago(7d) and OfficeWorkload == "Exchange"
| where Operation has_any ("New-InboxRule","Set-InboxRule","Set-Mailbox")
// Set-Mailbox is noisy: keep only forwarding-related changes
| where Operation != "Set-Mailbox" or tostring(Parameters) has_any ("ForwardingSmtpAddress","ForwardingAddress","DeliverToMailboxAndForward")
| summarize rules=count(), ops=make_set(Operation), sample=take_any(Parameters) by UserId


GUI Checklist: Entra ID & Exchange/SharePoint

Entra ID → Enterprise Applications

  • Filter Unverified publisher, check Permissions, User consent, Sign-in audience, and Added on date.
  • Open app → Permissions: capture scopes & consentors; verify business owner; evaluate if scopes exceed purpose.

Exchange Online

  • Mailbox rules (auto-forward, move/delete), delegates, send-as/send-on-behalf additions.
  • Transport rules for external forwarding; Journaling/ExO audit to correlate spikes.

SharePoint/OneDrive

  • Recent external links & anonymous sharing; unusual downloads per site.

Teams

  • Unexpected file pulls, chat exports, or meeting recordings from rare geos.

PowerShell (Concepts, Defense-Only)

Use Microsoft Graph PowerShell with Application.Read.All, Directory.Read.All, AuditLog.Read.All to enumerate apps, consents, and sign-ins. Keep tokens secure and operate from a jump box.

# Install-Module Microsoft.Graph -Scope CurrentUser   # one-time, on the jump box
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All","AuditLog.Read.All"
# Enumerate enterprise apps (service principals). Single quotes keep $select/$top literal;
# in a double-quoted string PowerShell would expand them as (empty) variables.
$uri  = 'https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName,signInAudience,verifiedPublisher&$top=999'
$page = Invoke-MgGraphRequest -Method GET -Uri $uri
$apps = $page.value          # follow $page.'@odata.nextLink' for tenants with more than 999 apps
# First cut: service principals with no verified publisher
$apps | Where-Object { -not $_.verifiedPublisher.verifiedPublisherId } | Select-Object displayName, appId, signInAudience
# Next: pull OAuth permissions and consent records per app, flag unverified publishers and risky scopes.
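The consent sweep the QuickCheck and the PowerShell section describe, carried through end to end as an added example (this is not the playbook's own script). It assumes the Microsoft Graph PowerShell SDK, a read-only identity, and that the risky-scope list and the output path are tuned for your tenant; the first-party tenant id used to skip Microsoft's own apps is the well-known Microsoft Services tenant.

```powershell
# Added example: join service principals to their delegated consent grants and flag
# unverified publishers holding risky scopes. Read-only scopes; nothing is changed.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All","User.Read.All" -NoWelcome

# Assumption: tune this list to what "exceeds purpose" means in your tenant
$RiskyScopes = @("Mail.Read","Mail.ReadWrite","Files.Read.All","Files.ReadWrite.All",
                 "Sites.Read.All","offline_access","User.Read.All","MailboxSettings.ReadWrite")
# Well-known Microsoft Services tenant id: owner of first-party apps, which we skip
$MicrosoftTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

# Resolve the consenting user's object id to a UPN (cached, one Graph call per user)
$userCache = @{}
function Resolve-Upn($id) {
    if (-not $id) { return "(admin/tenant-wide)" }
    if (-not $userCache.ContainsKey($id)) {
        try   { $userCache[$id] = (Get-MgUser -UserId $id -Property UserPrincipalName).UserPrincipalName }
        catch { $userCache[$id] = $id }
    }
    return $userCache[$id]
}

# 1) Service principals with publisher-verification state, keyed by object id
$sps = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,SignInAudience,VerifiedPublisher,AppOwnerOrganizationId
$spById = @{}
foreach ($sp in $sps) { $spById[$sp.Id] = $sp }

# 2) Delegated consent grants: ConsentType 'Principal' = one user consented, 'AllPrincipals' = admin, tenant-wide
$grants = Get-MgOauth2PermissionGrant -All

$findings = foreach ($g in $grants) {
    $sp = $spById[$g.ClientId]
    if (-not $sp -or $sp.AppOwnerOrganizationId -eq $MicrosoftTenant) { continue }
    $scopes = ($g.Scope -split ' ') | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $RiskyScopes -contains $_ }
    $unverified = [string]::IsNullOrEmpty($sp.VerifiedPublisher.VerifiedPublisherId)
    if ($hits -and $unverified) {
        [pscustomobject]@{
            App            = $sp.DisplayName
            AppId          = $sp.AppId
            SignInAudience = $sp.SignInAudience
            ConsentType    = $g.ConsentType
            ConsentedBy    = Resolve-Upn $g.PrincipalId
            RiskyScopes    = ($hits -join ' ')
            GrantId        = $g.Id        # feed this to revocation in "Containment & Revocation"
        }
    }
}

$findings | Sort-Object App | Format-Table -AutoSize

# 3) Evidence: export, then hash and timestamp the file before it goes to the write-once bucket
$out = ".\consent-triage-$(Get-Date -Format yyyyMMdd-HHmm).csv"   # assumed output path
$findings | Export-Csv -NoTypeInformation -Path $out
Get-FileHash -Path $out -Algorithm SHA256 | Format-List Path, Hash
```

Run it before touching anything in the tenant; the GrantId column is the handle you revoke with later, and the CSV plus its SHA-256 is the first artefact for the evidence section. Application-only permissions (app roles granted to a service principal) are a separate object type and need a second pass with Get-MgServicePrincipalAppRoleAssignment.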

Containment & Revocation

  1. Sessions: Revoke user sessions and refresh tokens for impacted accounts. Force sign-out across devices.
  2. Apps: Remove user/admin consent for malicious or unneeded apps; block sign-ins for the service principal; delete if unused.
  3. Conditional Access (temporary): Block unverified publisher apps; require compliant devices for risky app access; enforce location/device posture checks.
  4. Mailbox hygiene: Remove auto-forward/hidden rules; reset delegates; review external sharing links.
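The four containment steps above as one runnable sequence, added here as an example rather than the playbook's own script. It assumes the Microsoft Graph and ExchangeOnlineManagement modules, a Global/Privileged Authentication Administrator or equivalent role, and that the user list, grant ids and service-principal ids come from your triage output; the values shown are placeholders.

```powershell
# Added example: revoke sessions, remove consent, block the service principal, clean forwarding.
Connect-MgGraph -Scopes "User.ReadWrite.All","Application.ReadWrite.All","DelegatedPermissionGrant.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline

$Users    = @("alice@contoso.example")                    # constructed sample: impacted accounts
$GrantIds = @("<oauth2PermissionGrant id from triage>")   # placeholder
$SpIds    = @("<service principal object id>")            # placeholder

# 1) Sessions: invalidate refresh tokens so a stolen token can no longer be renewed;
#    access tokens already issued expire on their own, so pair this with the CA block below.
foreach ($u in $Users) {
    $r = Revoke-MgUserSignInSession -UserId $u
    Write-Host "Revoked sessions for $u (Graph returned $($r.Value))"
}

# 2) Apps: remove the consent grant, then block sign-ins for the service principal.
#    Deleting the service principal is a later decision once evidence is preserved.
foreach ($id in $GrantIds) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $id }
foreach ($id in $SpIds)    { Update-MgServicePrincipal -ServicePrincipalId $id -AccountEnabled:$false }

# 3) Conditional Access is a policy change; do it in the portal or via the
#    /identity/conditionalAccess/policies endpoint after evidence is captured.

# 4) Mailbox hygiene: clear mailbox-level forwarding and remove forwarding/deleting inbox rules.
#    Get-InboxRule does not show MAPI-hidden rules; use MFCMAPI/Get-MailboxFolderStatistics for those.
foreach ($u in $Users) {
    $mbx = Get-Mailbox -Identity $u
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Write-Host "Clearing mailbox forwarding on $u"
        Set-Mailbox -Identity $u -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }
    Get-InboxRule -Mailbox $u |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            Write-Host "Removing rule '$($_.Name)' on $u"
            Remove-InboxRule -Identity $_.Identity -Confirm:$false
        }
}
```

Order matters: revoke sessions first, then pull the consent, then disable the service principal; doing it the other way round leaves a window in which an already-issued refresh token can still mint access tokens against an app you have not yet blocked.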


7-Day Hardening: Consent, CA, Devices

Day 0–1

  • Disable end-user consent; enable Admin consent workflow with SLA.
  • Conditional Access: require compliant device for high-risk scopes; block unverified publishers; evaluate sign-in risk.

Day 2–4

  • Inventory apps with owners & scopes; rotate app secrets/certs; delete unused registrations.
  • Ship permanent SIEM alerts: consent events, MailItemsAccessed spikes, rule changes, rare ASN service-principal sign-ins.

Day 5–7

  • Monthly permissions attestation; auto-expire stale consents.
  • Tabletop: “Quish → Consent → Token Replay” to validate legal, comms, and IR timings.
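The two Day 0–1 consent settings, applied through Graph as an added example (not the playbook's own script). It assumes the Microsoft Graph PowerShell SDK with the Policy.ReadWrite.Authorization and Policy.ReadWrite.ConsentRequest scopes, and the reviewer object id is a placeholder for your app-governance reviewer.

```powershell
# Added example: disable end-user consent and turn on the admin consent workflow with an SLA.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.ConsentRequest" -NoWelcome

# Day 0: an empty permission-grant policy list means users cannot self-consent to any app
$noUserConsent = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() } }
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" -Body $noUserConsent

# Verify: expect an empty list back
$policy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
$policy.defaultUserRolePermissions.permissionGrantPoliciesAssigned

# Day 1: admin consent workflow; requests expire after 30 days and reviewers get reminders
$reviewerObjectId = "<object id of the reviewer user>"   # placeholder
$workflow = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$reviewerObjectId"; queryType = "MicrosoftGraph" })
}
# The adminConsentRequestPolicy singleton is replaced whole, hence PUT rather than PATCH
Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy" -Body $workflow
```

Publish the allowlist of already-approved business apps before flipping the user-consent setting, so the workflow's first week is reviewing new requests rather than re-approving what people already use.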


Comms, Legal, Evidence

  • Evidence: Export consent records, app metadata, sign-ins, MailItemsAccessed, Teams/SharePoint activity; hash & timestamp; store in a write-once evidence bucket.
  • Notices: If regulated data could be accessed, coordinate regulator/customer comms with privacy/legal.
  • Exec brief (facts only): cause, data at risk, containment time, policy changes, 7-day plan.

Need Expert Help? Engage CyberDudeBivash M365 IR & App Governance

  • Emergency session hijack response (Exchange/SharePoint/Teams)
  • Admin-consent workflow & app governance rollout
  • SIEM/KQL detections & SOAR playbooks
  • Board reporting & tabletop workshops

Explore Apps & Services  |  cyberdudebivash.com · cyberbivash.blogspot.com · cyberdudebivash-news.blogspot.com · cryptobivash.code.blog


FAQ

Is this an exploit guide?

No. This is defensive-only—playbooks and hunts to protect your own tenant; no exploit instructions.

Do email gateways still matter?

Yes—for initial filtering. But session-centric abuse lives beyond gateways, so you need app, token, and device controls.

Fastest wins today?

Disable end-user consent, enable admin-consent workflow, add a Conditional Access block for unverified publishers, and deploy the consent/MailItemsAccessed hunts above.

Will this break business apps?

Use a golden allowlist and a fast review SLA. Most orgs cut risk dramatically without blocking legitimate work.

CyberDudeBivash — Global Cybersecurity Brand · cyberdudebivash.com · cyberbivash.blogspot.com · cyberdudebivash-news.blogspot.com · cryptobivash.code.blog

Author: CyberDudeBivash · Powered by CyberDudeBivash · © All Rights Reserved.

 #CyberDudeBivash #Quishing #MFABypass #SessionHijacking #OAuth #EntraID #KQL #IncidentResponse #ConditionalAccess #AppGovernance
