The M365 Attack Chain Is Not What You Think

Mirko Peters, Podcasts


Perimeter defense is a lie. In this mission briefing, we walk through a real-world-style Microsoft 365 breach in which attackers use consent phishing, AiTM token theft, and OAuth abuse to bypass MFA, replay stolen cookies, and live off the land with Microsoft Graph. You’ll see the exact Entra logs, Sentinel analytics, and controls that matter, plus the one policy that breaks the entire attack chain: consent control. If you run M365, Entra ID, or Sentinel, this is mandatory listening.

Opening – The Lie of Perimeter Defense

Officers, you’re briefed into a different war. Firewalls guard borders, but modern attacks don’t cross borders—they hijack identity. MFA looks like a shield, but stolen tokens and consented apps glide past it like cloaked ships. In this episode, we map an end-to-end Microsoft 365 breach:

  • Starting in the attacker’s cockpit
  • Following consent phishing, AiTM token theft, and OAuth abuse
  • Ending with concrete detections (KQL, Sentinel) and Entra policies you can deploy today

There is one policy that breaks this chain. Stay sharp.

Segment 1 – Threat Intel Brief: What Modern Crews Actually Do

We begin with the current threat picture:

  • Phishing-as-a-Service & AiTM kits: turnkey infrastructure to steal credentials and session cookies together.
  • Malicious multi-tenant OAuth apps: used as roaming “gunships” across tenants, abusing legitimate Microsoft identity flows.
  • Goal set:
    • Take the mailbox
    • Siphon SharePoint / OneDrive
    • Persist via app consent, refresh tokens, and mail rules

Why traditional defenses fail:

  • MFA stops passwords—not replayable sessions.
  • Admin portals don’t highlight OAuth sprawl or service principals by default.
  • Telemetry exists, but detection rules and UEBA are often missing or under-tuned.

Telemetry that actually matters:

  • Entra ID / Azure AD
    • “Consent to application”
    • “ServicePrincipal created”
    • “AppRoleAssignedTo”
    • Sign-in logs with “Authentication requirements satisfied” (including cookie replay patterns)
  • Exchange / MailboxAudit
    • New inbox rules, hidden rules, external forwarding
  • SharePoint / Unified Audit Log
    • FileAccessed / FileDownloaded with AppId stamps
  • App registrations & service principals
    • New credentials, updated permissions, scope creep

Key doctrine:

  • Don’t just guard logins—bind tokens and govern consent.
  • Use Token Protection and risk-based Conditional Access to make stolen cookies worthless and cut risky sessions mid-flight.

Segment 2 – Initial Access: Consent Phishing + Token Theft

Here’s how the breach starts:

  • User hits an AiTM phishing page (invoice, payroll, SharePoint link).
  • Reverse proxy relays real Microsoft login → MFA succeeds → session cookie is captured.
  • In the same flow, a benign-looking multi-tenant OAuth app asks for consent:
    • Scopes like User.Read, Mail.Read, offline_access
  • The user approves.
  • Attacker now holds:
    • A stolen cookie (for replay)
    • A sanctioned service principal (for long-term Graph access)

Key telemetry & detections:

  • Entra Audit:
    • “Consent to application” → “ServicePrincipal created” → “AppRoleAssignedTo”
  • Entra Sign-in logs:
    • “Authentication requirements satisfied” from a new device / country minutes after the real login
  • Exchange MailboxAudit:
    • Inbox rules or forwarding after consent (to blind the user)
  • Unified Audit / SharePoint:
    • FileAccessed / FileDownloaded showing an AppId instead of Outlook/browser

Detection ideas:

  • Sentinel analytics for consent events by high-value users or unfamiliar IPs
  • Watchlists of sanctioned AppIds; anything else is priority
  • UEBA for impossible travel and sudden session switching that screams hijack
  • Alerts on new service principals with scopes like Mail.ReadWrite, Files.Read.All, Sites.Read.All, offline_access

Quick wins:

  • Disable user consent tenant-wide or limit to low-risk scopes + verified publishers.
  • Enable admin consent workflow for everything else.
  • Turn on Token Protection for Exchange/SharePoint where supported.
  • Use Conditional Access (sign-in risk, compliant device, workload-specific controls) to block risky replay.

Segment 3 – Persistence: Living Off the Land with OAuth & Mail Rules

Once inside, attackers shift from sprint to residency:

  • offline_access + refresh tokens = long-lived Graph access without the user.
  • Hidden inbox rules hide security emails and alerts.
  • A second, more “normal” app may be deployed as a backup persistence mechanism.
  • Scopes quietly upgrade over time from Mail.Read → Mail.ReadWrite, Sites.Read.All → Files.Read.All.

Telemetry & detections:

  • Entra Audit:
    • Update application, Add passwordCredential, Add keyCredential on service principals
  • AppRoleAssignedTo:
    • Scope creep to high-value permissions
  • Exchange MailboxAudit / Admin logs:
    • New inbox rules, external forwarding, mailbox configuration changes
  • Sentinel:
    • Analytics for external forwarding rules
    • UEBA for Graph call volume spikes from a single AppId
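The detection ideas from Segment 2 (sanctioned-AppId watchlist, alerts on high-value scopes) and the Segment 3 telemetry (scope creep, new service-principal credentials, external forwarding rules) can be prototyped as one triage pass over audit records before being turned into Sentinel analytics. The block below is an added example, not code from the episode; the AppIds, user names and tenant domain are constructed placeholders, and the event shape is a simplified stand-in for the real Entra audit and MailboxAudit schemas.

```python
from collections import defaultdict

# Assumed tenant watchlist of sanctioned AppIds; any other app consenting is priority.
SANCTIONED_APPS = {"app-sanctioned-0001"}
# Scopes the episode calls out as high value for mailbox/SharePoint theft and persistence.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.Read.All", "Sites.Read.All", "offline_access"}
INTERNAL_DOMAINS = {"contoso.example"}          # assumed tenant domains

# Constructed sample records (placeholder AppIds), not real tenant telemetry.
SAMPLE_EVENTS = [
    {"log": "EntraAudit", "op": "Consent to application", "user": "cfo@contoso.example",
     "appId": "app-unknown-0042", "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"log": "EntraAudit", "op": "Consent to application", "user": "alice@contoso.example",
     "appId": "app-sanctioned-0001", "scopes": ["User.Read"]},
    {"log": "EntraAudit", "op": "AppRoleAssignedTo", "appId": "app-unknown-0042",
     "scopes": ["Mail.ReadWrite", "Sites.Read.All"]},
    {"log": "EntraAudit", "op": "AppRoleAssignedTo", "appId": "app-sanctioned-0001",
     "scopes": ["User.Read"]},
    {"log": "EntraAudit", "op": "Add passwordCredential", "appId": "app-unknown-0042"},
    {"log": "MailboxAudit", "op": "New-InboxRule", "user": "cfo@contoso.example",
     "forwardTo": "drop@attacker.example"},
    {"log": "MailboxAudit", "op": "New-InboxRule", "user": "bob@contoso.example",
     "forwardTo": "assistant@contoso.example"},
]

def triage(events, sanctioned=SANCTIONED_APPS):
    """Return (finding, subject, detail) tuples for the consent / scope-creep / forwarding chain."""
    findings = []
    seen_scopes = defaultdict(set)   # scopes already granted per AppId, used to spot creep
    for e in events:
        op, app = e["op"], e.get("appId")
        if op == "Consent to application":
            if app not in sanctioned:      # watchlist miss: anything not sanctioned is priority
                risky = sorted(set(e["scopes"]) & HIGH_RISK_SCOPES)
                findings.append(("unsanctioned_consent", app, (e["user"], risky)))
            seen_scopes[app] |= set(e["scopes"])
        elif op == "AppRoleAssignedTo":
            added = set(e["scopes"]) - seen_scopes[app]
            risky = sorted(added & HIGH_RISK_SCOPES)
            if risky:                      # permissions quietly upgraded to high-value scopes
                findings.append(("scope_creep", app, risky))
            seen_scopes[app] |= set(e["scopes"])
        elif op in ("Add passwordCredential", "Add keyCredential"):
            findings.append(("new_sp_credential", app, op))   # new SP secret: review, rotations also land here
        elif op == "New-InboxRule" and e.get("forwardTo"):
            domain = e["forwardTo"].rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:   # external forwarding blinds the user
                findings.append(("external_forwarding", e["user"], e["forwardTo"]))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields four findings, all tied to the unsanctioned app and the CFO mailbox, while the sanctioned app and the internal forwarding rule stay silent.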

Remediation doctrine:

  • Revoke app consent and delete OAuth2PermissionGrants for malicious apps.
  • Disable or delete service principals; rotate secrets for legitimate apps that may be impacted.
  • Force sign-outs, revoke refresh tokens, and require re-auth for affected identities.
  • Implement Conditional Access session controls and Token Protection so replay dies at the gate.

Segment 4 – Lateral Movement: From Mailbox to SharePoint to Keys

With persistence established, attackers move laterally:

  • Use mailbox intel to find:
    • Project code names
    • SharePoint site URLs
    • Vendors and payment flows
  • Use Graph with Sites.Read.All / Files.Read.All to enumerate and harvest high-value content.
  • Use directory read scopes to map admins, groups, app roles, and further targets.
  • Launch BEC-style attacks using real threads and context.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast–6704921/support.
