One-click Disaster Microsoft’s Entra Tokens at Risk

One-click Disaster: Microsoft’s Entra Tokens at Risk 🚨

A single click could grant third-party apps permanent access to corporate email accounts without a password, putting organizations at risk of attacks. Security researchers are calling attention to a growing threat vector targeting workplace identity systems, where attackers exploit OAuth application consent to gain long-term access to sensitive corporate resources.

The latest analysis from threat researchers at Red Canary outlined how an OAuth consent attack against Microsoft’s Entra ID could be used to grant an application access to a user’s email. Microsoft Entra (formerly Azure Active Directory) is a product family designed for identity and network access management for organizations, used by over 300,000 organizations and boasting over 610 million monthly active users.

The Threat Scenario 🔍

In an illustrative scenario laid out by Red Canary, a non-admin user within a Microsoft’s Entra ID tenant connected the legitimate ChatGPT app to their company’s Microsoft account system. While connecting ChatGPT, users approved several permissions, such as offline_access, profile, openid, and Mail.Read, allowing the app to read their emails. Researchers noted, “This ChatGPT application is indeed the legitimate OpenAI application that was investigated due to its use of one or more OAuth permissions that are frequently abused, in this case, Mail.Read.”

Security Concerns ⚠️

Giving an app permission to read email does not automatically indicate malicious intent, but the specific permission that allows email reading is often misused in phishing scams and account takeovers, raising significant security concerns. Open Authorization (OAuth) is widely used across cloud platforms to allow applications to access user data without storing passwords. Unlike passwords, OAuth tokens can remain valid for long periods, even after a user changes their password, creating a persistent risk.

If a malicious or unauthorized app is granted access to an organization’s network, it can persist undetected unless its permissions are specifically revoked. Threat actors are increasingly targeting OAuth tokens rather than passwords, and security researchers have been warning about this shift for several years.

Detection and Mitigation 🛡️

Detecting abused OAuth consent requires monitoring beyond traditional sign-in logs. Red Canary’s researchers outlined that defenders need to track when a non-admin user grants permissions to a third-party application, especially if that application requests sensitive permissions such as Mail.Read. Tracking when an application is first added and when the user consents to its permissions can help reveal suspicious activity.

Removing the OAuth permission grant and the associated service principal from the tenant cuts the unauthorized app off from accessing data. These actions can be performed via automation tools such as Microsoft Graph commands, restoring control to the organization’s security team.

Microsoft provides several options to mitigate this technique. By default, a user can consent to allow an app to access their mailbox but can’t consent to allow an app unfettered access to read and write to all files in the organization. Organizations can tighten their identity controls and reduce the attack surface by:

• Disabling user consent entirely, so only administrators can approve applications (though this option bears an administrative burden).
• Allowing consent only for verified publishers or pre-approved permissions, enabling users to approve low-risk applications while gating higher-risk permissions.
• Letting Microsoft manage consent settings and automatically update policies based on evolving guidance.

To read the complete article see: Read full article