OAuth-based application attacks are becoming more common, according to Red Canary's Threat Research team. This article looks at one such attack. One particularly risky pattern is emerging within Entra ID: abuse of consent granted to a legitimate application.

In this instance, attackers gained unauthorized access to user mailboxes by abusing the OAuth permissions granted to the legitimate ChatGPT application. The case shows how important it is to handle OAuth consent carefully, and how dangerous it is to grant third-party apps broader access to user data than they need. The attack begins when an employee adds the ChatGPT service principal to the Entra ID tenant and consents to OAuth permissions that grant access to their mailbox (Mail.Read) together with offline_access, profile and openid. The consent is given to a genuine OpenAI application that presents itself as a trusted service; in this case, the resulting access was misused by the attacker.

By approving the request, the user unknowingly gives the attacker access to private mailbox contents. The Mail.Read permission is the main source of risk: it is a scope attackers commonly seek in order to steal email data.

The attack gained unauthorized access to the victim's mailbox by taking advantage of this otherwise valid request. The investigation reviewed the logs and correlated events, focusing on the OAuth permissions granted and the service principal that was added (ChatGPT).

How the Attack Takes Place

Initial Consent: The attacker tricks the target user into granting the ChatGPT application permissions, including Mail.Read and offline_access.

This is accomplished by presenting the app as an authentic third-party tool. Once consent is granted, the attacker can access the user's mailbox, and because offline_access was included, that access can be renewed with a refresh token rather than ending with the user's session.

Monitoring Consent Events: Key log data, in particular the AuditLogs entries for "Consent to application" events, provides important insight. These records show when the user granted ChatGPT permission and which OAuth scopes, Mail.Read among them, were agreed to.

The event also records the IP address from which the consent was granted, which in this case pointed to remote infrastructure associated with the attacker rather than to a corporate endpoint.

Application Behavior Monitoring: Red Canary's telemetry analysis tracks the exchanges between the victim's system and attacker-controlled servers. This helps correlate activity and identify suspicious application behavior, such as unauthorized access requests and connection attempts.

Data Exfiltration: Once ChatGPT has been granted the required permissions, the attacker can read private email content and exfiltrate it for malicious purposes.

The data is then uploaded to attacker-controlled infrastructure for further exploitation.

Detection and Mitigation

According to Red Canary, watching for suspicious application permission grants and newly added third-party service principals is crucial to stopping this kind of OAuth attack.

Important Indicators

Indicator      Value                                           Risk
App ID         e0476654-c1d5-430b-ab80-70cbd947616a            Legitimate OpenAI application, misused for its permissions
Permissions    Mail.Read, offline_access, profile, openid      Access to email that does not expire
Consent type   Principal, non-admin (IsAdminConsent: False)    User-specific, phishing-prone
IP origin      3.89.177.26 (AWS, Virginia)                     Potential proxy

Organizations are increasingly at risk from OAuth attacks that abuse applications such as ChatGPT, especially when employees are targeted and tricked into granting unwarranted permissions.
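The consent-event review described above, turned into detection logic: the example below is added here and is not Red Canary's or Microsoft's code. It runs over constructed audit records built in the shape of Entra ID AuditLogs "Consent to application" entries (trimmed to the fields it uses, with placeholder ids and user names), pulls out the granted scopes, the IsAdminConsent flag and the source IP, and scores each grant. The ChatGPT display name, the scope set and the 3.89.177.26 address come from the indicators table above; the corporate network range and the list of sensitive scopes are assumptions to replace with your own.

```python
import ipaddress
import re

# Delegated scopes that expose user data directly. Mail.Read is the one abused in the case
# above; the others are the usual companions in consent-phishing grants (assumed list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite", "Contacts.Read", "Calendars.Read",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
}
KNOWN_BAD_IPS = {"3.89.177.26"}                           # source IP from the indicators table
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate egress range


def _audit_record(app, user, ip, is_admin, consent_type, scopes):
    """Build a constructed record in the shape of an Entra ID 'Consent to application' entry."""
    return {
        "activityDisplayName": "Consent to application",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": user, "ipAddress": ip}},
        "targetResources": [{
            "type": "ServicePrincipal",
            "displayName": app,
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": f'"{is_admin}"'},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f'"[] => [[Id: 00000000-0000-0000-0000-000000000000, '
                             f'ConsentType: {consent_type}, Scope: {scopes}]]"'},
            ],
        }],
    }


# Constructed sample batch: the first record mirrors the case above.
SAMPLE_AUDIT_EVENTS = [
    _audit_record("ChatGPT", "employee@corp.example", "3.89.177.26", "False", "Principal",
                  "Mail.Read offline_access profile openid"),
    _audit_record("Expense Portal", "it-admin@corp.example", "203.0.113.10", "True",
                  "AllPrincipals", "User.Read openid"),
    _audit_record("Survey Tool", "employee@corp.example", "198.51.100.7", "False", "Principal",
                  "User.Read openid profile"),
]


def _modified_property(target, name):
    """Return the unquoted newValue of a modifiedProperties entry, or '' if absent."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            return (prop.get("newValue") or "").strip('"')
    return ""


def parse_consent_event(event):
    """Extract app, user, source IP, consent type and granted scopes from one audit record."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    target = next((t for t in event.get("targetResources", [])
                   if t.get("type") == "ServicePrincipal"), None)
    if target is None:
        return None
    perms = _modified_property(target, "ConsentAction.Permissions")
    match = re.search(r"Scope:\s*([^,\]]*)", perms)      # scopes are space-separated
    user = event.get("initiatedBy", {}).get("user", {})
    return {
        "app": target.get("displayName", ""),
        "user": user.get("userPrincipalName", ""),
        "ip": user.get("ipAddress", ""),
        "admin_consent": _modified_property(target, "ConsentContext.IsAdminConsent").lower() == "true",
        "scopes": set(match.group(1).split()) if match else set(),
    }


def assess_consent(consent):
    """Return (severity, reasons); severity is None when nothing looks suspicious."""
    reasons = []
    sensitive = sorted(consent["scopes"] & HIGH_RISK_SCOPES)
    persistent = "offline_access" in consent["scopes"]
    if sensitive:
        reasons.append("grants data-access scopes: " + " ".join(sensitive))
        if persistent:
            reasons.append("offline_access issues a refresh token, so access outlives the session")
        if not consent["admin_consent"]:
            reasons.append("granted by user self-consent (IsAdminConsent=False), not reviewed by an admin")
    ip = consent["ip"]
    known_bad = ip in KNOWN_BAD_IPS
    try:
        external = not any(ipaddress.ip_address(ip) in net for net in CORP_NETWORKS)
    except ValueError:              # empty or malformed address: treat as unknown origin
        external = True
    if known_bad:
        reasons.append(f"consent originated from known indicator {ip}")
    elif external:
        reasons.append(f"consent originated outside corporate ranges ({ip or 'unknown'})")
    if not reasons:
        return None, []
    if sensitive and (persistent or not consent["admin_consent"] or known_bad):
        return "high", reasons
    return ("medium" if sensitive else "low"), reasons


def find_risky_consents(events):
    """Run the assessment over a batch of audit records and return the flagged grants."""
    findings = []
    for event in events:
        consent = parse_consent_event(event)
        if consent is None:
            continue
        severity, reasons = assess_consent(consent)
        if severity:
            findings.append({**consent, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_AUDIT_EVENTS):
        print(f"[{f['severity'].upper()}] {f['user']} -> {f['app']} "
              f"scopes={' '.join(sorted(f['scopes']))} ip={f['ip']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample batch, the ChatGPT grant comes out as high severity with four reasons (a mailbox scope, offline_access, user self-consent, and a source IP matching the indicator), the admin-approved Expense Portal grant from inside the corporate range is not flagged at all, and the Survey Tool grant is reported as low severity only because of its origin. Real records carry more fields and the Scope text sits inside a longer bracketed string; the regex only relies on the "Scope:" label and the comma or bracket that follows the list.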

Organizations can minimize the harm caused by unauthorized data access and strengthen their defenses against such attacks by implementing strict consent policies and improving monitoring.
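What a "strict consent policy" means in Entra ID terms, as an added example that is not part of the original article or Microsoft's code: the user-consent setting lives in the tenant's authorizationPolicy (GET/PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy), where defaultUserRolePermissions.permissionGrantPoliciesAssigned selects the built-in "legacy" policy (users may self-consent to any delegated permission not reserved for admins), the built-in "low" policy (only verified publishers, only permissions the tenant has classified as low impact), or nothing (user consent disabled, every request goes to the admin consent workflow). The code below interprets constructed weak and hardened policy documents and checks whether the ChatGPT request from the case above could have been self-approved under each. The set of low-impact scopes is the one Microsoft recommends classifying as low, which is an assumption: the real set is whatever the tenant's admins have classified.

```python
# Built-in permission grant policies Entra ID can assign to the default user role.
LEGACY_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # self-consent to anything
LOW_RISK_POLICY = "ManagePermissionGrantsForSelf.microsoft-user-default-low"   # verified publisher + low-impact scopes

# Delegated permissions Microsoft recommends classifying as low impact. Assumption: the
# tenant actually classifies exactly these; check the permission classifications page.
LOW_IMPACT_SCOPES = {"openid", "profile", "email", "User.Read", "offline_access"}

# Constructed /policies/authorizationPolicy documents, trimmed to the fields used here.
WEAK_POLICY = {
    "allowUserConsentForRiskyApps": True,
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY_POLICY]},
}
HARDENED_POLICY = {
    "allowUserConsentForRiskyApps": False,
    "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LOW_RISK_POLICY]},
}

# The scopes the ChatGPT consent in the case above asked for.
CHATGPT_REQUEST = ["Mail.Read", "offline_access", "profile", "openid"]


def user_consent_level(policy):
    """Map the assigned grant policies to one of: unrestricted, low-risk-only, disabled, custom."""
    assigned = policy.get("defaultUserRolePermissions", {}).get("permissionGrantPoliciesAssigned", [])
    if LEGACY_POLICY in assigned:
        return "unrestricted"
    if LOW_RISK_POLICY in assigned:
        return "low-risk-only"
    if not assigned:
        return "disabled"
    return "custom"      # a tenant-defined ManagePermissionGrantsForSelf.<id> policy


def user_can_self_consent(policy, scopes, verified_publisher):
    """Decide whether a non-admin user could approve this request with no admin involvement."""
    level = user_consent_level(policy)
    if level == "unrestricted":
        return True
    if level == "low-risk-only":
        return verified_publisher and set(scopes) <= LOW_IMPACT_SCOPES
    if level == "custom":
        raise ValueError("custom permission grant policy: evaluate its conditions explicitly")
    return False         # disabled: the request is routed to the admin consent workflow


def consent_policy_findings(policy):
    """Posture check: list the settings that would have let the ChatGPT-style grant through."""
    findings = []
    if user_consent_level(policy) == "unrestricted":
        findings.append("users can self-consent to any delegated permission, Mail.Read included")
    if policy.get("allowUserConsentForRiskyApps", False):
        findings.append("allowUserConsentForRiskyApps is True: risk-based consent blocking is off")
    return findings


def hardened_patch(disable_user_consent=False):
    """Request body for PATCH /policies/authorizationPolicy that closes the gap."""
    assigned = [] if disable_user_consent else [LOW_RISK_POLICY]
    return {
        "allowUserConsentForRiskyApps": False,
        "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": assigned},
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        allowed = user_can_self_consent(policy, CHATGPT_REQUEST, verified_publisher=True)
        print(f"{name}: level={user_consent_level(policy)} "
              f"ChatGPT request self-approvable={allowed} findings={consent_policy_findings(policy)}")
    print("patch body:", hardened_patch())
```

Under the weak (legacy) policy the ChatGPT request is self-approvable, which is exactly the situation in the case above; under the hardened policy it is not, because Mail.Read is outside the low-impact set even though OpenAI is a verified publisher, so the request would land in the admin consent workflow instead. Disabling user consent outright (hardened_patch(disable_user_consent=True)) blocks every self-service grant, including the harmless ones, so most tenants pair the "low" policy with an admin consent review rather than turning consent off entirely.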