SC-031: OAuth Token Abuse — Operation Consent Trap¶

Threat Actor Profile¶

VELVET HOOK is an espionage-motivated threat group tracked since early 2025, specializing in OAuth and cloud identity abuse against professional services firms, law firms, and consulting companies. The group targets organizations that handle sensitive client data — mergers and acquisitions, litigation, government contracts — using the stolen data for economic espionage and insider trading.

VELVET HOOK's signature technique is illicit consent grant attacks: they register malicious Azure AD/Entra ID applications that masquerade as legitimate productivity tools, then distribute consent phishing emails to target employees. When a victim grants consent, the malicious app receives OAuth tokens with delegated permissions to read email, access OneDrive, and enumerate directory information — all without requiring the victim's password or MFA token. The OAuth refresh tokens provide persistent access for up to 90 days (or until revoked), surviving password resets.

Motivation: Economic espionage — theft of M&A documentation, legal strategies, government contract proposals, and client financial data. Estimated intelligence value per operation: $5M–$50M (based on data sensitivity). The group has been linked to operations targeting firms involved in cross-border acquisitions and defense contracting.

Scenario Narrative¶

Phase 1 — Malicious App Registration & Phishing Campaign (~30 min)¶

VELVET HOOK registers a malicious OAuth application in a separate Entra ID tenant they control (velvet-apps.onmicrosoft.com). The application is named "SecureDoc Viewer Pro" with a convincing publisher name, logo, and privacy policy URL. The app requests the following delegated permissions:

• Mail.Read — Read user mailbox
• Files.Read.All — Read all files the user can access
• User.Read — Read user profile
• Contacts.Read — Read user contacts
• offline_access — Maintain access (refresh tokens)

The group crafts a consent phishing campaign targeting 85 Horizon employees. The phishing emails impersonate Horizon's IT department, claiming that a new "secure document viewer" is required to access a shared compliance report. The email contains a link to the Microsoft consent prompt:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<malicious-app-id>&redirect_uri=...&scope=Mail.Read+Files.Read.All+User.Read+Contacts.Read+offline_access

Because the link goes to login.microsoftonline.com (Microsoft's legitimate OAuth endpoint), email security gateways do not flag it as malicious. The consent page shows Microsoft's standard "This app wants to access your data" prompt.

Evidence Artifacts:

Phase 2 — Consent Grants & Token Harvesting (~30 min)¶

Of the 85 employees who received the phishing email, 23 click the link and are presented with Microsoft's OAuth consent prompt. 14 employees grant consent — they see the Microsoft login page (already authenticated via SSO), review the permission list, and click "Accept." The malicious app receives an authorization code, which VELVET HOOK exchanges for access tokens and refresh tokens via the standard OAuth 2.0 token endpoint.

Key victims include:

• m.chen@horizon-consulting.example.com — Senior Partner, M&A Practice (OneDrive contains deal documents)
• s.williams@horizon-consulting.example.com — Defense Sector Lead (mailbox contains classified contract discussions)
• j.patel@horizon-consulting.example.com — Finance Director (access to financial projections and client billing)

The refresh tokens have a default lifetime of 90 days and are not invalidated by password changes — only by explicitly revoking the app's consent or the specific refresh token.

Evidence Artifacts:

Phase 3 — Mailbox & OneDrive Exfiltration (~45 min)¶

Using the harvested OAuth tokens, VELVET HOOK systematically accesses the mailboxes and OneDrive accounts of all 14 compromised users via the Microsoft Graph API. The exfiltration is conducted from cloud infrastructure at 198.51.100.200 and 198.51.100.201, using rate-limited API calls to avoid triggering throttling alerts.

Over 5 days, the group exfiltrates:

• 4,721 emails from 14 mailboxes — focusing on emails containing keywords: "acquisition," "merger," "classified," "ITAR," "proposal," "confidential"
• 892 OneDrive files (3.2 GB) — including M&A due diligence documents, defense contract proposals, client financial models, and board presentation decks
• Contact lists for all 14 users — 2,847 unique contacts including government officials and defense contractor executives

The API calls use legitimate Microsoft Graph endpoints (graph.microsoft.com), making network-level detection impossible — the traffic appears identical to normal M365 application activity.

Evidence Artifacts:

Phase 4 — Persistence & Lateral Expansion (~30 min)¶

VELVET HOOK establishes additional persistence mechanisms beyond the initial OAuth tokens. Using the Contacts.Read permission and email content from compromised accounts, the group identifies high-value targets at Horizon's client organizations. They craft new consent phishing emails sent from m.chen's legitimate mailbox (using the Mail.Send permission — which was not explicitly requested but is implied by some OAuth scopes in certain configurations).

Wait — the app only requested Mail.Read, not Mail.Send. VELVET HOOK pivots: they use information from m.chen's emails to craft highly convincing spear-phishing emails from a lookalike domain (horizon-consultlng.example.com — "l" replaced with "l", visually identical in many fonts). The emails target 3 defense contractor contacts found in the exfiltrated data.

Additionally, the group registers 2 more malicious apps with slightly different names ("DocuSign Integration Helper" and "Teams Meeting Analyzer") and targets the same 14 users with new consent phishing emails — diversifying persistence across multiple app registrations.

Evidence Artifacts:

Phase 5 — Detection & Containment (~30 min)¶

The attack is discovered on Day 8 when Horizon's security analyst reviews the weekly Entra ID sign-in report and notices service principal sign-ins for "SecureDoc Viewer Pro" — an app no one in IT recognizes. The analyst investigates and discovers the consent grants, API access patterns, and data exfiltration.

