ChatGPT in your inbox? Investigating Entra apps that request unexpected permissions

Source: The Red Canary Blog: Information Security Insights

Author: Matt Graeber

URL: https://redcanary.com/blog/threat-detection/entra-id-oauth-attacks/

ONE SENTENCE SUMMARY:

Red Canary walks through a hypothetical Entra ID OAuth consent scenario in which a user grants the ChatGPT application access to their Microsoft Graph mailbox, outlining the investigative questions to ask, the AuditLogs events to correlate, and remediation strategies.

MAIN POINTS:

  1. Threat research pivots from observed OAuth attacks to anticipate evolving adversary techniques.
  2. In the hypothetical Entra ID scenario, a user consents to the ChatGPT application, which thereby obtains Microsoft Graph access to the user's email.
  3. A non-admin user consented to Mail.Read, offline_access, profile, and openid permissions.
  4. The consent event records a precise timestamp, tenant ID, user, application and service principal IDs, and the source IP of the consenting session.
  5. ChatGPT service principal matched the legitimate OpenAI application, not an impersonator.
  6. Mail.Read is called out as a frequently abused permission that should prompt investigation on its own.
  7. Investigation aims to confirm user intent and possible coercion into granting consent.
  8. Authorization questions assess whether email-reading access is appropriate for the app.
  9. Tenant governance concerns include whether the application is sanctioned internally.
  10. Two Log Analytics AuditLogs events, “Consent to application” and “Add service principal,” must be pulled and correlated (via their shared CorrelationId) to reconstruct what happened.

TAKEAWAYS:

  1. Treat high-impact OAuth permissions like Mail.Read as investigation triggers even for known apps.
  2. Validate application authenticity and publisher identity to detect lookalike OAuth abuse.
  3. Determine user intent and potential social engineering behind non-admin consent actions.
  4. Use CorrelationId to link consent events with service principal creation for complete timelines.
  5. Enforce tenant sanctioning and approval workflows to reduce risky third-party OAuth access.
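
The correlation that main point 10 and takeaway 4 describe, as an added example (not code from the Red Canary post): the script joins “Consent to application” rows to “Add service principal” rows on CorrelationId, pulls the granted scopes out of the ConsentAction.Permissions value, and flags any consent that includes Mail.Read even when the app is a well-known one. The rows are constructed to imitate a simplified Log Analytics AuditLogs shape; every GUID, user, IP, app name and timestamp is a placeholder (the real OpenAI app ID is deliberately not reproduced), and the helper names are this example's own.

```python
"""Correlate Entra ID "Consent to application" and "Add service principal" AuditLogs rows.
Added example, not code from the Red Canary post. Rows imitate a simplified Log Analytics
AuditLogs shape (OperationName, CorrelationId, InitiatedBy, TargetResources.modifiedProperties);
every GUID, name, IP and timestamp is a constructed placeholder, not real data or the real OpenAI app ID.
"""
import re
from typing import Optional

# The permission the post singles out as an investigation trigger; extend to taste.
HIGH_IMPACT_SCOPES = {"Mail.Read"}

# Constructed placeholder identifiers.
CORR_A = "a1a1a1a1-0000-4000-8000-000000000001"
CORR_B = "b2b2b2b2-0000-4000-8000-000000000002"
CORR_C = "c3c3c3c3-0000-4000-8000-000000000003"
SP_CHATGPT = "11111111-2222-4333-8444-555555555555"  # placeholder, not the real app/SP ID
SP_EXPENSE = "66666666-7777-4888-8999-000000000000"

def _row(ts, op, corr, upn, ip, app_name, sp_id, props=None):
    """Build one AuditLogs-shaped row (constructed, simplified schema)."""
    return {
        "TimeGenerated": ts, "OperationName": op, "Result": "success", "CorrelationId": corr,
        "InitiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
        "TargetResources": [{
            "type": "ServicePrincipal", "displayName": app_name, "id": sp_id,
            "modifiedProperties": [{"displayName": k, "newValue": v} for k, v in (props or [])],
        }],
    }

def _consent_props(scope, client_id, admin="False"):
    """modifiedProperties for a consent row; the Permissions value mimics Entra's text format."""
    return [
        ("ConsentContext.IsAdminConsent", admin),
        ("ConsentAction.Permissions",
         f"[] -> [[Id: grant-1, ClientId: {client_id}, ConsentType: Principal, "
         f"Scope: {scope}, CreatedDateTime: 2024-01-01T12:00:00Z]]"),
    ]

SAMPLE_AUDIT_LOGS = [
    # Flow A: a non-admin user adds the ChatGPT SP and consents to mail access in one go.
    _row("2024-01-01T12:00:01Z", "Add service principal", CORR_A,
         "alice@example.test", "203.0.113.10", "ChatGPT", SP_CHATGPT),
    _row("2024-01-01T12:00:02Z", "Consent to application", CORR_A,
         "alice@example.test", "203.0.113.10", "ChatGPT", SP_CHATGPT,
         _consent_props("Mail.Read offline_access profile openid", SP_CHATGPT)),
    # Flow B: a low-impact consent that should not become an investigation trigger.
    _row("2024-01-01T12:05:01Z", "Consent to application", CORR_B,
         "bob@example.test", "203.0.113.11", "Contoso Expense", SP_EXPENSE,
         _consent_props("User.Read openid", SP_EXPENSE)),
    # Flow C: the SP already exists, so this CorrelationId carries a consent event only.
    _row("2024-01-02T09:30:00Z", "Consent to application", CORR_C,
         "carol@example.test", "198.51.100.7", "ChatGPT", SP_CHATGPT,
         _consent_props("Mail.Read offline_access openid", SP_CHATGPT)),
]

def _prop(resource: dict, name: str) -> Optional[str]:
    """Return a modifiedProperties newValue by displayName, minus Entra's wrapping quotes."""
    for p in resource.get("modifiedProperties", []):
        if p.get("displayName") == name:
            return str(p.get("newValue", "")).strip('"')
    return None

def parse_scopes(permissions_value: str) -> set:
    """Extract the space-separated Scope list from a ConsentAction.Permissions value."""
    m = re.search(r"Scope:\s*([^,\]]+)", permissions_value)
    return set(m.group(1).split()) if m else set()

def correlate_consents(records: list) -> list:
    """One finding per successful consent, joined by CorrelationId to any SP creation."""
    sp_adds = {r["CorrelationId"]: r for r in records
               if r["OperationName"] == "Add service principal" and r.get("Result") == "success"}
    findings = []
    for r in records:
        if r["OperationName"] != "Consent to application" or r.get("Result") != "success":
            continue
        target = r["TargetResources"][0]
        actor = r.get("InitiatedBy", {}).get("user", {})
        scopes = parse_scopes(_prop(target, "ConsentAction.Permissions") or "")
        sp = sp_adds.get(r["CorrelationId"])
        findings.append({
            "correlation_id": r["CorrelationId"], "consent_time": r["TimeGenerated"],
            "user": actor.get("userPrincipalName"), "source_ip": actor.get("ipAddress"),
            "app_display_name": target.get("displayName"), "service_principal_id": target.get("id"),
            "admin_consent": (_prop(target, "ConsentContext.IsAdminConsent") or "").lower() == "true",
            "scopes": sorted(scopes), "high_impact_scopes": sorted(scopes & HIGH_IMPACT_SCOPES),
            "sp_created_in_same_flow": sp is not None,
            "sp_created_time": sp["TimeGenerated"] if sp else None,
        })
    return findings

def investigation_triggers(records: list) -> list:
    """Consents granting a high-impact scope, flagged even when the app itself is well known."""
    return [f for f in correlate_consents(records) if f["high_impact_scopes"]]

if __name__ == "__main__":
    for f in investigation_triggers(SAMPLE_AUDIT_LOGS):
        print(f["consent_time"], f["user"], f["source_ip"], f["app_display_name"],
              f["scopes"], "sp_created=" + str(f["sp_created_time"]), f["correlation_id"])
```

Flow B drops out because User.Read is not in the trigger set, and flow C is still flagged even though no “Add service principal” row shares its CorrelationId, which is what you see when the service principal already existed in the tenant. The script does not verify the app's publisher; that check (the post found the ChatGPT service principal matched OpenAI's legitimate application rather than a lookalike) belongs in a separate step that compares the application ID against the publisher's documented one.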