Before Multi-Factor Authentication (MFA) existed, user credentials were cracked, stolen, intercepted, eavesdropped upon or phished. Valid user credentials could also be a part of leaked credentials sets as people re-use passwords everywhere, and we live in a world where our email addresses are the most user-friendly globally unique identifiers we have.
What an attacker does after just one person’s account and mailbox is accessed differs between attackers. Some attackers sell off their access, others wreak havoc, siphon off data or compromise email threads for financial gain. In most situations, attackers look for clever ways to persist in their victim’s infrastructure.
Microsoft helps organizations with recommendations, guidance, and tools like the Secure Score, but one area is still overlooked: application registrations. This method of compromise is fairly effective, which prompted Microsoft this week to warn organizations of this tactic.
In short, Microsoft’s Threat Intelligence division observes attacks where, after initial access, the stolen credentials are used to consent to permissions for nefarious applications. These applications then deploy virtual machines for cryptocurrency mining, compromise business email and launch spam campaigns using their victim’s resources and domain names.
These applications are registered as multi-tenant applications. They typically live in the Entra ID tenant of the attacker. When consented to, these applications create a copy of the application registration in the attacker’s tenant and in the victim’s tenant. From there, attackers can perform any action that the application registration is consented to. Permissions like Mail.ReadWrite and Mail.Send can then be used to communicate as the victim. Permissions like People.Read can be used by attackers to potentially gain the privileges of more privileged accounts.
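Because the consented application shows up in the victim tenant as a service principal (enterprise application) with an OAuth2 permission grant attached, an identity admin can hunt for this pattern directly. The following script is an added example, not code from the original post: it lists delegated permission grants in the tenant, keeps only those given to apps homed in another tenant, and flags the mail and people scopes named above. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read applications and delegated permission grants; the scope list is a starting point, not an exhaustive one.

```powershell
# Added example (not from the original post): hunt for delegated consent grants to
# foreign-tenant apps carrying mail/people scopes. Requires Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All" -NoWelcome
$homeTenant = (Get-MgContext).TenantId

# Scopes the post calls out; extend to match your own risk appetite.
$riskyScopes = @("Mail.ReadWrite", "Mail.Send", "People.Read")

# Cache service principals by object id so each grant resolves without extra Graph calls.
$spById = @{}
Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,AppOwnerOrganizationId,SignInAudience |
    ForEach-Object { $spById[$_.Id] = $_ }

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $sp = $spById[$grant.ClientId]
    if (-not $sp) { continue }
    # Apps registered in your own tenant are not the pattern described in the post.
    if ($sp.AppOwnerOrganizationId -eq $homeTenant) { continue }

    # Scope is a space-separated string of delegated permissions on this grant.
    $granted = $grant.Scope -split ' ' | Where-Object { $_ }
    $hits = $granted | Where-Object { $riskyScopes -contains $_ }
    if ($hits) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            OwnerTenant = $sp.AppOwnerOrganizationId   # tenant the app is homed in
            ConsentType = $grant.ConsentType           # 'Principal' = one user consented
            PrincipalId = $grant.PrincipalId           # user who consented, if ConsentType is Principal
            RiskyScopes = $hits -join ' '
        }
    }
}

$findings | Sort-Object OwnerTenant, App | Format-Table -AutoSize
```

Expect first-party Microsoft applications to appear as well, since they are owned by Microsoft's own tenant; review those once and exclude them, then treat any remaining grant with `ConsentType` of `Principal` as a single user's consent worth verifying with that user.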
Microsoft also provided an important metric with their warning: when Microsoft detected the attack pattern, the group labeled as Storm-1283 already had their malicious applications deployed to 17,000 Entra tenants…
Microsoft provides advice on how to combat this tactic:
As a 15-time Microsoft Most Valuable Professional (MVP) in Directory Services, Enterprise Mobility, Security and Windows and Devices, I have an additional piece of advice and this can be performed by any identity admin, regardless of their Entra ID tenant’s licenses.
All tenants that are being compromised have one thing in common: they all use the default consent settings, which allow users and group owners to consent to any app.
I highly encourage identity admins to implement these changes, but I also feel Microsoft omitted one big change that strikes the attackers where it hurts most.
My advice is to change this setting from its default Allow user consent for apps (older tenants) or Allow user consent for apps from verified publishers for selected permissions (Recommended) to Do not allow user consent. This way, compromised user accounts without privileged roles are unable to consent to any app, including malicious apps.
I agree it is a tough decision to make, but the two settings other than Do not allow user consent allow for user access that in the past has already led to compromise.
Follow these steps to change the user consent setting:
Figure 1: The User consent settings pane
To root out group owner permissions to consent to apps accessing data, Do not allow group owner consent is the best choice in terms of security.
Follow these steps to change the group owner consent setting:
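The portal pickers for User consent and Group owner consent are backed by the permission grant policies assigned to the default user role in the tenant's authorization policy. The script below is an added example, not from the original post or Microsoft's own documentation: it reports which of the three user consent options and which group owner option the tenant is currently on, and then applies both Do not allow choices described above by removing the user-consent and owner-consent policies from the default user role. It assumes the Microsoft Graph PowerShell SDK and an account holding a role that can update the authorization policy; the built-in policy identifiers are the ones Microsoft documents for these settings, so compare them against the Before output from your own tenant before applying the change.

```powershell
# Added example (not from the original post): audit and harden user / group owner consent.
# Requires Microsoft Graph PowerShell SDK and Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome

# Built-in permission grant policies behind the portal's consent pickers.
$userConsentLegacy = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # Allow user consent for apps
$userConsentLow    = "ManagePermissionGrantsForSelf.microsoft-user-default-low"     # Verified publishers, selected permissions
$groupOwnerConsent = "ManagePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-group"

function Get-ConsentPosture {
    $assigned = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    [pscustomobject]@{
        Assigned          = $assigned -join ', '
        UserConsent       = if ($assigned -contains $userConsentLegacy) { "Allow user consent for apps" }
                            elseif ($assigned -contains $userConsentLow) { "Verified publishers, selected permissions" }
                            else { "Do not allow user consent" }
        GroupOwnerConsent = if ($assigned -contains $groupOwnerConsent) { "Allowed" }
                            else { "Do not allow group owner consent" }
    }
}

"Before:"; Get-ConsentPosture | Format-List

# "Do not allow" for both settings means no ManagePermissionGrantsForSelf.* and no
# ManagePermissionGrantsForOwnedResource.* policy on the default user role. Anything else
# that happens to be assigned (for example a custom policy) is preserved.
$keep = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
    Where-Object { $_ -notlike "ManagePermissionGrantsForSelf.*" -and
                   $_ -notlike "ManagePermissionGrantsForOwnedResource.*" })

Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = $keep }

"After:"; Get-ConsentPosture | Format-List
```

Run the Before half on its own first; the Assigned line tells you exactly which policies your tenant carries, which is also a useful baseline to record before any change so drift can be spotted later.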
Obviously, end-users in your organization could be severely impacted when trying to access legitimate apps but are unable to consent to them. Therefore, the admin consent workflow can be enabled.
Follow these steps to enable the admin consent workflow:
Figure 2: The Admin consent settings pane
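The same admin consent workflow can be switched on without the portal. The script below is an added example rather than code from the original post: it resolves the reviewers by user principal name, enables the workflow with e-mail notifications and reminders, and sets a 30-day request lifetime. It assumes the Microsoft Graph PowerShell SDK, an account that can write the consent request policy, and that the two UPNs (placeholders here) belong to admins holding a role that can actually grant the requested consent, such as Cloud Application Administrator or Application Administrator; the cmdlet parameters used are those of the SDK as I know them, so check `Get-Help Update-MgPolicyAdminConsentRequestPolicy` on your installed version.

```powershell
# Added example (not from the original post): enable the admin consent workflow.
# Requires Microsoft Graph PowerShell SDK, Policy.ReadWrite.ConsentRequest and User.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConsentRequest", "User.Read.All" -NoWelcome

# Placeholder reviewers: replace with admins who hold a consent-granting role.
$reviewerUpns = @("identity.admin@contoso.example", "app.admin@contoso.example")

# Reviewers are expressed as Graph query scopes pointing at each user object.
$reviewers = foreach ($upn in $reviewerUpns) {
    $u = Get-MgUser -UserId $upn -Property Id
    @{ query = "/users/$($u.Id)"; queryType = "MicrosoftGraph" }
}

Update-MgPolicyAdminConsentRequestPolicy `
    -IsEnabled:$true `
    -NotifyReviewers:$true `
    -RemindersEnabled:$true `
    -RequestDurationInDays 30 `
    -Reviewers $reviewers

# Confirm the resulting policy.
Get-MgPolicyAdminConsentRequestPolicy |
    Format-List IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays, Reviewers
```

With user consent set to Do not allow, this is what keeps legitimate apps usable: a blocked user submits a request, the listed reviewers are notified, and the consent is granted by an admin who can first check who published the app and what it asks for.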
Application Governance is an area that is still unfamiliar to many identity admins. Yet, applications and their application registrations hold the keys to the proverbial kingdom.
Together with ENow Software, I have spent the last year developing a free web-based solution: ENow’s App Governance Score identifies your tenant settings in terms of applications and provides guidance on remediating any app-related problems in your Entra tenant.
Does your Entra ID tenant follow Microsoft-recommended security practices? Sign up to get your score and assessment report in just a few minutes - get your AppGov Score now!