Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query will find applications that have been granted Mail.Read or Mail.ReadWrite permissions in which the corresponding user recently consented to. It can help identify applications that have been abused to gain access to user email. The actor, Nobelium, was observed modifying existing tenant application permissions to allow them to read user email through the Microsoft Graph API. See Customer Guidance on Recent Nation-State Cyber Attacks. This query is insprired by an Azure Sentinel detecti
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 2c80af05-53c1-4a77-82e7-a649e8e32506 |
| Tactics | Defense evasion |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
CloudAppEvents |
ActionType in "Add delegated permission grant.,Consent to application." |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