One-click disaster: Microsoft’s Entra tokens can grant access to corporate emails, and that’s a problem


A single click could grant third-party apps permanent access to corporate email accounts without a password, putting organizations at risk of attacks.

Security researchers are calling attention to a growing threat vector targeting workplace identity systems, in which attackers exploit OAuth application consent to gain long-term access to sensitive corporate resources.

The latest analysis from threat researchers at Red Canary outlined how an OAuth consent attack against Microsoft’s Entra ID could be used to grant an application access to a user’s email.


Microsoft Entra (formerly Azure Active Directory) is a product family designed for identity and network access management for organizations. The product is used by over 300,000 organizations and has over 610 million monthly active users.


ChatGPT was granted permission to read emails. That could be a problem

In the illustrative scenario laid out by Red Canary, a non-admin user within Microsoft’s Entra ID tenant connected the legitimate ChatGPT app to their company’s Microsoft account system. While connecting ChatGPT, the hypothetical user approved several permissions, such as offline_access, profile, and openid, as well as Mail.Read, which lets the app read their email. The action originated from an external IP address.

“This ChatGPT application is indeed the legitimate OpenAI application that was investigated due to its use of one or more OAuth permissions that are frequently abused, in this case, Mail.Read,” researchers wrote in the study.


Giving an app permission to read email does not automatically mean something bad is happening. Many legitimate apps need that access to work properly. But the specific permission that allows email reading is often misused in phishing scams and account takeovers, which is why it raises security concerns.

“This investigation resulted in a benign classification, but the investigation steps followed a similar sequence to an incident we observed in the wild,” the researchers said.


Open Authorization (OAuth) is widely used across cloud platforms to allow applications to access user data without storing passwords. When a user approves an app through OAuth, the app receives digital tokens that allow it to access the user's accounts without a password.

Convenience, over safety? Well, unfortunately, yes. Unlike passwords, OAuth tokens can remain valid for long periods, even after a user changes their password.

That persistence creates risk. If a malicious or unauthorized app is granted access to an organization's network, it can persist undetected unless its permissions are specifically revoked.


Threat actors are increasingly targeting OAuth tokens rather than passwords, and security researchers have been warning about this shift for several years.

In the attacks where threat actors exploit OAuth tokens in the wild, sensitive permissions are being used to read email, send legitimate-looking messages, and even launch internal phishing campaigns that compromise additional accounts.

Gating higher-risk permissions is key

Detecting abused OAuth consent requires monitoring beyond traditional sign-in logs. Red Canary’s researchers outlined that defenders need to track when a non-admin user grants permissions to a third-party application, especially if that application requests sensitive permissions such as Mail.Read.

Tracking when an application is first added and when the user consents to its permissions can also help reveal suspicious activity.


Removing the OAuth permission grant and the associated service principal from the tenant cuts the unauthorized app off from accessing data.


These actions can be performed via automation tools such as Microsoft Graph commands, restoring control to the organization’s security team.
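The detection steps above (a non-admin user consenting to an app that requests Mail.Read, correlated with the app first being added to the tenant) and the remediation step (revoking the grant and removing the service principal via Microsoft Graph) can be put together in a small triage script. The following is an added example, not code from Red Canary or Microsoft. It assumes audit records shaped like the Microsoft Graph directoryAudits API output for the "Consent to application" and "Add service principal" activities, using the modifiedProperties names ConsentContext.IsAdminConsent and ConsentAction.Permissions that Entra emits; the sample records, user names, IP addresses and object ids below are constructed placeholders, and the rendering of ConsentAction.Permissions is an approximation of Entra's format.

```python
"""Triage Entra ID audit records for risky user consent grants (added example)."""
import re
from datetime import datetime, timedelta

# Delegated Graph scopes that give an app access to mailbox contents. Mail.Read is
# the one in the article; Mail.ReadWrite and Mail.Send are real Graph scope names.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}
GRAPH = "https://graph.microsoft.com/v1.0"


def _ts(value):
    """Parse the ISO-8601 activityDateTime (Entra uses a trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _prop(event, name):
    """Return the newValue of a named modifiedProperty on the first target resource."""
    for res in event.get("targetResources", []):
        for p in res.get("modifiedProperties", []):
            if p.get("displayName") == name:
                return (p.get("newValue") or "").strip('"')
    return ""


def parse_consent_event(event):
    """Extract who consented, to which app, and with which scopes; None for other activities."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    perms = _prop(event, "ConsentAction.Permissions")
    # Approximated rendering: "[] => [[Id: <grantId>, ClientId: ..., Scope: a b c, ...]]".
    # The negative lookbehind keeps "ClientId:" / "PrincipalId:" from matching "Id:".
    grant_id = re.search(r"(?<![A-Za-z])Id:\s*([^,\]]+)", perms)
    scope = re.search(r"Scope:\s*([^,\]]*)", perms)
    actor = event["initiatedBy"]["user"]
    target = event["targetResources"][0]
    return {
        "when": _ts(event["activityDateTime"]),
        "user": actor["userPrincipalName"],
        "ip": actor.get("ipAddress", ""),
        "app": target["displayName"],
        "sp_id": target["id"],                      # service principal object id
        "grant_id": grant_id.group(1).strip() if grant_id else "",
        "scopes": set(scope.group(1).split()) if scope else set(),
        "admin_consent": _prop(event, "ConsentContext.IsAdminConsent").lower() == "true",
    }


def flag_risky_consents(events, new_app_window=timedelta(minutes=30)):
    """Return non-admin consents that include a mail scope.

    Each hit also records whether the app's service principal was added to the
    tenant shortly before the consent, the sequence the article describes.
    """
    added = {e["targetResources"][0]["id"]: _ts(e["activityDateTime"])
             for e in events if e.get("activityDisplayName") == "Add service principal"}
    hits = []
    for e in events:
        c = parse_consent_event(e)
        if c is None or c["admin_consent"]:
            continue
        risky = c["scopes"] & RISKY_SCOPES
        if not risky:
            continue
        c["risky_scopes"] = risky
        t = added.get(c["sp_id"])
        c["app_just_added"] = t is not None and timedelta(0) <= c["when"] - t <= new_app_window
        hits.append(c)
    return hits


def remediation_requests(hit):
    """Graph REST calls that revoke the grant and remove the app's service principal."""
    return [("DELETE", f"{GRAPH}/oauth2PermissionGrants/{hit['grant_id']}"),
            ("DELETE", f"{GRAPH}/servicePrincipals/{hit['sp_id']}")]


def _event(activity, when, user, ip, app, sp_id, props):
    """Build a constructed audit record in the directoryAudits shape."""
    return {"activityDisplayName": activity, "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": user, "ipAddress": ip}},
            "targetResources": [{"id": sp_id, "displayName": app, "modifiedProperties": [
                {"displayName": k, "newValue": v} for k, v in props.items()]}]}


SAMPLE_EVENTS = [  # constructed sample data; ids, names and addresses are placeholders
    _event("Add service principal", "2025-01-10T09:00:00Z", "alice@example.com",
           "203.0.113.10", "ChatGPT", "sp-1111", {}),
    _event("Consent to application", "2025-01-10T09:05:00Z", "alice@example.com",
           "203.0.113.10", "ChatGPT", "sp-1111",
           {"ConsentContext.IsAdminConsent": "False",
            "ConsentAction.Permissions": "[] => [[Id: grant-aaaa, ClientId: sp-1111, "
            "PrincipalId: user-alice, ResourceId: sp-graph, ConsentType: Principal, "
            "Scope: offline_access profile openid Mail.Read, CreatedDateTime: , ExpiryTime: ]]"}),
    _event("Consent to application", "2025-01-10T10:00:00Z", "bob@example.com",
           "198.51.100.7", "Expense Tracker", "sp-2222",
           {"ConsentContext.IsAdminConsent": "False",
            "ConsentAction.Permissions": "[] => [[Id: grant-bbbb, ClientId: sp-2222, "
            "Scope: openid profile User.Read, ConsentType: Principal]]"}),
    _event("Consent to application", "2025-01-10T11:00:00Z", "admin@example.com",
           "198.51.100.8", "Mail Archiver", "sp-3333",
           {"ConsentContext.IsAdminConsent": "True",
            "ConsentAction.Permissions": "[] => [[Id: grant-cccc, ClientId: sp-3333, "
            "Scope: Mail.Read, ConsentType: AllPrincipals]]"}),
]

if __name__ == "__main__":
    for h in flag_risky_consents(SAMPLE_EVENTS):
        print(f"{h['user']} from {h['ip']} granted {sorted(h['risky_scopes'])} to "
              f"'{h['app']}' (app added minutes earlier: {h['app_just_added']})")
        for method, url in remediation_requests(h):
            print("  ", method, url)
```

Only the first consent is flagged: the other two are either scoped to non-mail permissions or were granted by an administrator, which the script treats as a separate review stream. The DELETE calls are returned rather than sent so the hit can be reviewed first; in a live setting they would be issued with a Graph token holding the appropriate directory write permissions.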

Microsoft supplies ample opportunities to mitigate against this technique. As Microsoft states, “by default, a user can consent to allow an app to access their mailbox but can’t consent to allow an app unfettered access to read and write to all files in your organization.”

Microsoft leaves organizations three options for tightening their identity controls and reducing the attack surface:

  • The first option is disabling user consent entirely, so that only administrators can approve applications. However, this option bears an administrative burden.
  • The second option is allowing consent only for verified publishers or pre-approved permissions. Users can still approve low-risk applications, but higher-risk permissions are gated.
  • The third option is letting Microsoft manage consent settings and automatically update policies based on evolving guidance.

