{
	"id": "4b1de723-c889-4785-8d99-b1be15daae33",
	"created_at": "2026-04-06T00:19:15.235357Z",
	"updated_at": "2026-04-10T13:12:34.028923Z",
	"deleted_at": null,
	"sha1_hash": "fa8ad1c038dac521a1b267ae007329e21bdf9a76",
	"title": "Threat actors misuse OAuth applications to automate financially driven attacks | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 849674,
	"plain_text": "Threat actors misuse OAuth applications to automate financially driven attacks | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-12-12 · Archived: 2026-04-02 10:43:24 UTC\r\nThreat actors are misusing OAuth applications as an automation tool in financially motivated attacks. OAuth is an\r\nopen standard for token-based authentication and authorization that enables applications to get access to data and\r\nresources based on permissions set by a user. Threat actors compromise user accounts to create, modify, and grant\r\nhigh privileges to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also\r\nenables threat actors to maintain access to applications even if they lose access to the initially compromised\r\naccount.\r\nIn attacks observed by Microsoft Threat Intelligence, threat actors launched phishing or password spraying attacks\r\nto compromise user accounts that did not have strong authentication mechanisms and had permissions to create or\r\nmodify OAuth applications. The threat actors misused the OAuth applications with high privilege permissions to\r\ndeploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email\r\ncompromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name.\r\nMicrosoft continuously tracks attacks that misuse OAuth applications for a wide range of malicious activity.\r\nThis visibility enhances the detection of malicious OAuth applications via Microsoft Defender for Cloud Apps and\r\nprevents compromised user accounts from accessing resources via Microsoft Defender XDR and Microsoft Entra\r\nIdentity Protection. 
In this blog post, we present cases where threat actors compromised user accounts and\r\nmisused OAuth applications for their financially driven attacks, outline recommendations for organizations to\r\nmitigate such attacks, and provide detailed information on how Microsoft detects related activity:\r\nOAuth applications to deploy VMs for cryptomining\r\nOAuth applications for BEC and phishing\r\nOAuth applications for spamming activity\r\nMitigation steps\r\nDetections for related techniques\r\nHunting guidance\r\nOAuth applications to deploy VMs for cryptomining\r\nMicrosoft observed the threat actor tracked as Storm-1283 using a compromised user account to create an OAuth\r\napplication and deploy VMs for cryptomining. The compromised account allowed Storm-1283 to sign in via\r\nvirtual private network (VPN), create a new single-tenant OAuth application in Microsoft Entra ID named\r\nsimilarly to the Microsoft Entra ID tenant domain name, and add a set of secrets to the application. As the\r\ncompromised account had an ownership role on an Azure subscription, the actor also granted ‘Contributor’ role\r\npermission for the application to one of the active subscriptions using the compromised account.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/\r\nPage 1 of 20\n\nThe actor also leveraged existing line-of-business (LOB) OAuth applications that the compromised user account\r\nhad access to in the tenant by adding an additional set of credentials to those applications. The actor initially\r\ndeployed a small set of VMs in the same compromised subscriptions using one of the existing applications and\r\ninitiated the cryptomining activity. The actor later returned to deploy more VMs using the new\r\napplication. 
Targeted organizations incurred compute fees ranging from 10,000 to 1.5 million USD from the\r\nattacks, depending on the actor’s activity and duration of the attack.\r\nStorm-1283 looked to maintain the setup as long as possible to increase the chance of successful cryptomining\r\nactivity. We assess that, for this reason, the actor used the naming convention\r\n[DOMAINNAME]_[ZONENAME]_[1-9] (the tenant name followed by the region name) for the VMs to avoid\r\nsuspicion.\r\nFigure 1. OAuth application for cryptocurrency mining attack chain\r\nOne of the ways to recognize the behavior of this actor is to monitor VM creation in Azure Resource Manager\r\naudit logs and look for the activity “Microsoft.Compute/virtualMachines/write” performed by an OAuth\r\napplication. While the naming convention used by the actor may change over time, it may still include the domain\r\nname or region names like “east|west|south|north|central|japan|france|australia|canada|korea|uk|poland|brazil”.\r\nMicrosoft Threat Intelligence analysts were able to detect the threat actor’s actions and worked with the Microsoft\r\nEntra team to block the OAuth applications that were part of this attack. Affected organizations were also\r\ninformed of the activity and given recommendations for further action.\r\nOAuth applications for BEC and phishing\r\nIn another attack observed by Microsoft, a threat actor compromised user accounts and created OAuth\r\napplications to maintain persistence and to launch email phishing activity. The threat actor used an adversary-in-the-middle (AiTM) phishing kit to send a significant number of emails with varying subject lines and URLs to\r\ntarget user accounts in multiple organizations. 
