The M365 Attack Chain Is Not What You Think

Published 3 months ago
Description
(00:00:00) Mission Briefing: Protecting Against Tenant Breaches
(00:00:41) The Enemy's Tactics: Consent Phishing and Token Theft
(00:04:35) The Attack Chain: From Consent to Token Abuse
(00:06:22) Detecting and Preventing Consent Phishing
(00:14:41) Lateral Movement: From Mailbox to SharePoint
(00:17:23) Exfiltration and Data Theft
(00:20:26) Implementing Effective Defenses
(00:26:01) Closing Remarks and Key Takeaways

Perimeter defense is a lie. In this mission briefing, we walk through a real-world-style Microsoft 365 breach where attackers use consent phishing, AiTM token theft, and OAuth abuse to bypass MFA, replay stolen cookies, and live off the land with Microsoft Graph. You’ll see the exact Entra logs, Sentinel analytics, and controls that matter—plus the one policy that breaks the entire attack chain: consent control. If you run M365, Entra ID, or Sentinel, this is mandatory listening.

Opening – The Lie of Perimeter Defense

Officers, you’re briefed into a different war. Firewalls guard borders, but modern attacks don’t cross borders—they hijack identity. MFA looks like a shield, but stolen tokens and consented apps glide past it like cloaked ships. In this episode, we map an end-to-end Microsoft 365 breach:
  • Starting in the attacker’s cockpit
  • Following consent phishing, AiTM token theft, and OAuth abuse
  • Ending with concrete detections (KQL, Sentinel) and Entra policies you can deploy today
There is one policy that breaks this chain. Stay sharp.

Segment 1 – Threat Intel Brief: What Modern Crews Actually Do

We begin with the current threat picture:
  • Phishing-as-a-Service & AiTM kits: turnkey infrastructure to steal credentials and session cookies together.
  • Malicious multi-tenant OAuth apps: used as roaming “gunships” across tenants, abusing legitimate Microsoft identity flows.
  • Goal set:
    • Take the mailbox
    • Siphon SharePoint / OneDrive
    • Persist via app consent, refresh tokens, and mail rules
Why traditional defenses fail:
  • MFA stops passwords—not replayable sessions.
  • Admin portals don’t highlight OAuth sprawl or service principals by default.
  • Telemetry exists, but detection rules and UEBA are often missing or under-tuned.
Telemetry that actually matters:
  • Entra ID / Azure AD
    • “Consent to application”
    • “ServicePrincipal created”
    • “AppRoleAssignedTo”
    • Sign-in logs with “Authentication requirements satisfied” (including cookie replay patterns)
  • Exchange / MailboxAudit
    • New inbox rules, hidden rules, external forwarding
  • SharePoint / Unified Audit Log
    • FileAccessed / FileDownloaded with AppId stamps
  • App registrations & service principals
    • New credentials, updated permissions, scope creep
Key doctrine:
  • Don’t just guard logins—bind tokens and govern consent.
  • Use Token Protection and risk-based Conditional Access to make stolen cookies worthless and cut risky sessions mid-flight.
Segment 2 – Initial Access: Consent Phishing + Token Theft

Here’s how the breach starts:
  • User hits an AiTM phishing page (invoice, payroll, SharePoint link).
  • Reverse proxy relays real Microsoft login → MFA succeeds → session cookie is captured.
  • In the same flow, a benign-looking multi-tenant OAuth app asks for consent:
    • Scopes like User.Read, Mail.Read, offline_access
  • The user approves.
  • Attacker now holds:
    • A stolen cookie (for replay)
    • A sanctioned service principal (for long-term Graph access)
Key telemetry & detections:
  • Entra Audit:
    • “Consent to application” → “ServicePrincipal created” → “AppRoleAssignedTo”
  • Entra Sign-in logs:
    • “Authentication requirements sa
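As an added example (not code from the episode), the consent → service principal → app role sequence the briefing lists under Segment 1's telemetry and Segment 2's detections, correlated per app over constructed sample audit records in Python. The record fields and operation labels are assumptions that follow the page's wording, not the exact Entra AuditLogs schema, so map them to your tenant's real OperationName values before deploying.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real tenant data). Operation labels
# follow the page's wording; map them to your tenant's actual AuditLogs
# OperationName values before deploying.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "op": "Consent to application",
     "app": "app-aaaa", "user": "alice@contoso.example",
     "scopes": "User.Read Mail.Read offline_access"},
    {"time": "2024-05-01T09:00:05", "op": "ServicePrincipal created",
     "app": "app-aaaa", "user": "alice@contoso.example", "scopes": ""},
    {"time": "2024-05-01T09:00:09", "op": "AppRoleAssignedTo",
     "app": "app-aaaa", "user": "alice@contoso.example", "scopes": ""},
    # Benign consent: low-privilege scope, no role assignment follows.
    {"time": "2024-05-01T10:00:00", "op": "Consent to application",
     "app": "app-bbbb", "user": "bob@contoso.example", "scopes": "User.Read"},
    {"time": "2024-05-01T10:00:02", "op": "ServicePrincipal created",
     "app": "app-bbbb", "user": "bob@contoso.example", "scopes": ""},
]

# The three-step chain the page describes, in order.
CHAIN = ("Consent to application", "ServicePrincipal created", "AppRoleAssignedTo")
# Scopes that grant mailbox/file read and long-lived refresh tokens.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access"}

def detect_consent_chain(events, window=timedelta(minutes=30)):
    """Return one alert per app whose audit trail shows the full
    consent -> service principal -> app role chain inside `window`."""
    by_app = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_app.setdefault(e["app"], []).append(e)
    alerts = []
    for app, evs in by_app.items():
        seen, scopes = {}, set()
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            if e["op"] == CHAIN[0]:
                # A fresh consent restarts the correlation window.
                seen, scopes = {CHAIN[0]: t}, set(e["scopes"].split())
            elif (e["op"] in CHAIN and CHAIN[0] in seen
                  and t - seen[CHAIN[0]] <= window):
                seen[e["op"]] = t
        if all(op in seen for op in CHAIN):
            alerts.append({
                "app": app, "user": evs[0]["user"],
                "risky_scopes": sorted(scopes & RISKY_SCOPES),
                "chain_seconds": (seen[CHAIN[2]] - seen[CHAIN[0]]).total_seconds(),
            })
    return alerts
```

The alert carries the consented scopes that matter for persistence, so the triage step is to check whether the app is a known publisher before revoking the service principal and the user's refresh tokens.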