Microsoft Entra ID is increasingly becoming a target for threat actors, who are constantly searching for new ways to misuse trusted platforms, through a tactic known as OAuth consent abuse. A recently reported attack scenario demonstrates how a malicious or excessively permissive third-party program, one that resembles a reliable tool like ChatGPT, can surreptitiously access a corporate user's inbox without ever requiring the user's password. OAuth, short for Open Authorization, is the standard protocol that permits applications to access a user's data with the user's consent.

When a user links a third-party app to their Microsoft account in Entra ID, a consent prompt outlining the permissions the app is requesting is displayed.

Attackers take advantage of this by creating, or posing as, an application that requests sensitive permissions such as Mail.Read, which, if approved, grants the app complete access to the user's email account. The safest setting requires an administrator to approve every consent request, so non-admin users cannot authorize any application at all. A more balanced setting limits user consent to apps from verified publishers that request pre-approved, low-risk permissions.

Microsoft's recommended setting offers a practical compromise between security and operational ease: it automatically applies Microsoft's own current user consent policies to the organization.
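To make the three consent settings concrete, here is an added example (not code from the article or from Microsoft) that models how each setting decides a consent prompt and then scans constructed audit records for grants of mailbox permissions. The scope names are real Microsoft Graph permissions; the policy labels, record layout and sample events are assumptions made for this example.

```python
# Added example: model of the Entra ID user-consent settings described in the article,
# plus a detector for risky consent grants. Policy names, record format and the sample
# events are assumptions constructed for this example, not Microsoft's own API.
from dataclasses import dataclass

# Delegated permissions a tenant might pre-approve as low risk (assumption).
LOW_RISK_SCOPES = {"User.Read", "openid", "profile", "email", "offline_access"}
# Permissions that expose the mailbox; Mail.Read is the one the article warns about.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

@dataclass
class ConsentRequest:
    app_name: str
    publisher_verified: bool
    scopes: frozenset
    actor_is_admin: bool = False

def evaluate_consent(req: ConsentRequest, policy: str) -> str:
    """Return 'allow' or 'admin_required' for a consent prompt under one of:
    'admin_only'        - no non-admin user may consent (the safest setting)
    'verified_low_risk' - users may consent only to verified publishers asking
                          for pre-approved low-risk permissions (balanced setting)
    'allow_all'         - any user may consent to any app (weakest setting)
    """
    if req.actor_is_admin:
        return "allow"                      # admins approve on the tenant's behalf
    if policy == "admin_only":
        return "admin_required"
    if policy == "verified_low_risk":
        if req.publisher_verified and req.scopes <= LOW_RISK_SCOPES:
            return "allow"
        return "admin_required"             # unverified publisher or risky scope
    if policy == "allow_all":
        return "allow"
    raise ValueError(f"unknown policy {policy!r}")

# Constructed audit events: "user,app,publisher_verified,granted scopes".
SAMPLE_CONSENT_EVENTS = """\
alice@example.com,ChatGPT Helper,false,Mail.Read offline_access
bob@example.com,Contoso Viewer,true,User.Read openid
carol@example.com,Expense Bot,true,Mail.ReadWrite User.Read
"""

def find_risky_grants(events: str) -> list:
    """Return (user, app, publisher_verified, risky_scopes) for every grant
    that includes a mailbox permission; an unverified publisher is the worst case."""
    findings = []
    for line in events.splitlines():
        user, app, verified, scopes = line.split(",")
        risky = set(scopes.split()) & HIGH_RISK_SCOPES
        if risky:
            findings.append((user, app, verified == "true", sorted(risky)))
    return findings
```

Run against a real export, the same check would point at consent grants that the "verified publishers, low-risk permissions" setting would have routed to an administrator.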