Abstract
OAuth applications, which enable secure authorization between users and applications, are becoming increasingly popular targets for malicious actors. We will begin by explaining the concept of OAuth applications and their key features. After establishing a common level of understanding, we will examine the sophisticated methods by which threat actors abuse or compromise OAuth applications, as observed by Microsoft Security Research, such as consent phishing, cryptomining, business email compromise (BEC), and spamming.
By analyzing the attack kill chain and TTPs, attendees will gain an appreciation of the complexity of these attacks, from the initial user deception through application abuse to application-related impact activities. The session will also provide practical hunting tips, allowing defenders to proactively search for suspicious OAuth application activity across various log sources.
Attendees will also learn effective remediation strategies tailored to the different aspects of an attack, from compromised accounts to newly created or altered OAuth apps. We will discuss mitigation strategies for safe user and OAuth application deployment, helping organizations strengthen their defenses against OAuth application-related threats.
In conclusion, the talk emphasizes the need for organizations to understand OAuth application mechanisms and prioritize robust security measures. By applying essential mitigation strategies and detection mechanisms, attendees will be ready to face the growing threat landscape of OAuth application exploitation, protecting their digital assets and maintaining trust in their ecosystems.