In AiTM attacks, threat actors attempt to steal session tokens from\r\ntheir targets by sending phishing emails with a malicious URL that leads to a proxy server that facilitates a\r\ngenuine authentication process.\r\nFigure 2. Snippet of sample phishing email sent by the threat actor\r\nWe observed the following email subjects used in the phishing emails:\r\n\u003cUsername\u003e shared “\u003cUsername\u003e contracts” with you.\r\n\u003cUsername\u003e shared “\u003cUser domain\u003e” with you.\r\nOneDrive: You have received a new document today\r\n\u003cUsername\u003e Mailbox password expiry\r\nMailbox password expiry\r\n\u003cUsername\u003e You have Encrypted message\r\nEncrypted message received\r\nAfter the targets clicked the malicious URL in the email, they were redirected to the Microsoft sign-in page that\r\nwas proxied by the threat actor’s proxy server. The proxy server set up by the threat actor allowed them to steal\r\nthe token from the user’s session cookie. Later, the stolen token was leveraged to perform session cookie replay\r\nactivity. Microsoft was able to confirm during further investigation that the compromised user account was\r\nflagged for risky sign-ins when the account was used to sign in from an unfamiliar location and from an\r\nuncommon user agent.\r\nFor persistence following business email compromise\r\nIn some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user\r\naccount to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web\r\nApplication (OWA) that contain specific keywords such as “payment” and “invoice”. 
This action typically\r\nprecedes financial fraud attacks where the threat actor seeks out financial conversations and attempts to socially\r\nengineer one party to modify payment information to an account under attacker control.\r\nFigure 3. Attack chain for OAuth application misuse following BEC\r\nLater, to maintain persistence and carry out malicious actions, the threat actor created an OAuth application using\r\nthe compromised user account. The actor then operated under the compromised user account session to add new\r\ncredentials to the OAuth application.\r\nFor email phishing activity\r\nIn other cases, instead of performing BEC reconnaissance, the threat actor created multitenant OAuth applications\r\nfollowing the stolen session cookie replay activity. The threat actor used the OAuth applications to maintain\r\npersistence, add new credentials, and then access Microsoft Graph API resources to read emails or send phishing\r\nemails.\r\nFigure 4. Attack chain for OAuth application misuse for phishing\r\nAt the time of analysis, we observed that the threat actor had created around 17,000 multitenant OAuth applications across\r\ndifferent tenants using multiple compromised user accounts. 
The created applications mostly had two different\r\nsets of application metadata properties, such as display name and scope:\r\nMalicious multitenant OAuth applications with the display name set as “oauth” were granted permissions\r\n“user.read; mail.readwrite; email; profile; openid; mail.read; people.read” and access to Microsoft Graph\r\nAPI to read emails.\r\nMalicious multitenant OAuth applications with the display name set as “App” were granted permissions\r\n“user.read; mail.readwrite; email; profile; openid; mail.send” and access to Microsoft Graph API to send\r\nhigh volumes of phishing emails to recipients both inside and outside the organization.\r\nFigure 5. Sample phishing email sent by the malicious OAuth application\r\nIn addition, we observed that the threat actor, before using the OAuth applications to send phishing emails,\r\nleveraged the compromised user accounts to create inbox rules with suspicious rule names like “…” to move\r\nemails to the junk folder and mark them as read. This was done so that the compromised user would not notice that the\r\naccount had been used to send phishing emails.\r\nFigure 6. Inbox rule created by the threat actor using the compromised user account\r\nBased on the email telemetry, we observed that the malicious OAuth applications created by the threat actor sent\r\nmore than 927,000 phishing emails. Microsoft has taken down all the malicious OAuth applications found related\r\nto this campaign, which ran from July to November 2023.\r\nOAuth applications for spamming activity\r\nMicrosoft also observed large-scale spamming activity through OAuth applications by a threat actor tracked as\r\nStorm-1286. 
