Observation Summary
In today’s digital world, businesses rely on various software applications to enhance productivity, collaboration, and efficiency.
However, when employees use unauthorized or unapproved applications – often referred to as Shadow IT – they expose businesses to significant security risks.
ProArch SOC identified multiple instances of users adding enterprise applications to Entra ID (Azure AD) without administrator consent.
These applications requested sensitive permissions such as mail and file access. This activity increases the risk of data exfiltration, privilege escalation, phishing campaigns, and compliance violations within the organization’s cloud environment.
What’s Happening
- Users grant OAuth permissions (e.g., Mail.ReadWrite, Files.ReadWrite.All) to third-party apps without administrator review.
- If a user account is compromised, the attacker can register an application under that account. Unsanctioned enterprise apps may request permissions such as reading or sending email and accessing files across SharePoint, OneDrive or other services, all obtained through user-granted OAuth consent.
- If granted without review, these apps can exfiltrate sensitive data, create persistent access for attackers, or introduce compliance risks, all without appearing in official procurement or IT onboarding processes and without any malware on an endpoint.
- Common abuse scenarios include:
  - Sending phishing emails internally and externally from the compromised mailbox, widening the attack surface
  - Access to sensitive data in SharePoint, Exchange or OneDrive
  - Privilege escalation and persistence in the cloud environment
- In Entra ID, the setting “Let Microsoft manage your consent settings” still allows users to grant risky permissions; it needs to be changed to “Do not allow user consent”.
- High-risk permissions include:
  - Mail.Read / Mail.Send / Files.ReadWrite.All / Sites.ReadWrite.All / EWS.AccessAsUser.All
- Microsoft Defender for Cloud Apps (MDCA) app governance provides visibility into all connected enterprise applications and the permissions granted to them. This helps identify unsanctioned or risky OAuth apps added by users, and security teams can remove them or mark them as unsanctioned to prevent unauthorized access.
Why It Matters
Unauthorized enterprise apps create a Shadow IT layer. If a user account is compromised and the attacker registers an application under the user’s name, that application gives the attacker access to sensitive corporate data.
If this goes unnoticed, it can result in phishing campaigns run by the attacker, credential theft, data leakage, and unauthorized mailbox or SharePoint access. Such breaches can lead to serious financial loss, reputational damage, regulatory exposure and operational disruption.
ProArch SOC Observations
During the investigation of one such compromise, the ProArch SOC identified a targeted phishing incident that began with an unauthorized application registration. The following sequence of events was observed:
- The user clicked on a phishing link, which resulted in a successful sign-in from a malicious IP address. The security tool did not flag this URL click or login as suspicious.
- The attacker registered an enterprise application (eMClient), a malicious email-sending tool, without admin consent, taking advantage of a permissive Entra ID Enterprise Application “Consent and permissions” setting.
- Using the compromised account, the attacker launched a large-scale phishing campaign targeting all contacts within the user’s mailbox.
- The account was immediately blocked by the SOC team for containment and investigation.
- The SOC successfully removed all malicious emails and restored access to the legitimate user after completing validation.
- All internal phishing emails were deleted, and external contacts were notified to prevent further propagation.
Recommendations
- Set Entra ID’s Enterprise Application “Consent and permissions” setting to “Do not allow user consent” so that only admins can approve app permissions.
- Review and approve apps via an admin consent workflow.
- Monitor OAuth activity and high-privileged apps in Microsoft Defender for Cloud Apps.
- Mark unsanctioned apps to restrict their access organization-wide.
- Educate users on the risks of unauthorized applications and of approving consent requests from applications.
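The high-risk permission list above and the recommendation to monitor OAuth activity can be turned into a simple detection. The following Python script is an added example written for this advisory, not ProArch tooling or Microsoft code. It scans a constructed sample of Entra ID audit records shaped like “Consent to application” events and flags grants of high-risk scopes that were approved by a user rather than an admin; the exact field names (activityDisplayName, targetResources, modifiedProperties, ConsentAction.Permissions, ConsentContext.IsAdminConsent) are an assumption modelled on the audit log export and should be checked against your tenant’s own records, and every user, app name and ID in the sample is invented.

```python
"""Flag user-granted OAuth consents that include high-risk permissions.

Added example for the advisory above. The audit records are CONSTRUCTED and the
field layout is an ASSUMPTION modelled on Entra ID "Consent to application"
audit events; verify against a real export before relying on it.
"""
import json
import re

# Permissions the advisory lists as high risk (plus Mail.ReadWrite from "What's Happening").
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "EWS.AccessAsUser.All",
}


def _consent_record(time, user, app, admin_consent, scopes):
    """Build one constructed audit record; newValue fields are JSON-encoded strings as in the export."""
    return {
        "activityDateTime": time,
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": user}},
        "targetResources": [{
            "displayName": app,
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent",
                 "newValue": json.dumps("True" if admin_consent else "False")},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": json.dumps(
                     f"[] => [[Id: 1, ClientId: c1, ConsentType: Principal, Scope: {scopes}]]")},
            ],
        }],
    }


# Constructed sample export: one benign user consent, one risky user consent,
# one admin-approved high-privilege app, and one unrelated event.
SAMPLE_AUDIT_LOG = json.dumps([
    _consent_record("2024-05-02T08:14:09Z", "alice@example.com", "Expense Helper",
                    False, "openid profile User.Read"),
    _consent_record("2024-05-02T09:31:44Z", "bob@example.com", "Mail Relay Tool",
                    False, "Mail.ReadWrite Mail.Send User.Read"),
    _consent_record("2024-05-01T16:05:00Z", "admin@example.com", "Backup Service",
                    True, "Files.ReadWrite.All"),
    {"activityDateTime": "2024-05-02T10:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}}, "targetResources": []},
])


def _prop(target, name):
    """Return the decoded newValue of a modifiedProperties entry, or '' if absent."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            return json.loads(prop.get("newValue") or '""')
    return ""


def parse_consent_event(record):
    """Normalise a consent audit record; return None for any other event type."""
    if record.get("activityDisplayName") != "Consent to application":
        return None
    target = record["targetResources"][0]
    scopes = set()
    # Scope lists are space-separated and terminated by ']' or ',' in the permissions string.
    for match in re.finditer(r"Scope:\s*([^\],]*)", _prop(target, "ConsentAction.Permissions")):
        scopes.update(match.group(1).split())
    return {
        "time": record.get("activityDateTime"),
        "user": record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
        "app": target.get("displayName"),
        "admin_consent": _prop(target, "ConsentContext.IsAdminConsent").lower() == "true",
        "scopes": scopes,
    }


def find_risky_consents(audit_json):
    """Consents that granted a high-risk scope without an admin approving them."""
    findings = []
    for record in json.loads(audit_json):
        event = parse_consent_event(record)
        if event is None:
            continue
        risky = event["scopes"] & HIGH_RISK_SCOPES
        if risky and not event["admin_consent"]:
            findings.append({**event, "risky_scopes": sorted(risky)})
    return findings


def high_privilege_apps(audit_json):
    """Every app holding a high-risk scope, however consented, for periodic admin review."""
    apps = {}
    for record in json.loads(audit_json):
        event = parse_consent_event(record)
        if event and event["scopes"] & HIGH_RISK_SCOPES:
            apps.setdefault(event["app"], set()).update(event["scopes"] & HIGH_RISK_SCOPES)
    return {app: sorted(scopes) for app, scopes in apps.items()}


if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_AUDIT_LOG):
        print(f"ALERT {f['time']} {f['user']} consented to '{f['app']}' with {f['risky_scopes']}")
    print("High-privilege apps to review:", high_privilege_apps(SAMPLE_AUDIT_LOG))
```

On the sample, only the user-granted “Mail Relay Tool” consent raises an alert, while the admin-approved backup app is listed for review rather than alerted on; that split mirrors the recommendations, where admin consent is the sanctioned path and user consent is what should no longer be possible once the tenant setting is changed.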