// Purpose: match inbound messages that carry a link to login.microsoftonline.com
// whose query string or path matches the markers below. The URL predicate is
// repeated verbatim in three places (body links, links extracted from exploded
// attachments, links inside ICS calendar events) — keep the three copies in sync.
// NOTE(review): the query-string patterns look like OAuth scope / prompt parameters
// (offline_access, .read, .readwrite, prompt=none) — presumably aimed at consent-style
// phishing links; confirm intent with the rule author before tuning.
// NOTE(review): '*.read*' already matches '.readwrite', and '*ctx=*' already matches
// any query string containing 'ctx=', so the '/common/reprocess' branch (ctx= and
// sessionId=) appears to be subsumed by the strings.ilike() check — verify against
// ilike() semantics before simplifying.
type.inbound
and (
// links in email body
// exact match on the parsed domain; other Microsoft hosts and lookalikes are not covered here
any(body.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
// case-insensitive wildcard match: true if ANY of the listed patterns matches
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path, '/common/reprocess')
and strings.icontains(.href_url.query_params, 'ctx=')
and strings.icontains(.href_url.query_params, 'sessionId=')
)
)
)
// links in PDF, HTML, DOCX and PPTX attachments
// each selected attachment is exploded and the URLs found by the scan are tested
// with the same predicate as the body links above
or any(filter(attachments, .file_type in ("pdf", "html", "docx", "pptx")),
any(file.explode(.),
any(.scan.url.urls,
.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.path, '/common/reprocess')
and strings.icontains(.query_params, 'ctx=')
and strings.icontains(.query_params, 'sessionId=')
)
)
)
)
)
// links inside calendar (.ics) attachment events
// an attachment qualifies by file type, extension, or content type; any one is enough
or any(attachments,
(
.file_type == "ics"
or .file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// same URL predicate, applied to the links of each parsed calendar event
and any(beta.file.parse_ics(.).events,
any(.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path, '/common/reprocess')
and strings.icontains(.href_url.query_params, 'ctx=')
and strings.icontains(.href_url.query_params,
'sessionId='
)
)
)
)
)
)
)