The actor launched password spraying attacks to compromise user accounts, the majority of which\r\ndid not have multifactor authentication (MFA) enabled. We also observed the user agent BAV2ROPC in the sign-in\r\nactivities related to the compromised accounts, which indicated the use of legacy authentication protocols such as\r\nIMAP and SMTP that do not support MFA.\r\nWe observed the actor using the compromised user accounts to create anywhere from one to three new OAuth\r\napplications in the targeted organization using Azure PowerShell or a Swagger Codegen-based client. The threat\r\nactor then granted consent to the applications using the compromised accounts. These applications were set with\r\npermissions like email, profile, openid, Mail.Send, User.Read and Mail.Read, which allowed the actor to control\r\nthe mailbox and send thousands of emails a day using the compromised user account and the organization domain.\r\nIn some cases, the actor waited for months after the initial access and setting up of OAuth applications before\r\nstarting the spam activity using the applications. The actor also used legitimate domains to avoid phishing and\r\nspamming detectors.\r\nFigure 7. Attack chain for large-scale spam using OAuth applications\r\nIn previous large-scale spam activities, we observed threat actors attempting to compromise admin accounts\r\nwithout MFA and create new LOB applications with high administrative permissions to abuse Microsoft Exchange\r\nOnline and spread spam. 
While the actor’s activity at the time was limited by actions taken by Microsoft Threat\r\nIntelligence, such as blocking clusters of the OAuth applications, Storm-1286 continues to try new ways\r\nto set up a similar large-scale spamming platform in victim organizations by using non-privileged users.\r\nMitigation steps\r\nMicrosoft recommends the following mitigations to reduce the impact of these types of threats.\r\nMitigate credential guessing attack risks\r\nA key step in reducing the attack surface is securing the identity infrastructure. The most common initial access\r\nvector observed in this attack was account compromise through credential stuffing, phishing, and reverse proxy\r\n(AiTM) phishing. In most cases the compromised accounts did not have MFA enabled. Implementing security\r\npractices that strengthen account credentials, such as enabling MFA, dramatically reduces the chance of attack.\r\nEnable conditional access policies\r\nConditional access policies are evaluated and enforced every time the user attempts to sign in. Organizations can\r\nprotect themselves from attacks that leverage stolen credentials by enabling policies for User and Sign-in Risk,\r\ndevice compliance and trusted IP address requirements. 
If your organization has a Microsoft-Managed\r\nConditional Access policy, make sure it is enforced.\r\nEnsure continuous access evaluation is enabled\r\nContinuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks,\r\nsuch as when a user is terminated or moves to an untrusted location.\r\nEnable security defaults\r\nWhile some of the features mentioned above require paid subscriptions, the security defaults in Azure AD, which\r\nare mainly for organizations using the free tier of Azure Active Directory licensing, are sufficient to better protect\r\nthe organizational identity platform, as they provide preconfigured security settings such as MFA, protection for\r\nprivileged activities, and others.\r\nEnable Microsoft Defender automatic attack disruption\r\nMicrosoft Defender automatic attack disruption capabilities minimize lateral movement and curb the overall\r\nimpact of an attack in its initial stages.\r\nAudit apps and consented permissions\r\nAuditing apps and consented permissions in your organization ensures that applications only access necessary data\r\nand adhere to the principle of least privilege. Use Microsoft Defender for Cloud Apps and its app governance\r\nadd-on for expanded visibility into cloud activity in your organization and control over applications that access\r\nyour Microsoft 365 data.\r\nEducate your organization on application permissions and data accessible by applications with respective\r\npermissions to identify malicious apps. 
\r\nEnhance suspicious OAuth application investigation with the recommended approach to investigate and remediate\r\nrisky OAuth apps.\r\nEnable “Review admin consent requests” to force review of new applications in the tenant.\r\nIn addition to the recommendations above, Microsoft has published incident response playbooks for App consent\r\ngrant investigation and compromised and malicious applications investigation that defenders can use to respond\r\nquickly to related threats.\r\nSecure Azure Cloud resources\r\nDeploy MFA to all users, especially for tenant administrators and accounts with Azure VM Contributor privileges.\r\nLimit unused quota and monitor for unusual quota increases in your Azure subscriptions, with an emphasis on the\r\nresource’s originating creation or modification. Monitor for unexpected sign-in activity from IP addresses\r\nassociated with free VPN services on high privilege accounts. Connect the Microsoft Defender for Cloud Apps\r\nconnector to ARM or use Microsoft Defender for ARM.\r\nWith the rise of hybrid work, employees might use their personal or unmanaged devices to access corporate\r\nresources, leading to an increased possibility of token theft. To mitigate this risk, organizations can enhance their\r\nsecurity measures by obtaining complete visibility into their users’ authentication methods and locations. Refer to\r\nthe comprehensive blog post Token tactics: How to prevent, detect, and respond to cloud token theft.\r\nCheck your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with\r\nmalware. Use for enhanced phishing protection and coverage against new threats and polymorphic variants.\r\nConfigure Defender for Office 365 to recheck links upon time of click and delete sent mail in response to newly\r\nacquired threat intelligence. 
