
M365 Security Incident Response

Detecting and remediating a malicious OAuth application compromise

Detection Time: < 2 hours

Accounts Secured: 150+

Data Exposure: Prevented

The Problem

A user reported unusual activity in their Microsoft 365 account, including emails they didn't send and calendar invites they didn't create. Initial investigation revealed a malicious OAuth application had been granted access to the tenant.

Key Challenges

  • The malicious app had been granted broad delegated permissions, including Mail.ReadWrite and Calendars.ReadWrite, so it could read, send and modify mail and calendar items as each consenting user
  • Multiple users had unknowingly consented to the application
  • The attacker was using that access to send phishing emails from legitimate accounts
  • Standard MFA was in place but did not prevent the attack: each user completed MFA themselves and then granted the app its own tokens, so the attacker never needed a password or an MFA prompt

Business Impact: Potential data exfiltration, reputational damage from phishing emails sent from legitimate accounts, and compliance concerns around unauthorized data access.

The Solution

Implemented a rapid incident response following the NIST incident handling lifecycle (SP 800-61), focusing on containment first, then eradication, and finally recovery with improved controls.

Implementation Steps

  1. Identified all compromised accounts from Azure AD sign-in and audit logs ("Consent to application" events for the app)
  2. Revoked the malicious application's permission grants, which invalidates its refresh tokens (access tokens already issued expire on their own, typically within an hour)
  3. Reset credentials and revoked sign-in sessions for affected users
  4. Disabled the malicious application's service principal so it could no longer obtain tokens in the tenant
  5. Restricted user app consent in Azure AD (user consent settings plus the admin consent workflow) and tightened Conditional Access policies
  6. Deployed Microsoft Defender for Cloud Apps for ongoing OAuth app monitoring
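Steps 1 to 4 above, as an added PowerShell example using the Microsoft Graph PowerShell SDK. This is not the script from the original response: the app ID is a placeholder, the scope list is one engineer's choice of high-risk delegated permissions, and the regex assumes the free-text layout of the audit event's ConsentAction.Permissions value. Without -Contain the script only reports.

```powershell
<#
Added example, not the original case study's script: triage and containment of a
malicious OAuth application with the Microsoft Graph PowerShell SDK.
Assumptions: the Microsoft.Graph module is installed, the caller holds a role that
can read audit logs and manage service principals, and $AppId is the attacker
app's client ID (a placeholder when you run this). Without -Contain: report only.
#>
param(
    [Parameter(Mandatory)][string]$AppId,
    [int]$LookbackDays = 30,
    [switch]$Contain
)

# Delegated scopes that let an app read or send as the user, or keep access via
# refresh tokens; a grant containing any of them is treated as high risk.
$HighRiskScopes = @('Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                    'Calendars.ReadWrite', 'Files.ReadWrite.All', 'offline_access')

function Get-ConsentScopes {
    # "Consent to application" audit events carry the granted scopes as text in the
    # ConsentAction.Permissions property, e.g. (assumed layout)
    # "[] => [[Id: ..., ClientId: ..., Scope: Mail.ReadWrite offline_access, ...]]"
    param($AuditRecord)
    $prop = $AuditRecord.TargetResources.ModifiedProperties |
        Where-Object DisplayName -eq 'ConsentAction.Permissions'
    if ($prop -and $prop.NewValue -match 'Scope"?:\s*"?([^,\]"]+)') {
        return @($Matches[1].Trim() -split '\s+')
    }
    return @()
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All',
    'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome

# The service principal is the tenant-side object that the grants hang off.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal with appId $AppId in this tenant" }

# Step 1: who consented, and to what. Audit retention is limited (30 days by
# default), so the live grants below are the authoritative list.
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    Where-Object { $_.TargetResources.Id -contains $sp.Id }

$report = foreach ($e in $events) {
    $scopes = Get-ConsentScopes $e
    [pscustomobject]@{
        When     = $e.ActivityDateTime
        User     = $e.InitiatedBy.User.UserPrincipalName
        Scopes   = $scopes -join ' '
        HighRisk = [bool]($scopes | Where-Object { $_ -in $HighRiskScopes })
    }
}

# ConsentType 'Principal' is a per-user grant; 'AllPrincipals' means an admin
# consented on behalf of every user in the tenant.
$grants  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$grants  = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
$userIds = @($grants | Where-Object ConsentType -eq 'Principal' | Select-Object -ExpandProperty PrincipalId)
$userIds += @($events | ForEach-Object { $_.InitiatedBy.User.Id } | Where-Object { $_ })
$userIds = @($userIds | Sort-Object -Unique)

$report | Sort-Object When | Format-Table -AutoSize
"App '{0}' ({1}): {2} delegated grants, {3} distinct users" -f $sp.DisplayName, $sp.Id, $grants.Count, $userIds.Count

if (-not $Contain) { return }

# Step 2: remove the grants (delegated and application). This invalidates the
# app's refresh tokens; access tokens already issued live until they expire
# (about an hour), which is why the app is disabled and sessions revoked too.
foreach ($g in $grants) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id }
foreach ($a in @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
}
# Step 4: a disabled service principal cannot obtain new tokens in this tenant.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
# Step 3: force re-authentication for every affected user (refresh tokens and
# browser sessions); password resets follow once each account has been reviewed.
foreach ($id in $userIds) { Revoke-MgUserSignInSession -UserId $id | Out-Null }
```

Run it first without -Contain to get the consent timeline and the live grant list, then re-run with -Contain once the app ID is confirmed. Revoking grants alone is not enough: an access token minted minutes before the revocation keeps working until it expires, so disabling the service principal and revoking user sessions closes that window.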

Technologies Used

Azure AD, Microsoft Defender for Cloud Apps, Microsoft Graph API, PowerShell, Conditional Access

The Outcome

Results Achieved

  • Contained the incident within 2 hours of detection
  • No confirmed data exfiltration occurred
  • Implemented app consent workflow requiring admin approval
  • Deployed automated alerting for suspicious OAuth grants
  • Created incident response runbook for future OAuth-related incidents
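The consent restriction and admin approval workflow from the results above (step 5 of the implementation), as an added PowerShell example with the Microsoft Graph PowerShell SDK. It is not the original team's configuration script; the reviewer UPN and the 30-day request window are placeholders, and the policy IDs are the built-in Azure AD permission grant policies.

```powershell
<#
Added example, not from the original case study: tighten the tenant's app
consent settings and enable the admin consent workflow, then read both back.
Assumptions: Microsoft.Graph is installed, the caller can modify authorization
and consent request policies, and $ReviewerUpn (a placeholder) is the admin who
will approve consent requests.
#>
param([Parameter(Mandatory)][string]$ReviewerUpn)

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest',
    'User.Read.All' -NoWelcome

# Weak (default) setting: 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'
# lets any user consent to any app for any delegated permission. That is exactly
# what a consent-phishing app depends on.
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"Before: $($before -join ', ')"

# Corrected setting: users may only consent to apps from verified publishers (or
# apps registered in this tenant) that ask for low-impact permissions. Anything
# else is blocked at the prompt. To disable user consent entirely, assign an
# empty array instead of the '-low' policy.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    }
}

# Admin consent workflow: a blocked prompt offers "request approval" instead of
# a dead end, reviewers are notified, and stale requests expire after 30 days.
$reviewer = Get-MgUser -UserId $ReviewerUpn
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' })
}

# Read back both settings so the change is verified, not assumed.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"After:  $($after -join ', ')"
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays
```

Existing grants are not touched by this change; it only governs future consent prompts, so it belongs in recovery after the containment steps, and a periodic review of Enterprise applications and their granted permissions is still needed.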

Lessons Learned

  • MFA alone doesn't prevent OAuth consent attacks - app governance is essential
  • Regular review of enterprise applications and their permissions is critical
  • User education on recognizing malicious consent prompts reduces risk
  • Having pre-built PowerShell scripts for investigation accelerates response

Related Topics: Microsoft 365, Incident Response, OAuth, Security