The “Fake Teams” Azure Flaw — How to Hunt for Malicious OAuth Apps & Stolen Session Tokens in Entra ID


By CyberDudeBivash · M365 IR, Identity & Cloud Defense · Apps & Services · Playbooks · ThreatWire · Crypto Security


TL;DR

  • Attackers impersonate trusted apps (e.g., “Microsoft Teams”) to harvest OAuth consent or pivot via stolen session tokens—bypassing email gateways and MFA.
  • This guide is defense-only: a 90-minute triage, ready-to-use KQL hunts, GUI checklists, safe PowerShell/Graph concepts to export evidence, and a 7-day hardening plan.
  • Measure outcomes: detection lead time, MTTR to revoke tokens, consent governance SLA, and Conditional Access efficacy.


Table of Contents

  1. Threat Model: “Fake Teams” & Identity-Centric Abuse
  2. 90-Minute QuickCheck: Blast Radius Signals
  3. KQL Hunt Pack (Defensive)
  4. GUI Checklist: Entra ID, Exchange, SharePoint/OneDrive, Teams
  5. PowerShell/Graph Concepts (Read-Only Evidence)
  6. Containment & Token/App Revocation
  7. 7-Day Hardening Plan
  8. FAQ

Threat Model: “Fake Teams” & Identity-Centric Abuse

  • Impersonated app: Look-alike “Teams/Office/SharePoint” app with familiar icon/name, requesting risky scopes (e.g., Mail.Read, Files.ReadWrite.All, offline_access).
  • Consent bypass: End-user consent enabled or lax admin-consent review leads to silent data access.
  • Session replay: Valid refresh/session tokens are replayed from odd geos/devices; mailbox/file access spikes follow.
  • Quiet exfil: SaaS APIs (Graph/SharePoint/OneDrive) used for staged collection and export.

This guide avoids exploit content and focuses strictly on detection, response, and hardening.

90-Minute QuickCheck: Blast Radius Signals

  1. Enterprise Apps sweep: Filter by Unverified publisher; sort by Added on; note consenters and risky scopes.
  2. Consent timeline: List “Consent to application” events ±24h of first seen; look for clustered approvals.
  3. Sign-in deltas: New device/ASN for target users/SPNs; multiple countries in 24–48h.
  4. Data access spikes: MailItemsAccessed; SharePoint/OneDrive download bursts; new external links.
  5. Mailbox hygiene: New forwarding/hidden rules; delegates; transport rules triggered near consent.

KQL Hunt Pack (Defensive)

1) Risky OAuth Consents (24h)

// The granted scopes live in the modifiedProperties entry named ConsentAction.Permissions;
// expand the array and select that entry by name rather than by a fixed index.
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has "Consent to application"
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "ConsentAction.Permissions"
| extend App=tostring(TargetResources[0].displayName),
        Scopes=tostring(Prop.newValue),
        Actor=tostring(InitiatedBy.user.userPrincipalName)
| where Scopes has_any ("Mail.Read","Files.Read.All","Files.ReadWrite.All","Sites.Read.All","offline_access","User.Read.All")
| summarize Consents=count(), Actors=make_set(Actor) by App, Scopes

2) Service Principal Sign-ins from Rare IPs/Geos

// Service principal sign-ins are streamed to AADServicePrincipalSignInLogs
// (enable it in diagnostic settings); SigninLogs holds user sign-ins only.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(48h) and ResultType == "0"
| summarize IPs=dcount(IPAddress), Geo=dcount(tostring(LocationDetails.countryOrRegion))
          by AppId, AppName=ServicePrincipalName
| where IPs > 1 or Geo > 1

3) Hijacked User Sessions (Geo/ASN Drift)

// Successful user sign-ins that fan out across more than one country or ASN in 48h.
// The ASN is the AutonomousSystemNumber column; ResultType is a string in this table.
SigninLogs
| where TimeGenerated > ago(48h) and ResultType == "0"
| summarize Geos=dcount(tostring(LocationDetails.countryOrRegion)), ASNs=dcount(AutonomousSystemNumber)
          by UPN=UserPrincipalName
| where Geos > 1 or ASNs > 1

4) MailItemsAccessed Surge After Consent

// Consenters from the last 48h; UPNs are lower-cased because the join is case-sensitive.
let ConsentWindow = AuditLogs
  | where TimeGenerated > ago(48h) and OperationName has "Consent to application"
  | project Consenter=tolower(tostring(InitiatedBy.user.userPrincipalName)), ConsentTime=TimeGenerated;
OfficeActivity
| where TimeGenerated > ago(48h) and Operation =~ "MailItemsAccessed"
| extend UserId=tolower(UserId)
| join kind=inner ConsentWindow on $left.UserId == $right.Consenter
// Only mailbox access that happened after the consent counts toward the surge.
| where TimeGenerated >= ConsentTime
| summarize Accesses=count(), FirstAccess=min(TimeGenerated), LastAccess=max(TimeGenerated) by UserId
| where Accesses > 200

5) New Inbox Rules / Forwarding (7d)

OfficeActivity
| where TimeGenerated > ago(7d)
| where Operation has_any ("New-InboxRule","Set-InboxRule","Set-Mailbox","UpdateInboxRules")
// Set-Mailbox is noisy; keep only the calls that change forwarding.
| where Operation != "Set-Mailbox" or Parameters has_any ("ForwardingSmtpAddress","ForwardingAddress","DeliverToMailboxAndForward")
| summarize Rules=count(), Sample=take_any(Parameters) by UserId

6) SharePoint/OneDrive Download Bursts

// FileAccessed also covers previews/opens, so this is a broad activity burst; drop it to count downloads only.
OfficeActivity
| where TimeGenerated > ago(24h) and Workload in ("SharePoint","OneDrive")
| where Operation has_any ("FileDownloaded","FileAccessed")
| summarize Downloads=count() by UserId, bin(TimeGenerated, 30m)
| where Downloads > 300

GUI Checklist: Entra ID, Exchange, SharePoint/OneDrive, Teams

Entra ID → Enterprise Applications

  • Filter Unverified publisher & recently added; inspect scopes; identify the business owner; block sign-ins for unknown apps.
  • Check Users and groups & Sign-in logs for the app; note geos/devices.

Entra ID → Audit & Sign-in Logs

  • Export “Consent to application” events; correlate with MailItemsAccessed, SPN sign-ins, and CA decisions.

Exchange Admin Center

  • Review forwarding/hidden rules, delegates, transport rules; remove unknown rules immediately after evidence capture.

SharePoint/OneDrive & Teams

  • Check recent external sharing links, download spikes, chat export access, or meeting recording pulls from rare geos.

PowerShell/Graph Concepts (Read-Only Evidence)

Operate from a jump box; use read-only scopes to export evidence (no tenant changes here).

# Read-only scopes: nothing below changes tenant state.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All","AuditLog.Read.All"
# List service principals for review. Single quotes stop PowerShell from expanding
# $select/$top as (empty) variables, which would silently strip the query string.
$spns = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
  -Uri 'https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName,verifiedPublisher,signInAudience&$top=999'
$spns.value | Export-Csv .\servicePrincipals.csv -NoTypeInformation
# Correlate the CSV with AuditLogs and SigninLogs in Sentinel.

# Pull recent consent events; the 48h cut-off is computed rather than hard-coded.
$since = (Get-Date).ToUniversalTime().AddHours(-48).ToString('yyyy-MM-ddTHH:mm:ssZ')
$consents = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
  -Uri "https://graph.microsoft.com/beta/auditLogs/directoryAudits?`$filter=activityDisplayName eq 'Consent to application' and activityDateTime ge $since"
$consents.value | Export-Csv .\consents.csv -NoTypeInformation
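Added example, not code from the original post: a Python pass over an exported directoryAudits consent feed that does offline what hunt 1 and QuickCheck steps 1–2 describe. It selects the ConsentAction.Permissions property by name, extracts the granted scopes, flags the risky ones and counts clustered approvals per app within a 24h window. The record shape follows the Graph audit format; the app names, UPNs, timestamps and the rendered `Scope:` string are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RISKY_SCOPES = {"Mail.Read", "Files.Read.All", "Files.ReadWrite.All",
                "Sites.Read.All", "offline_access", "User.Read.All"}  # as in KQL hunt 1

# Constructed sample export: record shape follows Graph directoryAudits, values are made up.
SAMPLE_EVENTS = [
    {"activityDisplayName": "Consent to application", "activityDateTime": "2025-01-15T09:02:11Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Microsoft Teams", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": "[False]"},
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [ConsentType: Principal, Scope: Mail.Read Files.ReadWrite.All offline_access]"}]}]},
    {"activityDisplayName": "Consent to application", "activityDateTime": "2025-01-15T09:21:40Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Microsoft Teams", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [ConsentType: Principal, Scope: Mail.Read offline_access]"}]}]},
    {"activityDisplayName": "Consent to application", "activityDateTime": "2025-01-13T08:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "targetResources": [{"displayName": "Expense Tracker", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[] => [ConsentType: Principal, Scope: User.Read]"}]}]},
]

def consent_scopes(event):
    # Scopes sit in the modifiedProperties entry named ConsentAction.Permissions, whose
    # newValue contains "Scope: <space-separated list>". Select it by name, not by index.
    for prop in event["targetResources"][0].get("modifiedProperties", []):
        if prop.get("displayName") == "ConsentAction.Permissions":
            m = re.search(r"Scope:\s*([^,\]]+)", prop.get("newValue", ""))
            return set(m.group(1).split()) if m else set()
    return set()

def triage_consents(events, window=timedelta(hours=24)):
    # One row per consent: risky scopes granted, and how many consents the same app
    # collected within +/- window (the "clustered approvals" signal of the QuickCheck).
    rows, by_app = [], defaultdict(list)
    for ev in (e for e in events if e.get("activityDisplayName") == "Consent to application"):
        when = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        app, scopes = ev["targetResources"][0]["displayName"], consent_scopes(ev)
        by_app[app].append(when)
        rows.append({"app": app, "when": when, "scopes": scopes, "risky": sorted(scopes & RISKY_SCOPES),
                     "actor": ev["initiatedBy"]["user"]["userPrincipalName"]})
    for r in rows:
        r["clustered"] = sum(abs(t - r["when"]) <= window for t in by_app[r["app"]])
    return rows
```

Point it at the JSON `value` array from the consent export above; a row with a non-empty `risky` list and `clustered` above 1 is the "familiar name, risky scopes, clustered approvals" pattern the threat model describes.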
  

Containment & Token/App Revocation

  1. Sessions: Force sign-out & revoke refresh tokens for impacted users; require password reset & re-register strong auth as policy requires.
  2. Apps: Remove user consents; block sign-ins; delete malicious Enterprise Apps after evidence export.
  3. Conditional Access (temporary hardening): Block unverified publishers; require compliant/hybrid-joined devices for risky scopes and service-principal sign-ins.
  4. Mailbox/SharePoint hygiene: Remove forwarding/hidden rules; reset delegates; review external links.
  5. Evidence: Preserve exports, timelines, and revocation receipts in a write-once vault with hashes.


7-Day Hardening Plan

Day 0–1

  • Disable end-user consent; enable Admin-consent workflow with SLA and reviewers.
  • Conditional Access: require compliant device for high-risk scopes; block unverified publishers; evaluate sign-in risk.

Day 2–4

  • Inventory apps; assign owners; rotate app secrets/certs; delete unused registrations.
  • SIEM alerts: consent events, MailItemsAccessed spikes, rare ASN SPN sign-ins, new inbox rules.

Day 5–7

  • Monthly permissions attestation; auto-expire stale consents; quarterly tabletop (“Consent → Token Replay”).
  • Educate staff: how legit Microsoft prompts look; how admin-consent requests flow internally.



FAQ

Does this article disclose an exploit?

No. It’s defense-only: how to detect, contain, and harden against app impersonation and token replay in Entra ID.

We use an email gateway—are we safe?

Email filters help, but consent phishing & token replay are identity problems. You need app governance and session hygiene.

What’s the fastest win?

Disable end-user consent, enable admin-consent workflow, block unverified publishers with Conditional Access, and deploy the KQL hunts above.

Can we run these hunts in production?

Yes—after testing. They query audit/sign-in/data-access logs and are designed for monitored environments.