Turn on Safe Attachments policies to check attachments in inbound emails.\r\nDetections for related techniques\r\nLeveraging its cross-signal capabilities, Microsoft Defender XDR alerts customers using Microsoft Defender for\r\nOffice 365, Microsoft Defender for Cloud Apps, Application governance add-on, Microsoft Defender for Cloud,\r\nand Microsoft Entra ID Protection to detect the techniques covered in the attack through the attack chain. Each\r\nproduct covers a different aspect of the techniques observed in this attack:\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR detects threat components associated with the following activities:\r\nUser compromised in AiTM phishing attack\r\nUser compromised via a known AiTM phishing kit\r\nBEC financial fraud-related reconnaissance\r\nBEC financial fraud\r\nMicrosoft Defender for Cloud Apps\r\nUsing Microsoft Defender for Cloud Apps connectors for Microsoft 365 and Azure, Microsoft Defender XDR\r\nraises the following alerts:\r\nStolen session cookie was used\r\nActivity from anonymous IP address\r\nActivity from a password-spray associated IP address\r\nUser added or updated a suspicious OAuth app\r\nRisky user created or updated an app that was observed creating a bulk of Azure virtual machines in a short\r\ninterval\r\nRisky user updated an app that accessed email and performed email activity through Graph API\r\nSuspicious creation of OAuth app by compromised user\r\nSuspicious secret addition to OAuth app followed by creation of Azure virtual machines\r\nSuspicious OAuth app creation\r\nSuspicious OAuth app email activity through Graph API\r\nSuspicious OAuth app-related activity by compromised user\r\nSuspicious user signed into a newly created OAuth app\r\nSuspicious addition of OAuth app permissions\r\nSuspicious inbox manipulation rule\r\nImpossible travel activity\r\nMultiple failed login attempts\r\nApp 
governance\r\nApp governance is an add-on to Microsoft Defender for Cloud Apps, which can detect malicious OAuth\r\napplications that perform sensitive Exchange Online administrative activities, along with other threat detection alerts.\r\nActivity related to this campaign triggers the following alerts:\r\nEntra Line-of-Business app initiating an anomalous spike in virtual machine creation\r\nOAuth app with high scope privileges in Microsoft Graph was observed initiating virtual machine creation\r\nSuspicious OAuth app used to send numerous emails\r\nTo receive these alerts, turn on app governance for Microsoft Defender for Cloud Apps.\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 detects threat activity associated with this spamming campaign through the\r\nfollowing email security alerts. Note, however, that these alerts may also be triggered by unrelated threat activity.\r\nWe’re listing them here because we recommend that these alerts be investigated and remediated immediately.\r\nA potentially malicious URL click was detected\r\nA user clicked through to a potentially malicious URL\r\nSuspicious email sending patterns detected\r\nUser restricted from sending email\r\nEmail sending limit exceeded\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for Cloud detects threat components associated with the activities outlined in this article with\r\nthe following alerts:\r\nAzure Resource Manager operation from suspicious proxy IP address\r\nCrypto-mining activity\r\nDigital currency mining activity\r\nSuspicious Azure role assignment detected\r\nSuspicious creation of compute resources detected\r\nSuspicious invocation of a high-risk ‘Execution’ operation by a service principal detected\r\nSuspicious invocation of a high-risk ‘Execution’ operation detected\r\nSuspicious invocation of a 
