Microsoft Entra ID OAuth Phishing and Detections

Elastic’s TRADE team analyzed OAuth phishing attacks targeting Microsoft Entra ID, inspired by Volexity’s findings on the UTA0352 threat actor exploiting OAuth workflows to access Microsoft 365 resources. Their research includes hands-on emulation of the attacks, revealing token abuse mechanics, device registration, and detection strategies to mitigate such identity-based threats. #UTA0352 #MicrosoftEntraID #ROADtools

Keypoints

  • Threat actors exploit Microsoft Entra ID OAuth workflows using legitimate first-party apps like VSCode and Microsoft Auth Broker to bypass defenses and access Microsoft 365 data.
  • OAuth phishing URLs manipulate parameters such as client_id, scope, redirect_uri, and login_hint to harvest tokens and impersonate users.
  • Elastic recreated attack scenarios in a controlled environment, using custom Python scripts and ROADtools to emulate token harvesting, device registration, and PRT acquisition.
  • Primary Refresh Tokens (PRTs) are leveraged for persistent access, enabling adversaries to bypass MFA and Conditional Access Policies by registering devices stealthily.
  • Detection strategies focus on behavioral signals in Microsoft Entra ID sign-in logs, Graph API activity, and audit logs correlating token misuse, suspicious OAuth flows, and device registration events.
  • High-fidelity detection rules involve correlating session reuse across IPs, unusual concurrent sign-ins, suspicious ADRS token requests, and PRT usage patterns.
  • Client application IDs, OAuth grant types, device metadata, and consent behavior provide critical telemetry for hunting and identifying abuse in Microsoft Entra ID environments.
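As an added illustration of the detection strategies above (not code from Elastic’s post), a short Python hunt over constructed sign-in records for two of the signals listed: a first-party client requesting a Device Registration Service token, and one session ID reused from several IP addresses. The record field names are a simplified, assumed schema; the client and resource IDs are the ones listed on this page.

```python
"""Hunt over constructed Entra ID sign-in records for two OAuth-abuse signals:
first-party client IDs requesting Device Registration Service (DRS) tokens, and
a session ID reused from more than one IP address within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Client and resource IDs as listed on this page.
VSCODE_APP = "aebc6443-996d-45c2-90f0-388ff96faa56"
AUTH_BROKER_APP = "29d9ed98-a469-4536-ade2-f981bc1d605e"
GRAPH_RESOURCE = "00000003-0000-0000-c000-000000000000"
DRS_RESOURCE = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
WATCHED_CLIENTS = {VSCODE_APP: "VSCode", AUTH_BROKER_APP: "Microsoft Auth Broker"}

# Constructed sample sign-ins; the field names are an assumed, simplified schema.
SIGNINS = [
    {"time": "2025-06-01T09:00:00", "upn": "alice@example.com", "appId": VSCODE_APP,
     "resourceId": GRAPH_RESOURCE, "ip": "203.0.113.10", "sessionId": "s1"},
    {"time": "2025-06-01T09:04:00", "upn": "alice@example.com", "appId": VSCODE_APP,
     "resourceId": GRAPH_RESOURCE, "ip": "198.51.100.7", "sessionId": "s1"},
    {"time": "2025-06-01T09:06:00", "upn": "alice@example.com", "appId": AUTH_BROKER_APP,
     "resourceId": DRS_RESOURCE, "ip": "198.51.100.7", "sessionId": "s1"},
    {"time": "2025-06-01T10:00:00", "upn": "bob@example.com", "appId": VSCODE_APP,
     "resourceId": GRAPH_RESOURCE, "ip": "192.0.2.5", "sessionId": "s2"},
]

def drs_requests_from_watched_clients(records):
    """Return (user, client name) for DRS token requests made via a watched first-party client."""
    return [(r["upn"], WATCHED_CLIENTS[r["appId"]]) for r in records
            if r["appId"] in WATCHED_CLIENTS and r["resourceId"] == DRS_RESOURCE]

def sessions_reused_across_ips(records, window=timedelta(minutes=30)):
    """Return (user, session ID, sorted IPs) for sessions seen from >1 IP inside the window."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["sessionId"]].append((datetime.fromisoformat(r["time"]), r["ip"], r["upn"]))
    hits = []
    for sid, events in by_session.items():
        events.sort()  # chronological order so the window check only looks forward
        for i, (t0, ip0, upn) in enumerate(events):
            later_ips = {ip for t, ip, _ in events[i + 1:] if t - t0 <= window and ip != ip0}
            if later_ips:
                hits.append((upn, sid, sorted({ip0, *later_ips})))
                break  # one finding per session is enough for triage
    return hits

if __name__ == "__main__":
    for hit in drs_requests_from_watched_clients(SIGNINS):
        print("DRS token requested via first-party client:", hit)
    for hit in sessions_reused_across_ips(SIGNINS):
        print("session reused across IPs:", hit)
```

In a real hunt the two findings would be joined on the user and correlation ID with the directory audit log’s device registration events, as the post describes.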

MITRE Techniques

  • [T1078] Valid Accounts – Adversaries use stolen authorization codes and refresh tokens to impersonate users, gaining delegated access to Microsoft 365 services. (‘attackers abused trusted first-party Microsoft applications to bypass traditional defenses… harvested security tokens’)
  • [T1550.001] Use of Valid Accounts: OAuth Tokens – Tokens acquired through OAuth phishing URLs are reused to access APIs and services without further user interaction. (‘the attacker uses the authorization code to obtain a refresh token and access token, enabling Graph API calls’)
  • [T1136] Create Account – Adversaries register virtual devices in Entra ID using ROADtools to gain persistent Primary Refresh Tokens, effectively creating trusted device identity. (‘simulate a valid hybrid-joined device in the Microsoft ecosystem… issued a valid device ID, PEM-encoded certificate, and private key’)
  • [T1110] Brute Force – Phishing for authorization codes as a method to obtain tokens by tricking users into consenting, effectively abusing user credentials and sessions. (‘phishing for consent to establish device trust and mint a PRT’)
  • [T1190] Exploit Public-Facing Application – OAuth phishing URLs mimic legitimate client applications and endpoints to trick users into authorizing malicious applications. (‘crafted customized Microsoft authentication URLs…using legitimate OAuth flows’)

Indicators of Compromise

  • [OAuth Phishing URLs] Malicious authorization URLs targeting Microsoft Entra ID OAuth endpoints – example: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=aebc6443-996d-45c2-90f0-388ff96faa56&scope=https://graph.microsoft.com/.default&response_type=code&redirect_uri=https://insiders.vscode.dev/redirect
  • [Client IDs] Legitimate Microsoft first-party apps abused by attackers – VSCode app ID (aebc6443-996d-45c2-90f0-388ff96faa56), Microsoft Authentication Broker app ID (29d9ed98-a469-4536-ade2-f981bc1d605e)
  • [Resource IDs] Target resources in OAuth flows – Microsoft Graph resource ID (00000003-0000-0000-c000-000000000000), Device Registration Service resource ID (01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9)
  • [Endpoint URLs] Token endpoints and redirect URIs used in phishing and token exchange – https://login.microsoftonline.com/[tenant_id]/oauth2/v2.0/token, https://login.microsoftonline.com/WebApp/CloudDomainJoin/8
  • [Device Metadata] Newly registered device ID and OS version indicating suspicious device registration – devices with OS version 10.0.19041.928 and correlation IDs shared across audit logs

Read more: https://www.elastic.co/security-labs/entra-id-oauth-phishing-detection