Azure AD Suspicious OAuth Application

Detection overview

Triggers

  • A third-party cloud application has requested excessive or risky access, which may allow malicious activities to be performed on behalf of the granter of the permission.

Possible Root Causes

  • An attacker is trying to trick the user into delegating permissions to an application they control, which will enable further malicious activities.
  • A new legitimate third-party application has been installed in the organization and requires elevated permissions from users.

Business Impact

  • Malicious applications are able to perform actions with delegated permissions without a user’s knowledge and may be difficult to detect.
  • Depending on the delegated privileges involved, the impact may range from single account takeover to full subscription compromise.

Steps to Verify

  • Validate that this is an authorized application which has been vetted for risk by the security team.
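The following script is an added example (not Vectra's code) of how the verification step and the trigger above can be turned into a repeatable triage of consent grants. It assumes records shaped like the Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` objects (fields `clientId`, `consentType`, `principalId`, `scope`, `appId`, `displayName`, `verifiedPublisher`); the list of scopes treated as risky, the allowlist of vetted application IDs and all sample records are constructed for the example.

```python
"""Triage Azure AD OAuth consent grants for excessive delegated access.

Added example (not Vectra's code). It assumes records shaped like the
Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` objects
(fields: clientId, consentType, principalId, scope; appId, displayName,
verifiedPublisher). All sample data below is constructed.
"""

# Delegated scopes that let an app read or act on a user's data broadly.
# Which scopes count as risky is an assumption of this example, not a
# vendor list; tune it to the tenant's own risk appetite.
RISKY_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
    "MailboxSettings.ReadWrite", "Contacts.ReadWrite",
}
# offline_access issues a refresh token, so delegated access persists
# after the user's interactive session ends.
PERSISTENCE_SCOPES = {"offline_access"}

# Applications already vetted by the security team (constructed appIds).
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

# Constructed servicePrincipal records, keyed by object id.
SERVICE_PRINCIPALS = {
    "sp-hr": {
        "appId": "11111111-1111-1111-1111-111111111111",
        "displayName": "Corporate HR Portal",
        "verifiedPublisher": {"displayName": "Contoso Ltd"},
    },
    "sp-sync": {
        "appId": "22222222-2222-2222-2222-222222222222",
        "displayName": "Mail Sync Helper",
        "verifiedPublisher": {"displayName": None},
    },
    "sp-reader": {
        "appId": "33333333-3333-3333-3333-333333333333",
        "displayName": "Profile Reader",
        "verifiedPublisher": {"displayName": "Fabrikam"},
    },
}

# Constructed oauth2PermissionGrant records.
GRANTS = [
    {"id": "g1", "clientId": "sp-hr", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Directory.ReadWrite.All offline_access"},
    {"id": "g2", "clientId": "sp-sync", "consentType": "Principal",
     "principalId": "user-42", "scope": "User.Read Mail.ReadWrite Mail.Send offline_access"},
    {"id": "g3", "clientId": "sp-reader", "consentType": "Principal",
     "principalId": "user-7", "scope": "User.Read"},
]


def triage_grant(grant, service_principals, approved_app_ids=APPROVED_APP_IDS):
    """Classify one consent grant and explain why.

    Returns a dict with verdict 'approved', 'investigate' or 'low' and a
    list of human-readable reasons for the analyst.
    """
    sp = service_principals.get(grant["clientId"], {})
    scopes = set(grant.get("scope", "").split())
    risky = sorted(scopes & RISKY_SCOPES)
    persistent = bool(scopes & PERSISTENCE_SCOPES)
    publisher = (sp.get("verifiedPublisher") or {}).get("displayName")

    reasons = []
    if risky:
        reasons.append("risky delegated scopes: " + ", ".join(risky))
    if risky and persistent:
        reasons.append("offline_access: refresh token keeps access after the session ends")
    if grant.get("consentType") == "AllPrincipals" and risky:
        reasons.append("admin consent: grant applies to every user in the tenant")
    if not publisher:
        reasons.append("publisher not verified")

    if sp.get("appId") in approved_app_ids:
        verdict = "approved"       # already vetted by the security team
    elif risky:
        verdict = "investigate"    # excessive access requested by an unvetted app
    else:
        verdict = "low"
    return {"grant": grant["id"], "app": sp.get("displayName", grant["clientId"]),
            "consentType": grant.get("consentType"), "verdict": verdict, "reasons": reasons}


def grants_to_investigate(grants=GRANTS, service_principals=SERVICE_PRINCIPALS):
    """Return triage results for the grants that need analyst follow-up."""
    results = [triage_grant(g, service_principals) for g in grants]
    return [r for r in results if r["verdict"] == "investigate"]


if __name__ == "__main__":
    for r in (triage_grant(g, SERVICE_PRINCIPALS) for g in GRANTS):
        print(f"{r['grant']:>3} {r['app']:<20} {r['verdict']:<12} {'; '.join(r['reasons']) or '-'}")
```

In practice the two record sets come from the tenant (for example the Graph `oauth2PermissionGrants` and `servicePrincipals` collections), and the allowlist is the security team's register of vetted applications. An `AllPrincipals` grant deserves particular attention because it was made by an administrator on behalf of every user, whereas a `Principal` grant shows which individual user consented and is the natural starting point for the investigation.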