high-risk ‘Impact’ operation by a service principal detected\r\nMicrosoft Entra Identity Protection\r\nMicrosoft Entra Identity Protection detects the threats described with the following alerts:\r\nAnomalous Token\r\nUnfamiliar sign-in properties\r\nAnonymous IP address\r\nVerified threat actor IP\r\nAtypical travel\r\nHunting guidance\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\r\nOAuth application interacting with Azure workloads\r\nlet OAuthAppId = \"\u003cOAuth App Id in question\u003e\";\r\nCloudAppEvents\r\n| where Timestamp \u003e ago(7d)\r\n| where AccountId == OAuthAppId\r\n| where AccountType == \"Application\"\r\n| extend Azure_Workloads = RawEventData[\"operationName\"]\r\n| distinct Azure_Workloads by AccountId\r\nPassword spray attempts\r\nThis query identifies failed sign-in attempts to Microsoft Exchange Online from multiple IP addresses and\r\nlocations.\r\nIdentityLogonEvents\r\n| where Timestamp \u003e ago(3d)\r\n| where ActionType == \"LogonFailed\" and LogonType == \"OAuth2:Token\" and Application == \"Microsoft Exchange Online\"\r\n| summarize count(), dcount(IPAddress), dcount(CountryCode) by AccountObjectId, AccountDisplayName, bin(Timestamp, 1h)\r\nSuspicious application creation\r\nThis query finds new applications added in your tenant.\r\nCloudAppEvents\r\n| where ActionType in (\"Add application.\", \"Add service principal.\")\r\n| mvexpand modifiedProperties = RawEventData.ModifiedProperties\r\n| where modifiedProperties.Name == \"AppAddress\"\r\n| extend AppAddress = 
tolower(extract('\\\"Address\\\": \\\"(.*)\\\",',1,tostring(modifiedProperties.NewValue)))\r\n| mvexpand ExtendedProperties = RawEventData.ExtendedProperties\r\n| where ExtendedProperties.Name == \"additionalDetails\"\r\n| extend OAuthApplicationId = tolower(extract('\\\"AppId\\\":\\\"(.*)\\\"',1,tostring(ExtendedProperties.Value)))\r\n| project Timestamp, ReportId, AccountObjectId, Application, ApplicationId, OAuthApplicationId, AppAddress\r\nSuspicious email events\r\nNOTE: These queries need to be updated with timestamps related to application creation time before running.\r\n//Identify High Outbound Email Sender\r\nEmailEvents\r\n| where Timestamp between (\u003cstart\u003e .. \u003cend\u003e) //Timestamp from the app creation time to a few hours, up to 24 hours or more\r\n| where EmailDirection in (\"Outbound\")\r\n| project\r\nRecipientEmailAddress,\r\nSenderFromAddress,\r\nSenderMailFromAddress,\r\nSenderObjectId,\r\nNetworkMessageId\r\n| summarize\r\nRecipientCount = dcount(RecipientEmailAddress),\r\nUniqueEmailSentCount = dcount(NetworkMessageId)\r\nby SenderFromAddress, SenderMailFromAddress, SenderObjectId\r\n| sort by UniqueEmailSentCount desc\r\n//| where UniqueEmailSentCount \u003e \u003cthreshold\u003e //Optional, return only if the sender sent more than the threshold\r\n//| take 100 //Optional, return only top 100\r\n//Identify Suspicious Outbound Email Sender\r\nEmailEvents\r\n//| where Timestamp between (\u003cstart\u003e .. 
