← Back to Explore
sublimehighRule
Suspicious Office 365 app authorization (OAuth) link
Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or was stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.
Detection Query
type.inbound
and any(body.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path, '/common/reprocess')
and strings.icontains(.href_url.query_params, 'ctx=')
and strings.icontains(.href_url.query_params, 'sessionId=')
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Suspicious Office 365 app authorization (OAuth) link"
description: |
Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or
was stood up for malicious purposes. Once the app has been authorized, the attacker will have
read or write permissions to the user's Office 365 account.
references:
- "https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset"
type: "rule"
severity: "high"
source: |
type.inbound
and any(body.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path, '/common/reprocess')
and strings.icontains(.href_url.query_params, 'ctx=')
and strings.icontains(.href_url.query_params, 'sessionId=')
)
)
)
attack_types:
- "Credential Phishing"
detection_methods:
- "URL analysis"
id: "13a8c430-3e62-5c8f-86b5-3722599bead4"