O365 Mail Permissioned Application Consent Granted by User

Splunk Security Content

Summary
This detection rule identifies instances where a user grants consent to an OAuth application requesting mail-related permissions within the Office 365 environment. By monitoring O365 audit logs, particularly focusing on application permissions and user consent activities, the rule aims to highlight potential security risks, including data exfiltration or spear phishing. The detection mechanism triggers on successful consent actions for applications that request permissions categorized under 'Mail', such as reading or sending emails. If a malicious application is granted such access by a user, it could lead to unauthorized data access, email forwarding, or distribution of malicious content from the compromised account. Thus, validating the legitimacy of the requesting application is critical to mitigate the risk of data breaches.
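The following is an added example written for this page, not the rule's own SPL from Splunk Security Content. It shows the detection logic described above applied to a handful of constructed O365 Unified Audit Log records: keep only successful "Consent to application." events where the consent was granted by a user (not an admin), pull the delegated scopes out of the ConsentAction.Permissions property, and raise an alert when any Mail-category scope is present. The record layout (Operation, ResultStatus, UserId, Target, ModifiedProperties with Name/NewValue pairs, and the "Scope: ..." substring inside ConsentAction.Permissions) follows the AzureActiveDirectory workload format as the author understands it and should be treated as an assumption to confirm against your own tenant's logs.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample audit records (not real tenant data). The layout is an
# assumption about the AzureActiveDirectory "Consent to application." event.
SAMPLE_RECORDS: List[Dict] = [
    {   # user consent granting mailbox read/write and send: should alert
        "Workload": "AzureActiveDirectory",
        "Operation": "Consent to application.",
        "ResultStatus": "Success",
        "UserId": "alice@example.test",
        "Target": [{"Type": 1, "ID": "Mailbox Sync Helper"}],
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[] => [[Id: 1, ConsentType: Principal, "
                         "Scope: Mail.ReadWrite Mail.Send offline_access User.Read, "
                         "ExpiryTime: ]]"},
        ],
    },
    {   # user consent to a sign-in-only app: no mail scope, no alert
        "Workload": "AzureActiveDirectory",
        "Operation": "Consent to application.",
        "ResultStatus": "Success",
        "UserId": "bob@example.test",
        "Target": [{"Type": 1, "ID": "Timesheet Portal"}],
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[] => [[Id: 2, ConsentType: Principal, "
                         "Scope: User.Read openid profile, ExpiryTime: ]]"},
        ],
    },
    {   # admin consent: mail scope present, but out of scope for this rule
        "Workload": "AzureActiveDirectory",
        "Operation": "Consent to application.",
        "ResultStatus": "Success",
        "UserId": "admin@example.test",
        "Target": [{"Type": 1, "ID": "Corporate Archiver"}],
        "ModifiedProperties": [
            {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
            {"Name": "ConsentAction.Permissions",
             "NewValue": "[] => [[Id: 3, ConsentType: AllPrincipals, "
                         "Scope: Mail.Read, ExpiryTime: ]]"},
        ],
    },
    {   # failed consent attempt: ignored because it never succeeded
        "Workload": "AzureActiveDirectory",
        "Operation": "Consent to application.",
        "ResultStatus": "Failure",
        "UserId": "carol@example.test",
        "Target": [{"Type": 1, "ID": "Mail Exporter"}],
        "ModifiedProperties": [],
    },
]

# Delegated Graph/Exchange scopes that grant access to mailbox content.
MAIL_SCOPE = re.compile(r"\b(Mail\.[A-Za-z.]+|IMAP\.AccessAsUser\.All|SMTP\.Send)\b")
# The scope list sits inside the ConsentAction.Permissions string as "Scope: a b c,"
SCOPE_FIELD = re.compile(r"Scope:\s*([^,\]]*)")


def extract_scopes(modified_properties: Iterable[Dict]) -> List[str]:
    """Return the space-separated scopes recorded under ConsentAction.Permissions."""
    for prop in modified_properties:
        if prop.get("Name") == "ConsentAction.Permissions":
            match = SCOPE_FIELD.search(prop.get("NewValue", ""))
            if match:
                return match.group(1).split()
    return []


def is_admin_consent(modified_properties: Iterable[Dict]) -> bool:
    """True when ConsentContext.IsAdminConsent is recorded as True."""
    for prop in modified_properties:
        if prop.get("Name") == "ConsentContext.IsAdminConsent":
            return prop.get("NewValue", "").strip().lower() == "true"
    return False


def detect_mail_consent(records: Iterable[Dict]) -> List[Dict]:
    """Flag successful user-granted consents that include a Mail-category scope."""
    alerts = []
    for rec in records:
        if rec.get("Operation") != "Consent to application.":
            continue
        if rec.get("ResultStatus") != "Success":
            continue
        props = rec.get("ModifiedProperties", [])
        if is_admin_consent(props):
            continue  # admin consent is covered by a different rule
        scopes = extract_scopes(props)
        mail_scopes = [s for s in scopes if MAIL_SCOPE.fullmatch(s)]
        if mail_scopes:
            targets = rec.get("Target", [])
            alerts.append({
                "user": rec.get("UserId"),
                "app": targets[0]["ID"] if targets else None,
                "mail_scopes": mail_scopes,
                "all_scopes": scopes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mail_consent(SAMPLE_RECORDS):
        print(f"{alert['user']} granted {alert['app']} -> {', '.join(alert['mail_scopes'])}")
```

Only the first record produces an alert; the second lacks a mail scope, the third is admin consent, and the fourth never succeeded. The alert carries the full scope list so an analyst can see whether Mail.Send or IMAP/SMTP access was bundled in, which is what distinguishes a mailbox-forwarding or outbound-phishing risk from a read-only integration when validating the requesting application.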
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • User Account
ATT&CK Techniques
  • T1528
Created: 2024-11-14