Announcing Enhanced Malicious OAuth Activity Detection Capabilities in App Governance

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

App governance is a security and policy management capability that customers can use to monitor and govern app behaviors, and to quickly identify, alert on, and protect against risky ones. It is designed for OAuth-enabled apps that access Microsoft 365 data via Microsoft Graph APIs.

App governance provides you with:

  • Deep visibility & insights: Get deeper visibility into apps that access Microsoft 365 data and actionable insights on how the app is configured and behaving in the environment.
  • Policy-driven governance: Proactively define and enforce policies based on application metadata, permissions, and behaviors in accordance with your organization’s security and compliance posture for data access.
  • Comprehensive detection and remediation: Detect anomalous app behavior with machine-learning models and address issues with automated and manual remediation actions.

Risks in the App Ecosystem

With the increase in popularity of global cloud platforms, the number of cloud applications developed by Service Providers, Independent Service Vendors (ISVs), and citizen developers has been on a steep incline. This growth has, in turn, attracted malicious actors seeking to exploit the platform and its users to gain access to valuable data and resources, resulting in an uptick of security incidents involving apps, both in frequency and in impact.

These incidents span a wide range, including malicious apps engaging in OAuth consent phishing, as well as apps in good standing that are vulnerable to being exploited by bad actors. With hundreds to thousands of apps in an organization capable of accessing data, administrators find it ever more challenging to audit the apps running in their environment and to ensure they are protected from malicious or non-compliant apps.

Third-Party OAuth apps can be used for several malicious activities through Graph API, including:

  • Targeting a user's Outlook mailbox to read emails
  • Collecting sensitive email information
  • Creating Outlook inbox rules to obtain persistence on a compromised email account, with an action that forwards emails to external accounts. Adversaries use this technique to keep access to a compromised email account even after a system reboot.
  • Setting actions in Outlook inbox rules to forward emails to internal accounts for internal phishing, to gain access to additional information
  • Exploiting other users within the same organization once they already have access to accounts or systems in the environment
  • Searching SharePoint or OneDrive resources to mine valuable information.

Detection of anomalous third-party app Graph API activity with app governance

App governance has enhanced its existing detection of third-party apps with anomalous Graph API activity by introducing three new detections: email read, email search, and OneDrive or SharePoint search activities.

Detection of third-party apps based on anomalous Graph API call to read emails:

Alert Name: App with Suspicious OAuth scope made graph calls to read email and create Inbox Rule

Graph API activities included in this detection:

  • App requested high-privilege scope(s) and other suspicious scopes at consent time
  • Created Outlook inbox rule
  • Anomalous Graph API calls to read emails in the Microsoft Exchange workload

Detection of third-party apps based on anomalous Graph API call to search email:

Alert Name: App creates inbox rule and made unusual email searches activities

Graph API activities included in this detection:

  • App requested high-privilege scope(s) at consent time
  • Created Outlook inbox rule
  • Anomalous Graph API calls to search the Microsoft Exchange workload

Detection of third-party apps based on anomalous Graph API call to OneDrive or SharePoint:

Alert Name: App made OneDrive / SharePoint search activities and created inbox rule

Graph API activities included in this detection:

  • App requested high-privilege scope(s) at consent time
  • Created Outlook inbox rule
  • Anomalous Graph API search of the Microsoft OneDrive workload or Microsoft SharePoint workload
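To make the three detection patterns above concrete, here is an added example (not app governance's own detection code) that correlates constructed audit events per app: the two preconditions every pattern shares (high-privilege scopes granted at consent time and an inbox rule created) plus one anomalous Graph activity each. The event schema, the classification of which scopes count as high privilege, the per-operation baselines and the anomaly factor are all assumptions of the example; the scope names are real Microsoft Graph permissions, and the alert names are the ones listed above.

```python
"""Toy correlation of OAuth app audit events into the three alert patterns above.

Added illustrative example, not app governance's own detection logic. The event
schema, baselines, thresholds and sample events are all constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    app_id: str
    kind: str                         # "consent", "inbox_rule" or "graph_call"
    scopes: frozenset = frozenset()   # consent: granted Graph permission scopes
    workload: str = ""                # graph_call: "Exchange", "OneDrive" or "SharePoint"
    operation: str = ""               # graph_call: "read_mail", "search_mail" or "search_files"
    count: int = 0                    # graph_call: calls observed in the evaluation window


# Real Microsoft Graph scope names; which of them count as high privilege is this
# example's own classification (an assumption), not app governance's list.
HIGH_PRIVILEGE_SCOPES = frozenset({
    "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Sites.Read.All",
})

# Alert names as given in the post.
ALERT_READ_MAIL = ("App with Suspicious OAuth scope made graph calls to read email "
                   "and create Inbox Rule")
ALERT_SEARCH_MAIL = "App creates inbox rule and made unusual email searches activities"
ALERT_SEARCH_FILES = "App made OneDrive / SharePoint search activities and created inbox rule"

# Constructed baselines: typical calls per app per window. A real detection learns
# these from tenant history with ML; fixed numbers keep the example offline.
BASELINE_CALLS = {
    ("Exchange", "read_mail"): 40,
    ("Exchange", "search_mail"): 10,
    ("OneDrive", "search_files"): 15,
    ("SharePoint", "search_files"): 15,
}
ANOMALY_FACTOR = 5  # call volume above this multiple of baseline is treated as anomalous


def is_anomalous(ev: Event) -> bool:
    """A graph_call event is anomalous when it far exceeds the baseline for its workload/operation."""
    base = BASELINE_CALLS.get((ev.workload, ev.operation))
    return ev.kind == "graph_call" and base is not None and ev.count > ANOMALY_FACTOR * base


def evaluate_app(events) -> set:
    """Return the alert names triggered by one app's events.

    Every pattern in the post shares two preconditions (high-privilege scopes at
    consent time and an inbox rule created) plus one anomalous Graph activity.
    """
    high_priv_consent = any(ev.kind == "consent" and ev.scopes & HIGH_PRIVILEGE_SCOPES
                            for ev in events)
    created_inbox_rule = any(ev.kind == "inbox_rule" for ev in events)
    if not (high_priv_consent and created_inbox_rule):
        return set()

    anomalous = {(ev.workload, ev.operation) for ev in events if is_anomalous(ev)}
    alerts = set()
    if ("Exchange", "read_mail") in anomalous:
        alerts.add(ALERT_READ_MAIL)
    if ("Exchange", "search_mail") in anomalous:
        alerts.add(ALERT_SEARCH_MAIL)
    if ("OneDrive", "search_files") in anomalous or ("SharePoint", "search_files") in anomalous:
        alerts.add(ALERT_SEARCH_FILES)
    return alerts


def evaluate_tenant(events) -> dict:
    """Group events by app and return {app_id: alerts} for apps that trigger anything."""
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev.app_id].append(ev)
    results = {app: evaluate_app(evs) for app, evs in by_app.items()}
    return {app: alerts for app, alerts in results.items() if alerts}


# Constructed sample events for three hypothetical apps.
SAMPLE_EVENTS = [
    # app-a: suspicious scopes, inbox rule, then a burst of mail reads
    Event("app-a", "consent", scopes=frozenset({"Mail.ReadWrite", "MailboxSettings.ReadWrite"})),
    Event("app-a", "inbox_rule"),
    Event("app-a", "graph_call", workload="Exchange", operation="read_mail", count=1200),
    # app-b: a busy but ordinary mail client; high read volume, but no inbox rule
    Event("app-b", "consent", scopes=frozenset({"Mail.Read"})),
    Event("app-b", "graph_call", workload="Exchange", operation="read_mail", count=900),
    # app-c: inbox rule plus heavy SharePoint searching; mail searches stay near baseline
    Event("app-c", "consent", scopes=frozenset({"Sites.Read.All", "MailboxSettings.ReadWrite"})),
    Event("app-c", "inbox_rule"),
    Event("app-c", "graph_call", workload="Exchange", operation="search_mail", count=30),
    Event("app-c", "graph_call", workload="SharePoint", operation="search_files", count=400),
]

if __name__ == "__main__":
    for app, alerts in sorted(evaluate_tenant(SAMPLE_EVENTS).items()):
        for alert in sorted(alerts):
            print(f"{app}: {alert}")
```

The point the sample data makes is that volume alone is not the signal: app-b reads far more mail than baseline yet raises nothing, because it never created an inbox rule, while app-a and app-c each trigger exactly the one alert whose anomalous activity they exhibit. In a real tenant the baselines would come from learned history rather than fixed constants, and the events from the unified audit log rather than an inline list.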


Deep visibility and insights

App governance is cloud-based and native to the Microsoft 365 platform, so there's no need to deploy additional infrastructure or services. This provides a simplified onboarding and management experience that can be quickly deployed in customer environments.

App governance provides a deep and intuitive dashboard experience that is familiar to administrators. The tenant summary view provides:

  • A high-level summary of the third-party and Line of Business apps in your Microsoft 365 tenant.
  • Alerts based on the violation of any pre-configured policy and/or detection of any anomalous app behavior.
  • Quick insights into apps that do not use one or more permissions they have been granted (Over permissioned).
  • Apps that have powerful permissions that allow data access or a key setting in the tenant (High privileged).
  • Apps that do not have a verified publisher (Unverified).

Get Started

App governance is an add-on feature for Microsoft Cloud App Security and is initially available as a public preview to existing Microsoft Cloud App Security customers in certain regions of North America and Europe, with other regions being added gradually over the next few months.

Additional resources

App governance is part of a broad and comprehensive set of capabilities to protect your environment from cloud app-related threats.

  • To learn more about Azure Active Directory, Microsoft Cloud App Security, and the app governance add-on integration, visit our documentation.
  • For managing user consent and app permissions in Azure AD, see these documents.
  • For the latest on Microsoft Cloud App Security, see this blog and explainer animations.
  • To explore the Microsoft Graph API, check out the developer blog and changelog.

Thank you,

Microsoft 365 Team
