Author: Matt Kiely, Principal Security Researcher at Huntress Labs
Tl;dr: If you manage even one Microsoft 365 tenant, it’s time to audit your OAuth apps. Statistically speaking, there’s a strong chance a malicious app is lurking in your environment.
I wrote an open source script that can help you do this: https://github.com/HuskyHacks/cazadora
Specifically, look in your Enterprise Applications and Application Registrations for:
Apps named after a user account
Apps named “Test” or “Test App” or something similar
Apps named after the tenant domain name where they are installed
Apps using arbitrary strings as names, such as names made entirely of non-alphanumeric characters (e.g. “........”)
Anomalous reply URLs, specifically including a local loopback URL with port 7823 [“http://localhost:7823/access/”]
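To show how the checklist above translates into a mechanical audit, here is an added example (not the cazadora script and not Huntress code) that runs the five heuristics over app registration records shaped like Microsoft Graph /applications objects. The sample apps, the tenant domains and the user principal names are constructed placeholders; in practice you would feed it the JSON you export from your own tenant.

```python
import re
from urllib.parse import urlparse
# Constructed sample records shaped like Microsoft Graph /applications objects; not real tenant data.
SAMPLE_APPS = [
    {"displayName": "Contoso Expense Portal", "web": {"redirectUris": ["https://expenses.contoso.com/auth"]}},
    {"displayName": "jsmith", "web": {"redirectUris": ["http://localhost:7823/access/"]}},
    {"displayName": "Test App", "web": {"redirectUris": []}},
    {"displayName": "contoso.com", "web": {"redirectUris": ["https://login.example.net/cb"]}},
    {"displayName": "........", "web": {"redirectUris": []}},
]
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}   # hypothetical verified domains
USER_PRINCIPALS = {"jsmith@contoso.com", "adavis@contoso.com"}  # hypothetical UPNs
SUSPICIOUS_LOOPBACK_PORT = 7823  # the loopback reply-URL port called out in the article

def audit_app(app, tenant_domains, user_principals):
    """Return the list of heuristics an app registration trips (empty list = nothing flagged)."""
    name = (app.get("displayName") or "").strip()
    lowered = name.lower()
    findings = []
    # 1. Name matches a user account, either the full UPN or just its local part
    user_names = {u.lower() for u in user_principals} | {u.split("@")[0].lower() for u in user_principals}
    if lowered in user_names:
        findings.append("named_after_user")
    # 2. Placeholder names such as "Test", "Test App", "test_app2"
    if re.fullmatch(r"test[\s_-]*(app)?\s*\d*", lowered):
        findings.append("test_name")
    # 3. Name equals one of the tenant's own domain names
    if lowered in {d.lower() for d in tenant_domains}:
        findings.append("named_after_tenant_domain")
    # 4. Name contains no alphanumeric characters at all (e.g. "........")
    if name and not re.search(r"[A-Za-z0-9]", name):
        findings.append("non_alphanumeric_name")
    # 5. Loopback reply URL on the suspicious port
    uris = [urlparse(u) for u in app.get("web", {}).get("redirectUris", [])]
    if any(p.hostname in ("localhost", "127.0.0.1") and p.port == SUSPICIOUS_LOOPBACK_PORT for p in uris):
        findings.append("loopback_reply_url_7823")
    return findings

def audit_tenant(apps, tenant_domains, user_principals):
    """Map each flagged app's displayName to the heuristics it tripped; clean apps are omitted."""
    report = {}
    for app in apps:
        hits = audit_app(app, tenant_domains, user_principals)
        if hits:
            report[app.get("displayName", "")] = hits
    return report
if __name__ == "__main__":
    for name, hits in audit_tenant(SAMPLE_APPS, TENANT_DOMAINS, USER_PRINCIPALS).items():
        print(f"{name!r}: {', '.join(hits)}")
```

A hit is a prompt to review the app's owner, consented permissions and sign-in activity, not a verdict on its own.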
Seriously, go audit your apps! The article will be here when you get back.