Forum Discussion
User app registration - exploitable for BEC?
Hello. Recently dealt with a case of BEC. I'm not trained in forensics, but doing my best. Appears the hacker used an application called eM Client for their attack, getting access to a user's mailbox and hijacking a thread.
I can see the login from two weeks ago (the incident was only noticed a couple days ago, however) - from a European country that SHOULD have been blocked by Conditional Access. Come to find out, the tenant conditional access was unassigned from everyone. We're not sure how - we re-enabled it, and audited changes, but the only change that appears was us re-enabling it. Which I thought indicates it was never configured right, except we've got a ticket documenting a change to Conditional Access a couple days after the hack that ALSO does not appear in the logs. So... it's likely it was changed, yet I have no record of that change (atleast, not through Entra > Monitoring > Auditing). If anyone knows any other ways of checking this, please advise - but I can't seem to even access our Diagnostic settings, the page tells me I need an Azure Active Directory subscription (I'm on Entra ID P1, which includes AAD.... this might be related to being global admin, and not Security Admin - we don't use that role in this relationship)
ANYWAY, my amateur forensic skills have found that the attacker used an app called eM Client to get access. I'm not sure yet how they obtained the password, and got past MFA... But quick research shows this application (esp it's pro version) is known for use in BEC. The app was registered in Entra, and granted certain read permissions in Entra ID for shared mailboxes, presumably to find a decent thread to hijack. I'm not 100% sure yet there was any actual exploit done using this app, but it's popularity amongst hackers implies it does SOMETHING useful (i think remember that it authenticates using Exchange Web Services instead of Exchange Online, or something similar? Will update when I have the chance to check). We're in the process of improving our Secure Score, and this incident makes me think user's ability to register apps should be locked down. Checked Secure Score for this, and while there ARE recommendations around apps, disabling user app registration is NOT one of them.
Just curious about people's thoughts. I just barely understand App Registration in Entra, but if this is a known attack vector, I would think disabling app registration would be a security recommendation?
Hi underQualifried ,
You've already identified the key elements based on your description. To store your sign-in logs, audit logs, and other data, you'll need to write them to a Log Analytics workspace, which functions similarly to a database. From your error, it seems you don't have an Azure subscription yet. An Azure subscription is required to create and manage Azure resources like virtual machines, Logic Apps, or App Services. These resources need to be associated with a subscription so Microsoft can handle billing.
No worries—setting up a Log Analytics workspace isn't costly, and it's definitely worth it for its robust investigation and monitoring capabilities.
For example, I usually retain the following logs for about six months for thorough analysis and tracking:
- SignInLogs
- AuditLogs
- NonInteractiveUserSignInLogs
- ServicePrincipalSignInLogs
- ManagedIdentitySignInLogs
- EnrichedOffice365AuditLog
- MicrosoftGraphActivityLogs
If you want to see more evidence who changes your CA policies based on these log you could try the queries in this repo: LouisMastelinck/Monitor-security-policy-changes-or-admin-activities
An essential part of your forensics process will involve determining what actions this Enterprise Application performed. Depending on your licenses and whether you're tracking Office activity, you can use the following KQL query in Security.microsoft.com > Advanced Hunting:CloudAppEvents
| where OAuthAppId == "" // Insert the App ID of the EIM client
| where ActionType == "MailItemsAccessed" // Look for the app accessing mail items, this can all other activities
| summarize RequestCount = count() by bin(Timestamp, 1d)
| order by Timestamp
| render timechart
This query will generate a chart showing how many emails the app accessed over time. If the app sent emails, you'll need to change the ActionType.Another useful query to see which emails were accessed is:
CloudAppEvents
| where OAuthAppId == "this should be the app id of your eM Client"
| where ActionType == "MailItemsAccessed"
| extend AffectedMailbox = tostring(RawEventData.UserId)
| project-reorder AffectedMailboxRoot Cause
The root cause of your Business Email Compromise (BEC) seems to be application consent granted by end users, allowing external applications to access their accounts and data. The two blog posts by Matthew Levy are excellent resources for understanding how to prevent this.Hi Louis, thanks so much for the detailed write-up! On further investigation and some collaborative forensics, we've built a pretty solid timeline. Will be checking those posts and implementing a policy going forward. Can you elaborate a bit on the Azure subscription though? We have Entra P1 (and now, P2) - and as I understood it, "Entra" was just the new name for Azure, and the Azure subscription is included within? Based on the docs, I'm wondering if the issue is that I'm global admin - and NOT security admin... Have seen other instances where this caused issues, like in Lighthouse. Can you advise - are you using a global admin, or security admin role? Do you have an Entra subscription, and a separate Azure subscription? MS licensing is... tough.
Hi Hi underQualifried,
I'm glad you were able to conduct your investigation. Let me help clarify some points to help you better understand the difference between an Azure Subscription and Entra ID.
Entra ID (formerly Azure AD):
Simply put, when you create a cloud tenant with Microsoft, you automatically get an Entra ID instance. Entra ID is where you manage how users and applications authenticate to cloud applications. It handles things like MFA, conditional access, app registrations, user and guest accounts, groups, and more.Azure Subscription:
Within your tenant you can have an Azure Subscription. This subscription is needed as it used by Microsoft to bill for you Azure resources you place on that subscription.
For example: If you create a virtual machine, this Azure resource will be placed on a Azure Subscription that exists inside of your tenant. Every month Microsoft will look how much resources you have, if you had them powered on or not, how much data you used,...
You might have an Azure subscription within your tenant, but it's possible that you don't have any privileges or access to it.
Permisisons wise: Entra ID & Azure subscription have each different permissions set. Meaning a security admin in Entra ID has no permissions on a Azure subscription or resource.
Maybe this page helps you more than my own 'simple' explanation: Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings - Microsoft 365 Enterprise | Microsoft LearnWhy did I mention both Entra ID and Azure Subscription together?
The sign-in logs, audit logs, and other logs from Entra ID are only retained for 30 days in Entra ID. While it's possible to perform investigations through the portal, I recommend ingesting these logs into a Log Analytics workspace, which is a resource created within your Azure subscription. This approach allows you to decide how long to keep your logs and enables you to use KQL for analysis. This is beneficial not only for incident response and forensics but also for rolling out Conditional Access policies, creating workbooks, or meeting compliance requirements, especially when you need access to logs older than one month.
Hi underQualifried
Firstly, well done on what you have done so far in your investigations, it's not easy and as an Admin, you have to embark on a massive learning journey to understand what is possible in Entra ID before you can understand the risks and how to mitigate them.With that said, you do most definitely want to restrict what standard users can do with regards to application registrations, and consenting to permissions for enterprise apps that request access. Some admins go so far as to block user consent altogether as well as blocking app registration.
Because this is a common concern for Microsoft 365 tenant admins at the moment due to recent attacks like Midnight Blizzard, I wrote a two-part blog to help admins that are not app developers understand the risks and I made some recommendations. Check it out:
Part 1: Entra ID Application consent - what identity admins need to knowPart 2: Entra ID Application consent - recommendations
Hope this helps
Matt
Thanks so much Matt, very helpful. When things calm down a bit, I will be sure to read (esp as the user above recommended your posts!)
Yes, you should disable App registrations, regular user have no need for this functionality. And you should also restrict consent to third-party apps, the steps on that are here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal
I'd even argue that you should block consent altogether, but that depends on how much third-party apps are in use in your tenant. Regardless, app registrations should be disabled.
Great, thank you Vasil, I have locked down for now until I can get a bit more of an understanding.