\u003cend\u003e) //Timestamp from the app creation time to a few hours, up to 24 hours or more\r\n| where EmailDirection in (\"Outbound\")\r\n| project\r\nRecipientEmailAddress,\r\nSenderFromAddress,\r\nSenderMailFromAddress,\r\nSenderObjectId,\r\nDetectionMethods,\r\nNetworkMessageId\r\n| summarize\r\nRecipientCount = dcount(RecipientEmailAddress),\r\nUniqueEmailSentCount = dcount(NetworkMessageId),\r\nSuspiciousEmailCount = dcountif(NetworkMessageId,isnotempty(DetectionMethods))\r\nby SenderFromAddress, SenderMailFromAddress, SenderObjectId\r\n| extend SuspiciousEmailPercentage = SuspiciousEmailCount/UniqueEmailSentCount * 100 //Calculate the percentage of suspicious email compared to all email sent\r\n| sort by SuspiciousEmailPercentage desc\r\n//| where SuspiciousEmailPercentage \u003e \u003cthreshold\u003e //Optional, return only if the sender’s suspicious email percentage is more than the threshold\r\n//| take 100 //Optional, return only top 100\r\n//Identify Recent Emails Sent by Restricted Email Sender\r\nAlertEvidence\r\n| where Title has \"User restricted from sending email\"\r\n| project AccountObjectId //Identify the users who are restricted from sending email\r\n| join EmailEvents on $left.AccountObjectId == $right.SenderObjectId //Join information from Alert Evidence and Email Events\r\n| project\r\nTimestamp,\r\nRecipientEmailAddress,\r\nSenderFromAddress,\r\nSenderMailFromAddress,\r\nSenderObjectId,\r\nSenderIPv4,\r\nSubject,\r\nUrlCount,\r\nAttachmentCount,\r\nDetectionMethods,\r\nAuthenticationDetails,\r\nNetworkMessageId\r\n| sort by Timestamp desc\r\n//| take 100 //Optional, return only first 100\r\nBEC recon and OAuth application activity\r\n//High and Medium risk SignIn 
activity\r\nAADSignInEventsBeta\r\n| where Timestamp \u003e ago(7d)\r\n| where ErrorCode == 0\r\n| where RiskLevelDuringSignIn \u003e= 50\r\n| project\r\nAccountUpn,\r\nAccountObjectId,\r\nSessionId,\r\nRiskLevelDuringSignIn,\r\nApplicationId,\r\nApplication\r\n//OAuth application creation or modification by a user who has suspicious sign-in activities\r\nAADSignInEventsBeta\r\n| where Timestamp \u003e ago(7d)\r\n| where ErrorCode == 0\r\n| where RiskLevelDuringSignIn \u003e= 50\r\n| project SignInTime=AccountUpn, AccountObjectId, SessionId, RiskLevelDuringSignIn, ApplicationId, Application\r\n| join kind=leftouter (CloudAppEvents | where Timestamp \u003e ago(7d)\r\n| where ActionType in (\"Add application.\", \"Update application.\", \"Update application – Certificates and secrets management \")\r\n| extend appId = tostring(parse_json(RawEventData.Target[4].ID))\r\n| project\r\nTimestamp,\r\nActionType,\r\nApplication,\r\nApplicationId,\r\nUserAgent,\r\nISP,\r\nAccountObjectId,\r\nAppName=ObjectName,\r\nOauthApplicationId=appId,\r\nRawEventData ) on AccountObjectId\r\n| where isnotempty(ActionType)\r\n//Suspicious BEC reconnaissance activity\r\nlet bec_keywords = pack_array(\"payment\", \"receipt\", \"invoice\", \"inventory\");\r\nlet reconEvents =\r\nCloudAppEvents\r\n| where Timestamp \u003e ago(7d)\r\n| where ActionType in (\"MailItemsAccessed\", \"Update\")\r\n| where AccountObjectId in (\"\u003cimpacted AccountObjectId\u003e\")\r\n| extend SessionId = tostring(parse_json(RawEventData.SessionId))\r\n| project\r\nTimestamp,\r\nActionType,\r\nAccountObjectId,\r\nUserAgent,\r\nISP,\r\nIPAddress,\r\nSessionId,\r\nRawEventData;\r\nreconEvents;\r\nlet 
updateActions = reconEvents\r\n| where ActionType == \"Update\"\r\n| extend Subject=tostring(RawEventData[\"Item\"].Subject)\r\n| where isnotempty(Subject)\r\n| where Subject has_any (bec_keywords)\r\n| summarize UpdateCount=count() by bin (Timestamp, 15m), Subject, AccountObjectId, SessionId, IPAddress;\r\nupdateActions;\r\nlet mailItemsAccessedActions = reconEvents\r\n| where ActionType == \"MailItemsAccessed\"\r\n| extend OperationCount = toint(RawEventData[\"OperationCount\"])\r\n| summarize TotalCount = sum(OperationCount) by bin (Timestamp, 15m), AccountObjectId, SessionId, IPAddress;\r\nmailItemsAccessedActions;\r\n//SignIn to newly created app within Risky Session\r\nAADSignInEventsBeta\r\n| where Timestamp \u003e ago(7d)\r\n| where AccountObjectId in (\"\u003cimpacted AccountObjectId\u003e\") and\r\nSessionId in (\"\u003crisky session id\u003e\")\r\n| where ApplicationId in (\"\u003cOAuth AppId\u003e\") // Recently added or modified App Id\r\n| project\r\nAccountUpn,\r\nAccountObjectId,\r\nApplicationId,\r\nApplication,\r\nSessionId,\r\nRiskLevelDuringSignIn,\r\nRiskLevelAggregated,\r\nCountry\r\n// To check suspicious Mailbox rules\r\nCloudAppEvents\r\n| where Timestamp between (start .. 
