Agent Foskett Investigation • Microsoft 365 • OAuth Consent
The OAuth App Asked For Permission
The sign-in looked legitimate.
MFA succeeded.
Then the user clicked Accept.
In this Agent Foskett investigation, we examine how OAuth consent abuse can provide access to Microsoft 365 data without stealing a password.
Investigation focus
Learn how OAuth consent abuse can grant application access to Microsoft 365 data even when MFA appears to work correctly.
OAuth consent prompts
Service principal review
Microsoft 365 app access
The suspicious detail
The alert did not begin with a failed sign-in. It began with a consent prompt.
A user approved an application that requested access to Microsoft 365 data. The request looked routine, but the application was not part of the organisation's normal software stack.
OAuth consent abuse is dangerous because it can survive password resets, avoid traditional phishing patterns and create persistent access through an app registration or service principal.
A user approved an application that requested access to Microsoft 365 data. The request looked routine, but the application was not part of the organisation's normal software stack.
OAuth consent abuse is dangerous because it can survive password resets, avoid traditional phishing patterns and create persistent access through an app registration or service principal.
The prompt looked normal
The user saw a familiar Microsoft sign-in and permission request, not a strange executable or obvious malware warning.
The app gained access
Depending on the permissions granted, the app may be able to read mail, files, contacts or user profile information.
Password resets may not fix it
If app consent remains in place, changing the user's password may not remove the granted application access.
First hunt: find consent-related activity
Start by looking for application consent, permission grant and app-related events in Microsoft 365 activity data.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
CloudAppEvents | where Timestamp > ago(30d) | where ActionType has_any ("Consent", "Grant", "Application", "OAuth") | project Timestamp, AccountDisplayName, ActionType, Application, IPAddress, RawEventData | order by Timestamp desc
Plain-English translation:
Show me recent Microsoft 365 activity where users or administrators may have granted application permissions.
Show me recent Microsoft 365 activity where users or administrators may have granted application permissions.
What Agent Foskett checks next
Consent activity only tells you that something was approved. The next step is to work out whether the application belongs in the environment.
Who approved it?Identify the user or administrator who accepted the permission request and whether that behaviour is normal for their role.
What did the app request?Review requested permissions such as mail, files, contacts, offline access, directory read or user profile access.
Does the app belong?Check whether the application is known, approved, published by a trusted vendor and expected in the tenant.
Second hunt: review service principal activity
When an application is approved in Entra ID, the tenant may contain a service principal that represents that app. Reviewing service principal creation and updates can reveal suspicious app access paths.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
AuditLogs | where TimeGenerated > ago(30d) | where OperationName has_any ("Add service principal", "Update service principal", "Consent to application") | project TimeGenerated, OperationName, InitiatedBy, TargetResources, Result | order by TimeGenerated desc
Third hunt: look for application access patterns
After identifying a suspicious app, review how often applications are being used and whether any app activity stands out from normal tenant behaviour.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
CloudAppEvents | where Timestamp > ago(30d) | where isnotempty(Application) | summarize EventCount = count(), Users = dcount(AccountDisplayName) by Application | order by EventCount desc
The investigation lesson
OAuth consent abuse is not always loud. It may not begin with malware, failed MFA or a suspicious executable.
Sometimes the compromise begins with a legitimate-looking prompt and a user who clicks Accept. The attacker does not need to steal the password if the application has already been granted permission to access the data.
Sometimes the compromise begins with a legitimate-looking prompt and a user who clicks Accept. The attacker does not need to steal the password if the application has already been granted permission to access the data.
Consent is accessApproving an app can grant access to sensitive Microsoft 365 data depending on the permission scope.
MFA is not the endMFA can protect sign-in, but it does not automatically stop a user approving a malicious or unnecessary app.
Review the app layerDefenders should review enterprise applications, service principals and granted permissions regularly.
Common mistakes
Only resetting the passwordPassword resets may not remove previously granted app permissions or service principal access.
Trusting the Microsoft promptA real Microsoft consent screen can still be used in a malicious workflow if the requested app is untrusted.
Ignoring low-volume appsA suspicious app may not generate high volume. Sometimes a small number of events is enough to matter.
Related Agent Foskett investigations and KQL guides
The User Clicked Accept And Gave Away The Entire Mailbox
Review a related investigation where a simple consent action exposed mailbox access.
The MFA Prompt Looked Normal
Learn why a normal-looking authentication prompt can still be part of an attack path.
Continue with The User Passed MFA But It Wasn't Really Them, The Session Token Never Expired, The Conditional Access Policy Was In Report-Only Mode, KQL Threat Hunting Guide, Agent Foskett Academy, Microsoft Security and the GEMXIT Security Review.
Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD