O Auth App Using The OD File Picker Permission
Query
// OAuth app using the OD file picker permission
// https://thehackernews.com/2025/05/microsoft-onedrive-file-picker-flaw.html
OAuthAppInfo
| where Timestamp > ago(30d)
| where AppStatus == "Enabled"
| mv-expand Permissions
| where parse_json(Permissions)["TargetAppDisplayName"] == 'Microsoft Graph'
| where parse_json(Permissions)["PermissionValue"] == 'MyFiles.Write' or
parse_json(Permissions)["PermissionValue"] == 'Files.ReadWrite.All' or
parse_json(Permissions)["PermissionValue"] == 'Sites.ReadWrite.All' or
parse_json(Permissions)["PermissionValue"] == 'AllSites.Write'Explanation
This query is designed to identify OAuth applications that have been active in the last 30 days and have specific permissions related to file access in Microsoft services. Here's a simplified breakdown:
-
Data Source: The query is examining data from the
OAuthAppInfotable. -
Time Filter: It only considers records from the past 30 days (
Timestamp > ago(30d)). -
App Status: It filters for applications that are currently "Enabled".
-
Permissions Expansion: The query expands the list of permissions for each application to examine them individually.
-
Target Application: It specifically looks for permissions associated with 'Microsoft Graph'.
-
Specific Permissions: The query checks for applications that have any of the following permissions:
MyFiles.Write: Permission to write to the user's files.Files.ReadWrite.All: Permission to read and write all files the user can access.Sites.ReadWrite.All: Permission to read and write all SharePoint sites the user can access.AllSites.Write: Permission to write to all sites.
The overall goal is to identify potentially risky applications with broad access to files and sites, which could be a security concern.
Details

Steven Lim
Released: May 31, 2025
Tables
Keywords
Operators