Evidence Artifacts:

Phase 6 — Eradication & Hardening (~30 min)¶

Horizon's incident response team, augmented by external cloud security consultants, conducts a comprehensive remediation effort. The focus extends beyond removing the immediate threat to hardening the M365 environment against future OAuth-based attacks.

Evidence Artifacts:

Detection Opportunities¶

KQL Detection Queries¶

// Detect new OAuth app consent grants
AuditLogs
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| extend AppId = tostring(TargetResources[0].id)
| extend UserGranting = tostring(InitiatedBy.user.userPrincipalName)
| extend Permissions = tostring(AdditionalDetails)
| where AppId !in ("known-app-id-1", "known-app-id-2") // allowlisted apps
| project TimeGenerated, UserGranting, AppName, AppId, Permissions
| sort by TimeGenerated desc

// Detect excessive Graph API calls by service principal
AADServicePrincipalSignInLogs
| where ResultType == 0
| summarize APICallCount=count(), DistinctUsers=dcount(ServicePrincipalName) by AppId, AppDisplayName, IPAddress, bin(TimeGenerated, 1h)
| where APICallCount > 500
| extend Alert = strcat("High-volume API activity: ", AppDisplayName, " — ", APICallCount, " calls/hr")

// Detect MailItemsAccessed by non-standard applications
OfficeActivity
| where Operation == "MailItemsAccessed"
| where ClientAppId !in ("known-outlook-appid", "known-mobile-appid")
| summarize MailsAccessed=count(), DistinctUsers=dcount(UserId) by ClientAppId, AppDisplayName=ClientInfoString, bin(TimeGenerated, 1h)
| where MailsAccessed > 100
| extend Alert = "Non-standard app accessing mailbox at high volume"

// Detect consent phishing URLs in email
EmailUrlInfo
| where Url has "login.microsoftonline.com" and Url has "oauth2" and Url has "authorize"
| extend ClientId = extract("client_id=([a-f0-9-]+)", 1, Url)
| where ClientId !in ("known-app-id-1", "known-app-id-2")
| join kind=inner EmailEvents on NetworkMessageId
| project TimeGenerated, SenderFromAddress, RecipientEmailAddress, Subject, ClientId, Url

Splunk (SPL) Detection Queries¶

// OAuth consent grant detection
index=azure sourcetype=azure_audit operationName="Consent to application"
| spath output=app_name path=targetResources{}.displayName
| spath output=app_id path=targetResources{}.id
| spath output=user path=initiatedBy.user.userPrincipalName
| where NOT app_id IN ("known-app-id-1", "known-app-id-2")
| table _time, user, app_name, app_id
| eval alert="New OAuth app consent — investigate if authorized"

// High-volume Graph API access by service principal
index=azure sourcetype=azure_signin loginType="servicePrincipal" resultType=0
| bucket _time span=1h
| stats count as api_calls dc(resourceDisplayName) as resources by appDisplayName, appId, ipAddress, _time
| where api_calls > 500
| eval alert="Excessive API calls from service principal: ".appDisplayName

// MailItemsAccessed by unrecognized app
index=o365 sourcetype=o365_management_activity Operation=MailItemsAccessed
| where NOT ClientAppId IN ("known-outlook-id", "known-mobile-id")
| stats count as items_accessed dc(UserId) as affected_users by ClientAppId, ClientInfoString
| where items_accessed > 100
| eval severity="HIGH"
| eval alert="Unrecognized app accessing mailboxes — possible OAuth token abuse"

// Detect multiple consent grants in short timeframe (campaign indicator)
index=azure sourcetype=azure_audit operationName="Consent to application"
| spath output=app_id path=targetResources{}.displayName
| bucket _time span=4h
| stats dc(initiatedBy.user.userPrincipalName) as consenting_users count as consent_events by app_id, _time
| where consenting_users >= 3
| eval alert="Multiple users consenting to same app — possible consent phishing campaign"

Incident Response Checklist¶

Immediate Actions (0–2 hours)¶

• [ ] Identify all malicious app IDs from Entra ID audit logs
• [ ] Block malicious apps at the enterprise application level in Entra ID
• [ ] Revoke all refresh tokens for affected users (Revoke-AzureADUserAllRefreshToken)
• [ ] Revoke app consent grants for all affected users
• [ ] Disable user-level app consent (switch to admin-only or admin consent workflow)
• [ ] Force re-authentication for all affected users

Short-Term Actions (2–48 hours)¶

• [ ] Audit all enterprise application consent grants across the entire tenant
• [ ] Review Unified Audit Log for data access by malicious apps — determine exfiltration scope
• [ ] Classify all accessed/exfiltrated data by sensitivity (ITAR, PII, financial, privileged)
• [ ] Notify legal counsel — assess regulatory reporting obligations (ITAR, SEC, state breach laws)
• [ ] Check for typosquat domains impersonating the organization
• [ ] Notify external contacts who received phishing from compromised accounts

Long-Term Actions (1–4 weeks)¶

• [ ] Deploy CASB (Microsoft Defender for Cloud Apps or equivalent)
• [ ] Configure real-time app governance alerts
• [ ] Implement conditional access policies for service principal sign-ins
• [ ] Conduct OAuth consent phishing awareness training for all staff
• [ ] Enforce DMARC p=reject for all organizational domains
• [ ] Establish quarterly review of all enterprise app consent grants
• [ ] Implement app verification requirements (verified publisher only)

Lessons Learned¶

What Went Wrong¶

What Went Right¶

ATT&CK Navigator Mapping¶

Related Chapters¶

• Chapter 33 — Identity & Access Security — OAuth 2.0, Entra ID, conditional access, token management
• Chapter 20 — Cloud Attack & Defense — Cloud identity attacks, M365 security, CASB deployment
• Chapter 44 — Web Application Pentesting — OAuth vulnerabilities, consent phishing, application security