What this bundle covers
OAuth illicit consent grants do not look like phishing. The user authenticates to login.microsoftonline.com, the real Microsoft endpoint, with valid TLS and every browser indicator green. They see a consent prompt that looks identical to every legitimate SaaS they have ever onboarded. They click Accept. Microsoft issues an access token and a refresh token, both signed by Microsoft and scoped to whatever delegated permissions the app asked for, typically the user's mailbox or files. The access token lasts about an hour. The refresh token, issued because the app requested the offline_access scope, is replaced with a fresh one on every use and by default only lapses after 90 days without use, so the attacker keeps minting access tokens from their own infrastructure for as long as they keep polling. No password is exposed. The attacker is never challenged for MFA; whatever MFA the user satisfied during their own legitimate sign-in is what the tokens inherit. No "suspicious login" alert lights up because nothing about the login was suspicious: it came from the user's own device, from the user's own location, at a time the user was working.
This is the primitive Midnight Blizzard used against Microsoft's own corporate tenant in the intrusion Microsoft disclosed in January 2024: a legacy test OAuth application, plus new ones the actor created, were granted Exchange Online permissions and used to read corporate mailboxes. It is the primitive behind the "Google Docs" OAuth worm of May 2017, which Google estimated reached about a million Gmail accounts. It is the persistence mechanism criminal spam operators bolt onto compromised M365 tenants because it survives password resets. Three different threat tiers, same primitive.
The bundle has four parts:
- Threat model. What actually happens at each stage, why your AiTM playbook does not catch it, where the detection gap lives. Read this first.
- Detection. Five Microsoft Sentinel analytics rules — consent moment, mass campaign, anomalous SP sign-in, post-consent persistence, Graph API mass read. KQL inline. False-positive analysis included.
- Mitigations. Why Conditional Access is the wrong primary answer here, and which three Entra ID consent-framework controls actually prevent the attack. With deploy order.
- Incident response. The four containment moves you have to make in order. Revoke grants, disable the SP, revoke refresh tokens, tenant-block the AppId. Why password reset alone leaves the attacker in place.
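The first three containment moves above, in the order the runbook prescribes, as an added example written against the Microsoft Graph PowerShell SDK. This is illustrative code and not the bundle's runbook. It assumes the SDK is installed, the operator holds Cloud Application Administrator, and $AppId carries the application (client) ID of the malicious app; the grant export path and the decision to disable rather than delete the service principal are this example's choices. The fourth move, blocking the AppId tenant-wide, depends on the tooling in your tenant and is not shown.

```powershell
# Added example, not the bundle's runbook: contain an illicit consent grant with the
# Microsoft Graph PowerShell SDK. Assumes Cloud Application Administrator and the scopes below.
param(
    [Parameter(Mandatory)][string]$AppId,   # application (client) ID of the malicious app
    [string]$EvidenceDir = "."              # grants are exported here before they are deleted
)

Connect-MgGraph -Scopes @(
    "Application.ReadWrite.All",              # disable the service principal
    "DelegatedPermissionGrant.ReadWrite.All", # remove delegated (user or admin) consent grants
    "AppRoleAssignment.ReadWrite.All",        # remove application-permission assignments
    "User.RevokeSessions.All"                 # invalidate refresh tokens per user
) | Out-Null

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant; nothing to contain." }
Write-Host "Target: '$($sp.DisplayName)' (service principal objectId $($sp.Id))"

# Move 1: revoke grants. Export them first; the grant objects are the record of who consented to what.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$grants | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $EvidenceDir "grants-$AppId.json")

$affected = [System.Collections.Generic.HashSet[string]]::new()
$adminConsent = $false
foreach ($g in $grants) {
    if ($g.ConsentType -eq 'Principal') { [void]$affected.Add($g.PrincipalId) }  # one user consented
    else { $adminConsent = $true }  # 'AllPrincipals': an admin consented on behalf of every user
    Write-Host "Removing grant $($g.Id) [$($g.ConsentType)] scope='$($g.Scope)'"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}
# Application permissions (app roles) let the app act with no user at all; strip those as well.
foreach ($r in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    Write-Host "Removing app role assignment $($r.Id) on $($r.ResourceDisplayName)"
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $r.Id
}

# Move 2: disable the service principal. Disable rather than delete: once the SP is gone, the next
# user who clicks Accept on the same multi-tenant app re-creates it, consent and all.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# Move 3: revoke refresh tokens. revokeSignInSessions advances the user's signInSessionsValidFromDateTime,
# so every refresh token the attacker holds for that user stops being redeemable. Access tokens already
# issued keep working until they expire (roughly an hour); build that window into the timeline.
foreach ($uid in $affected) {
    Revoke-MgUserSignInSession -UserId $uid | Out-Null
    Write-Host "Revoked sign-in sessions for user $uid"
}
if ($adminConsent) {
    Write-Warning "Grant was admin-consented for all users. Any mailbox may have been read; scope the session revocation from the service principal sign-in logs, not from the grant list."
}
```

Run it once per malicious AppId, then move to the fourth containment step. The exported JSON is what you hand to the investigation: it carries the PrincipalId of every user who consented, the exact scope string, and the ConsentType that tells you whether one click or an admin exposed the tenant.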
Who this is for
SOC engineers and M365 admins who already have Sentinel ingesting AuditLogs and AADServicePrincipalSignInLogs. The detections are scheduled analytics rules you can import directly. The hardening covers the consent-framework settings that most established tenants have never touched because their tenant predates the safer defaults Microsoft ships in new tenants today. The IR runbook assumes you have the Microsoft Graph PowerShell SDK installed and a Cloud Application Administrator on the IR rotation.
If you are a smaller shop without Sentinel, the audit script (Get-RiskyConsentGrants.ps1) and the consent-framework settings still apply — they cost nothing and close most of the surface.
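What a grant audit of this kind looks like, as an added example that is not the bundle's Get-RiskyConsentGrants.ps1 and not code from the page. It walks every delegated oauth2PermissionGrant in the tenant (the object the Accept click from the opening section creates), joins each to its service principal, and reports the grants held by apps registered outside your tenant that carry mail or file scopes. The scope list, the two Microsoft-owned tenant IDs used to skip first-party apps, and the CSV filename are this example's assumptions; Directory.Read.All is sufficient because nothing is modified.

```powershell
# Added example, not the bundle's script: find delegated consent grants that give an outside app
# standing access to mail or files. Read-only; Directory.Read.All covers grants, SPs and users.
Connect-MgGraph -Scopes "Directory.Read.All" | Out-Null

# Scopes worth a second look. Assumed list; extend it for your tenant.
$riskyScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'Contacts.Read', 'User.Read.All', 'Directory.Read.All', 'Directory.AccessAsUser.All'
)
# First-party Microsoft apps are owned by these well-known tenants; everything else is third party.
$microsoftTenants = @('f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47')
$myTenant = (Get-MgContext).TenantId

$spCache = @{}
$userCache = @{}
$findings = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    # clientId on a grant is the service principal objectId of the consuming app
    if (-not $spCache.ContainsKey($g.ClientId)) {
        $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId `
            -Property Id, AppId, DisplayName, AppOwnerOrganizationId, VerifiedPublisher, CreatedDateTime
    }
    $sp = $spCache[$g.ClientId]
    $owner = [string]$sp.AppOwnerOrganizationId
    if (-not $owner -or $owner -eq $myTenant -or $microsoftTenants -contains $owner) { continue }

    $scopes = @($g.Scope -split '\s+' | Where-Object { $_ })
    $hits = @($scopes | Where-Object { $riskyScopes -contains $_ })
    if ($hits.Count -eq 0) { continue }

    # ConsentType 'Principal' is one user's click; 'AllPrincipals' is admin consent for everyone.
    $who = 'ALL USERS (admin consent)'
    if ($g.ConsentType -eq 'Principal') {
        if (-not $userCache.ContainsKey($g.PrincipalId)) {
            try {
                $userCache[$g.PrincipalId] = (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName
            } catch {
                $userCache[$g.PrincipalId] = "deleted user $($g.PrincipalId)"
            }
        }
        $who = $userCache[$g.PrincipalId]
    }
    $publisher = 'UNVERIFIED'
    if ($sp.VerifiedPublisher.DisplayName) { $publisher = $sp.VerifiedPublisher.DisplayName }

    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $publisher
        SpCreated   = $sp.CreatedDateTime       # a service principal born on the day of the lure is a tell
        GrantedTo   = $who
        Persistent  = ($scopes -contains 'offline_access')  # refresh token issued: access outlives the session
        RiskyScopes = ($hits -join ' ')
    }
}

$findings | Sort-Object Publisher, App | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation "consent-grants-$(Get-Date -Format yyyyMMdd).csv"
```

Read the output for the combination that matters: an unverified publisher, offline_access, and a mail or file scope, granted to one user on a service principal created recently. That row is a consent grant to take to the IR runbook; a verified publisher with the same scopes granted to all users by an admin is a sanctioned integration, or a very different incident.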
Why we wrote this
We study how attackers actually operate, and that precision is what makes the defensive content useful. When we say the permission-classification control closes the residual gap after a verified-publisher compromise, it is because we understand what an attacker who just burned their verified-publisher access would try next.
This is the third bundle in the LexLab Security Research series. The Microsoft 365 AiTM Defense bundle covered credential and session-cookie theft. The LinkedIn AiTM Defense bundle covered the same primitive against a different identity provider. This one covers the technique that increasingly chains behind both: AiTM gets the attacker a live session, sometimes an admin's, and a consent granted from inside that session gives them persistence that survives the cleanup.
Status
Live. Threat model, detection bundle, mitigation guide, and IR runbook are published. Updates will land here as the research continues — Copilot scope abuse and cross-tenant access patterns are the two threads we are tracking next.