How Wiz Research automates detection of emerging malicious Azure app and consent phishing campaigns.
Analysis Summary
# Tool/Technique: Malicious OAuth Consent Phishing
## Overview
This technique involves attackers creating fraudulent Microsoft Entra ID (formerly Azure AD) applications designed to mimic legitimate software or corporate services. By tricking users into granting "Consent" to these apps via phishing links, attackers bypass the need for user passwords and establish persistent access to the victim’s Microsoft 365 environment through OAuth tokens.
## Technical Details
- **Type**: Technique / Malicious Application
- **Platform**: Microsoft Entra ID (Azure), Microsoft 365
- **Capabilities**: Credential-less persistence, data exfiltration (emails, files, profile data), and privilege escalation.
- **First Seen**: Ongoing; documented extensively by Wiz Research in February 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link
- **TA0003 - Persistence**
- T1136.003 - Create Account: Cloud Account (Service Principal)
- **TA0004 - Privilege Escalation**
- T1098.003 - Account Manipulation: Additional Cloud Roles (OAuth / device-code grants)
- **TA0005 - Defense Evasion**
- T1036.007 - Masquerading: Double File Extension / Homoglyph (app naming)
- **TA0006 - Credential Access**
- T1528 - Steal Application Access Token
## Functionality
### Core Capabilities
- **Homoglyph Attacks**: Using visually similar characters to spoof legitimate apps (e.g., "0ffice" instead of "Office" or "0-Adobe").
- **Service Principal Creation**: On consent, Entra ID automatically creates a service principal (the tenant-local instance of the attacker's multi-tenant application) inside the victim's tenant.
- **Token-Based Access**: Uses OAuth 2.0 refresh tokens to maintain access even if the user changes their password.
### Advanced Features
- **App Masquerading**: Configuring familiar logos, legitimate-looking homepage URLs, and publisher names so that the consent prompt is waved through by users already suffering from "consent fatigue."
- **Automated Phishing Pipelines**: Integration with email campaigns directing users to authentic Microsoft login pages to minimize suspicion.
## Indicators of Compromise
- **File Names**: N/A (Cloud-native attack)
- **App Names / Homoglyphs**:
- `0ffice`
- `0-Adobe`
- Any app name starting with a zero or non-standard character to mimic a brand.
- **Network Indicators**:
- `https[:]//login[.]microsoftonline[.]com/common/oauth2/v2.0/authorize` (the genuine Microsoft authorization endpoint, used as the initial phishing redirect)
- `https[:]//[attacker-controlled-domain][.]azurewebsites[.]net`
- **Behavioral Indicators**:
- New Service Principal created by a non-admin user.
- Unexpected applications requesting high-privilege scopes like `Mail.Read`, `Notes.Read.All`, or `Files.ReadWrite`.
## Associated Threat Actors
- Various unidentified cybercriminal groups targeting enterprise data.
- Historically associated with Microsoft-tracked "Storm-" threat groups and APTs seeking cloud persistence.
## Detection Methods
- **OAuth Apps Scout (via Wiz)**: An LLM-powered detection pipeline that analyzes app metadata (names, logos, and scopes) to surface anomalies.
- **Behavioral detection**: Monitoring Entra ID Audit Logs for `Add service principal` and `Consent to application` events, especially those originating from external tenants.
- **Scope Analysis**: Flagging apps that request "Admin Consent" levels without a clear business use case.
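The behavioral and name-based checks above, combined into one triage pass, as an added example that is not part of the Wiz report or its tooling. It runs over constructed, simplified audit records (the field names `app`, `actor_is_admin`, `publisher_verified` and `scopes` are assumptions, not real Entra ID schema), folds homoglyphs before comparing app names against a brand list, and flags non-admin consents that grant high-privilege scopes:

```python
import unicodedata
# Constructed sample records in a simplified, hypothetical shape; real directoryAudits entries carry more fields.
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "app": "0ffice 365 Viewer", "actor_is_admin": False,
     "publisher_verified": False, "scopes": ["offline_access", "Mail.Read", "Files.ReadWrite"]},
    {"activity": "Consent to application", "app": "0-Adobe", "actor_is_admin": False,
     "publisher_verified": False, "scopes": ["User.Read"]},
    {"activity": "Consent to application", "app": "Microsoft Teams", "actor_is_admin": True,
     "publisher_verified": True, "scopes": ["User.Read", "offline_access"]},
    {"activity": "Add service principal", "app": "Contoso Expense Bot", "actor_is_admin": False,
     "publisher_verified": False, "scopes": ["Notes.Read.All"]},
]

BRANDS = ("microsoft", "office", "adobe", "sharepoint", "docusign")
# offline_access is what yields the long-lived refresh token behind password-proof persistence.
HIGH_PRIV_SCOPES = {"offline_access", "Mail.Read", "Notes.Read.All", "Files.ReadWrite"}
# Digits, symbols and Cyrillic letters commonly substituted for Latin letters in app names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
                             "о": "o", "а": "a", "е": "e", "с": "c", "р": "p"})

def normalize_app_name(name: str) -> str:
    # NFKD folds fullwidth/accented forms; translate maps look-alikes; keep only a-z0-9.
    folded = unicodedata.normalize("NFKD", name).lower().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isascii() and ch.isalnum())

def name_finding(name: str):
    # Why the display name looks like brand spoofing, or None if it does not.
    norm, raw = normalize_app_name(name), name.lower()
    for brand in BRANDS:
        if brand in norm and brand not in raw:      # brand only appears after folding confusables
            return f"homoglyph of '{brand}'"
        if brand in norm and not name[0].isalpha():  # e.g. a leading zero or dash before the brand
            return f"non-letter prefix before '{brand}'"
    return None

def triage(event: dict) -> list:
    # Reasons an audit event deserves analyst attention; empty list means nothing matched.
    reasons, finding = [], name_finding(event["app"])
    if finding:
        verified = "" if event["publisher_verified"] else ", publisher not verified"
        reasons.append(f"app name {finding}{verified}")
    risky = sorted(set(event["scopes"]) & HIGH_PRIV_SCOPES)
    if risky and not event["actor_is_admin"]:
        reasons.append(f"non-admin {event['activity'].lower()} granting {', '.join(risky)}")
    return reasons

def scan(events: list) -> dict:
    # Map app display name to its findings, keeping only events that produced any.
    return {e["app"]: r for e in events if (r := triage(e))}
```

Legitimate, publisher-verified apps consented by admins (the "Microsoft Teams" record) produce no findings, while both homoglyph names and the plain-named app requesting `Notes.Read.All` from a non-admin are surfaced.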
## Mitigation Strategies
- **Tenant Hardening**: Disable the ability for non-admin users to consent to apps (limit to verified publishers only).
- **Step-up Authentication**: Require MFA for any new application consent.
- **User Education**: Training employees to recognize homoglyph attacks and inspect the "Verified Publisher" badge on Microsoft consent prompts.
- **Application Review**: Periodically audit "Enterprise Applications" in the Entra ID portal and remove unused or suspicious third-party integrations.
## Related Tools/Techniques
- **Illicit Consent Grant**: The broader category for this attack.
- **App Governance**: Microsoft tool for managing OAuth apps.
- **EvilGinx/Modlishka**: Tools often used in tandem for session hijacking and proxying OAuth flows.