Secure OAuth permissions and applications

This initiative will help you identify, remove, and protect against malicious OAuth applications. As this technique grows in popularity, you can use this initiative to get ahead of it and maintain confidence in your estate.

The problem

Whilst traditional phishing is still a very real threat, as we all get better at spotting and stopping phishing attacks, attackers continue to evolve their techniques. An increasingly popular technique takes advantage of OAuth applications. 

The premise is simple, if an attacker can convince a user to add a malicious application they can hand over access to just as much sensitive information without handing over their password. An OAuth application can ask for permission to do pretty much anything a user can do but, unless you’re looking for it, can easily fly under the radar. It even passes the checks a careful user might do: legitimate URL, green padlock, verified tick, and no handing over sensitive information like passwords.

An example OAuth app screenshot Office 365

What should you do?

To get an understanding of your current situation, you need to inspect currently installed apps. For example, in Azure AD, you can see all installed apps but you need to click into each one to get a sense of who has installed it and the permissions that have been approved.

If you find apps that are suspicious, you should remove access and investigate how, why, and when they were installed to see if there are lessons to be learned. If you find apps you are unsure of, or apps that you think shouldn’t be allowed, you should contact the user who installed the app to understand if it is something they still require and if you can find a suitable alternative.

How can we help?

This initiative will give you clear reporting on which apps are installed, by who, and what they allow access to. Using simple techniques like least-frequency analysis and simply highlighting dangerous permissions, we will highlight apps that shouldn’t be installed, or warrant further investigation.

You can use our ChatOps integration to contact users that installed apps you’re unsure of to really speed up any investigations you might need to do.

We will guide you through the steps required to configure further protection from attacks like this, such as requiring administrator approval, or restricting a user’s ability to install certain apps altogether.

Finally, you can set up alerts so if any suspicious apps are installed on your estate in the future you can respond quickly.

Supported platforms:
Google Workspace logo
Google Workspace
Microsoft 365 logo
Microsoft 365