end) //Timestamp from the app creation time to a few hours later, usually before spam emails are sent\r\n| where AccountObjectId in (\"\u003cimpacted AccountObjectId\u003e\")\r\n| where Application == \"Microsoft Exchange Online\"\r\n| where ActionType in (\"New-InboxRule\", \"Set-InboxRule\", \"Set-Mailbox\", \"Set-TransportRule\", \"New-TransportRule\", \"Enable-InboxRule\", \"UpdateInboxRules\")\r\n| where isnotempty(IPAddress)\r\n| mvexpand ActivityObjects\r\n| extend name = parse_json(ActivityObjects).Name\r\n| extend value = parse_json(ActivityObjects).Value\r\n| where name == \"Name\"\r\n| extend RuleName = value\r\n| project Timestamp, ReportId, ActionType, AccountObjectId, IPAddress, ISP, RuleName\r\n// To check any suspicious Url clicks from emails before risky signin by the user\r\nUrlClickEvents\r\n| where Timestamp between (start .. end) //Timestamp around time proximity of Risky signin by user\r\n| where AccountUpn has \"\u003cimpacted user’s UPN or email address\u003e\" and ActionType has \"ClickAllowed\"\r\n| project Timestamp,Url,NetworkMessageId\r\n// To fetch the suspicious email details\r\nEmailEvents\r\n| where Timestamp between (start .. end) //Timestamp lookback to be increased gradually to find the email received\r\n| where EmailDirection has \"Inbound\"\r\n| where RecipientEmailAddress has \"\u003cimpacted user’s UPN or email address\u003e\" and\r\nNetworkMessageId == \"\u003cNetworkMessageId from UrlClickEvents\u003e\"\r\n| project SenderFromAddress,SenderMailFromAddress,SenderIPv4,SenderFromDomain,\r\nSubject,UrlCount,AttachmentCount\r\n// To check if suspicious emails sent for spamming (with similar email subjects, urls etc.)\r\nEmailEvents\r\n| where Timestamp between (start .. 
end) //Timestamp from the app creation time to a few hours later, up to 24\r\nhours or more\r\n| where EmailDirection in (\"Outbound\",\"Intra-org\")\r\n| where SenderFromAddress has \"\u003cimpacted user’s UPN or email address\u003e\" or\r\nSenderMailFromAddress has \"\u003cimpacted user’s UPN or email address\u003e\"\r\n| project RecipientEmailAddress,RecipientObjectId,SenderIPv4,SenderFromDomain,\r\nSubject,UrlCount,AttachmentCount,NetworkMessageId\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nAnalytic rules:\r\nPhishing Link Execution Observed\r\nPossible AiTM Phishing Attempt Against AAD\r\nSuccessful Signins from a Phishing Link\r\nSignin Password Spray\r\nMalicious Inbox Rule\r\nBEC Mailbox Rule\r\nHunting queries:\r\nOpen Email Link\r\nCreation of an anomalous number of resources\r\nCreation of expensive computes in Azure\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn\r\nat https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/"
	],
	"report_names": [
		"threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "406a841e-de4d-4f25-a970-c75c265194b9",
			"created_at": "2024-02-02T02:00:04.073194Z",
			"updated_at": "2026-04-10T02:00:03.550635Z",
			"deleted_at": null,
			"main_name": "Storm-1286",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1286",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5974be21-9fbe-4ce8-aea2-f08f4fa65427",
			"created_at": "2023-12-21T02:00:06.088086Z",
			"updated_at": "2026-04-10T02:00:03.500272Z",
			"deleted_at": null,
			"main_name": "Storm-1283",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1283",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa8ad1c038dac521a1b267ae007329e21bdf9a76.pdf",
		"text": "https://archive.orkl.eu/fa8ad1c038dac521a1b267ae007329e21bdf9a76.txt",
		"img": "https://archive.orkl.eu/fa8ad1c038dac521a1b267ae007329e21bdf9a76.jpg"
	}
}