O365 Suspicious Teams Application

View all detections
O365 Suspicious Teams Application

Triggers

  • A rarely used, third-party Microsoft Teams integrated application has been granted excessive or risky permissions that may enable malicious activities to be taken on behalf of the authorizing user
  • The threat score is statically assigned.
  • The certainty score is statically assigned.

Possible Root Causes

  • An attacker is trying to trick the user into authorizing a third-party app that will allow the the attacker to execute malicious actions.
  • In some cases rare, legitimate applications do require a set of permissions that are authorized despite the risk they present.

Business Impact

  • Malicious third-party apps can be used to undermine existing security controls, such as multi-factor authentication (MFA), and enable malicious action on behalf of the authorizing user, increasing risk to enterprise system and data and increasing the likelihood of further attack progression.
  • A suspicious teams application could result in outcomes ranging from the compromise of an individual account or host, to broader compromise of a full teams channel.
  • Malicious apps may enable a foothold into the environment as a means of maintaining persistent access.
  • Malicious apps could may allow the collection of sensitive information or act as a mechanism to support data exfiltration.

Steps to Verify

  • Verify that the application in question is authorized for the associated user.
  • Validate that the required permission set is appropriate for the authorized business process associated with this application.
  • Investigate for additional malicious indicators associated with this application or user.