December 13, 2023 •Sander Berkouwer
Before Multi-Factor Authentication (MFA) existed, user credentials were cracked, stolen, intercepted, eavesdropped upon or phished. Valid user credentials could also be a part of leaked credentials sets as people re-use passwords everywhere, and we live in a world where our email addresses are the most user-friendly globally unique identifiers we have.
What an attacker does after just one person’s account and mailbox is accessed differs between attackers. Some attackers sell off their access, others wreak havoc, siphon off data or compromise email threads for financial gain. In most situations, attackers look for clever ways to persist in their victim’s infrastructure.
Microsoft helps organizations with recommendations, guidance, and tools like the Secure Score, but one area is still overlooked: application registrations. This method of compromise is fairly effective, which prompted Microsoft this week to warn organizations of this tactic.
What Microsoft detected
In short, Microsoft’s Threat Intelligence division observes attacks where after initial access, the credentials are used to consent to permissions for nefarious applications. These applications then deploy virtual machines for cryptocurrency mining, compromising business email and launching spam campaigns using their victim’s resources and domain names.
These applications are programmed multi-tenant applications. They typically live in the Entra ID tenant of the attacker. When consented to, these applications create a copy of the application registration in the attacker’s tenant and in the victim’s tenant. From there, attackers can perform any action that the application registration is consented to. Permissions like mail.readwrite, mail.send can then be used to communicate as the victim. Permissions like people.read can be used by attackers to potentially gain the privileges of more privileged accounts.
Microsoft also provided an important metric with their warning: when Microsoft detected the attack pattern, the group labeled as Storm-1283 already had their malicious applications deployed to 17,000 Entra tenants…
Microsoft recommended practices
Microsoft provides advice on how to combat this tactic:
- Enable Conditional Access policies to block attacks that leverage stolen credentials.
- Enable Continuous Access Evaluation (CAE) to automatically revoke user access based on risk triggers.
- Enable Entra ID security defaults to ensure multi-factor authentication (MFA) is enabled and privileged activities are protected.
As a 15-time Microsoft Most Valuable Professional (MVP) in Directory Services, Enterprise Mobility, Security and Windows and Devices, I have an additional piece of advice and this can be performed by any identity admin, regardless of their Entra ID tenant’s licenses.
All tenants that are being compromised have one thing in common: they all use default consent settings, that allow users and group owners to consent to any app.
I highly encourage identity admins to implement these changes, but I also feel Microsoft omitted one big change that strikes the attackers where it hurts most.
Change the user consent setting
My advice is to change this setting from its default Allow user consent for apps (older tenants) or Allow user consent for apps from verified publishers for selected permissions (Recommended) to Do now allow user consent. This way, compromised user accounts without privileged roles are unable to consent to any app, including malicious apps.
I agree it is a tough decision to make, but the two settings other than Do not allow user consent allow for user access that in the past has already led to compromise.
Follow these steps to change the user consent setting:
- When the Privileged Identity Management (PIM) feature is enabled and admin privileges can be requested, request these privileges before performing the following steps.
- Sign into the Entra portal.
- In the left navigation pane, click Applications to expand it.
- Click Enterprise applications. This opens the All applications pane with the applications sub navigation pane.
- In the sub navigation pane, click Consent and permissions. This opens the User consent settings pane:
Figure 1: The User consent settings pane
- Under User consent for applications select the Do not allow user consent radio option.
- At the top of the User consent settings pane, click Save.
Change the group owner consent setting
To root out group owner permissions to consent to apps accessing data, the Do now allow group owner consent is the best choice in terms of security.
Follow these steps to change the group owner consent setting:
- When the Privileged Identity Management (PIM) feature is enabled and admin privileges can be requested, request these privileges before performing the following steps.
- Sign into the Entra portal.
- In the left navigation pane, click Applications to expand it.
- Click Enterprise applications. This opens the All applications pane with the applications sub navigation pane.
- In the sub navigation pane, click Consent and permissions. This opens the User consent settings
- Under Group owner consent for apps accessing data select the Do not allow group owner consent radio option.
- At the top of the User consent settings pane, click Save.
Enable the admin consent workflow
Obviously, end-users in your organization could be severely impacted when trying to access legitimate apps but are unable to consent to them. Therefore, the admin consent workflow can be enabled.
Follow these steps to enable the admin consent workflow:
- When the Privileged Identity Management (PIM) feature is enabled and admin privileges can be requested, request these privileges before performing the following steps.
- Sign into the Entra portal.
- In the left navigation pane, click Applications to expand it.
- Click Enterprise applications. This opens the All applications pane with the applications sub navigation pane.
- In the sub navigation pane, click Admin consent settings. This opens the Admin consent settings
- Change the Users can request admin consent to apps they are unable to consent to option from No to Yes.
- Under Who can review admin consent requests, select at least one user, group or privileged role to assign consent privileged and to send notifications of new admin consent requests (default setting):
Figure 2: The Admin consent settings pane
- At the top of the Admin consent settings pane, click Save.
Concluding
Application Governance is an area that is still unfamiliar to many identity admins. Yet, applications and their application registrations hold the keys to the proverbial kingdom.
Together with ENow Software, I have spent the last year developing a free web-based solution: ENow’s App Governance Score identifies your tenant settings in terms of applications and provides guidance on remediating any app-related problems in your Entra tenant.
Does your Entra ID tenant follow Microsoft-recommended security practices? Sign up to get your score and assessment report in just a few minutes - get your AppGov Score now!
Written by Sander Berkouwer
Sander's qualities extend beyond the typical triple-A stories in the area of Identity and Access Management. Of course, authentication, authorization and auditing are necessities but my out of the box solutions get the most out of software, hardware and the cloud. Rapid technological advancements have resulted in cutting-edge solutions around Active Directory, Azure Active Directory and Identity Management. Keeping up with these is just a small challenge, compared to my true goal: helping people use the technology on a daily basis. In a way that ICT is not a mere hurdle, but an infinite enabler. His work as a consultant, blogger and trainer are all means to achieve this goal. His multiple Microsoft Most Valuable Professional (MVP) status, Veeam Vanguard status and extensive certification aids him. Through direct communications with the product teams in Redmond, he remains up to date, exchanges feedback and accelerates support. Sander is also a Virtual Product Owner for AppGov and ENow.