MDO — Illicit OAuth App Consent (Consent Phishing)
MDO AR 05 Illicit O Auth Consent
Query
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType in ("Consent to application", "Add delegated permission grant")
| extend AppName = tostring(RawEventData.ObjectName)
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName, ActionType, AppName,
IPAddress, IsAdminOperation, UserAgentExplanation
This query is designed to detect potential security threats related to OAuth app consent, specifically focusing on consent phishing or illicit-grant attacks. Here's a simplified breakdown:
-
Purpose: The query identifies when a user grants delegated consent to an OAuth application. This action can be exploited by attackers to gain persistent access to a user's email and files.
-
Severity: The alert generated by this query is marked as "High" due to the potential security risk.
-
Data Source: It uses data from Microsoft Threat Protection, specifically looking at "CloudAppEvents".
-
Frequency: The query runs every hour and checks for events that occurred in the past hour.
-
Detection Logic:
- It filters events where the action type is either "Consent to application" or "Add delegated permission grant".
- It extracts details like the application name, user information, IP address, and whether the action was an admin operation.
-
Alert Details:
- If such an event is detected, an alert is generated with details about the user who granted consent, the application involved, and the IP address from which the action was performed.
- The alert suggests reviewing the app, publisher, and permissions granted, and revoking access if the consent appears to be part of a phishing attack.
-
Incident Management:
- The query is configured to create an incident for each alert.
- Incidents can be grouped by user accounts to manage related alerts together.
-
MITRE ATT&CK Framework: The query is associated with techniques T1528 (Steal Application Access Token) and T1566 (Phishing), indicating its relevance to credential and initial access tactics.
Overall, this query helps security teams monitor and respond to unauthorized OAuth consent activities, which could indicate a phishing attack aimed at gaining unauthorized access to sensitive information.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT1H