The Midnight OAuth

2-3 hours Modules: M15, M9, M10, M6

Incident Brief

Incident ID: SC-2026-04-001 Date/Time: Tuesday, 08 April 2026, 02:17 UTC Alert Source: Microsoft Sentinel — Custom analytics rule “Consent to application from non-corporate IP” Assigned to: You

At 02:17 UTC, a Sentinel analytics rule triggered: four users consented to an application named “DocuSign Integration Service” within a 90-minute window. All four consents originated from non-corporate IP addresses. The application requests the following permissions: Mail.ReadWrite, Files.Read.All, User.Read.

The SOC lead assigns you the investigation. The four users are:

User	Department	Consent Time (UTC)	IP Address
s.chen@northgateeng.com	IT	02:17	198.51.100.44
r.williams@northgateeng.com	Engineering	02:31	198.51.100.44
j.morrison@northgateeng.com	Finance	02:48	198.51.100.51
a.patel@northgateeng.com	Accounts Payable	03:02	198.51.100.51

No user has reported anything suspicious. The consent alert was the only detection.

Your Investigation

Answer each question with supporting KQL evidence. Document your reasoning — not just the answer.

Phase 1: Application Assessment

Question 1. Is “DocuSign Integration Service” a legitimate Microsoft-verified application, or is it attacker-controlled? What evidence supports your conclusion?

Hint

Check the application registration: is the publisher verified? When was it registered? Is it in your tenant or an external tenant? The AuditLogs table and the Entra ID Enterprise Applications blade provide this data.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
// Starting query: find the application details from consent events
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| where tostring(TargetResources[0].displayName) == "DocuSign Integration Service"
| extend AppId = tostring(TargetResources[0].id)
| extend ConsentUser = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| project TimeGenerated, ConsentUser, AppId, IPAddress, Permissions

Question 2. The application requests Mail.ReadWrite, Files.Read.All, and User.Read. Using the permission risk scoring from Module 15.3, what is the risk score for this application? Which permission is the highest concern and why?

Question 3. Two different IPs were used (198.51.100.44 and 198.51.100.51). Are these from the same infrastructure? What does the ASN tell you?

Phase 2: Delivery Mechanism

Question 4. How were the four users directed to the consent prompt? Find the phishing email.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
// Starting query: search for emails to the consenting users around the consent time
EmailEvents
| where TimeGenerated between(datetime(2026-04-07T22:00:00Z) .. datetime(2026-04-08T04:00:00Z))
| where RecipientEmailAddress in (
    "s.chen@northgateeng.com",
    "r.williams@northgateeng.com",
    "j.morrison@northgateeng.com",
    "a.patel@northgateeng.com")
| project TimeGenerated, SenderFromAddress, SenderFromDomain,
    RecipientEmailAddress, Subject, DeliveryAction
| order by TimeGenerated asc

Question 5. Did the phishing email reach only these four users, or were additional users targeted? How many total recipients? How many did NOT consent?

Phase 3: Data Exposure

Question 6. Has the application actually accessed any data since consent? Check the service principal sign-in logs.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
// Starting query: application activity since consent
AADServicePrincipalSignInLogs
| where TimeGenerated > datetime(2026-04-08T02:00:00Z)
| where AppId == "APP-ID-FROM-QUESTION-1"
| where ResultType == "0"
| summarize
    AccessCount = count(),
    FirstAccess = min(TimeGenerated),
    LastAccess = max(TimeGenerated),
    Resources = make_set(ResourceDisplayName, 10),
    IPs = make_set(IPAddress, 5)

Question 7. For each of the four users: estimate the data exposure. How many emails were accessed? Were any files accessed? Build a per-user exposure table.

Phase 4: Containment and Response

Question 8. Write the containment sequence. In what order do you execute the following actions, and why does the order matter?

Revoke user tokens
Delete the enterprise application
Reset user passwords
Block the phishing sender domain
Notify the four users

Question 9. After containment: what detection rule would you deploy to catch this pattern earlier next time? Write the KQL.

Question 10. Draft the executive summary for this incident (5 sentences maximum). Use the template from Module 12.11.

Solution

Click to reveal the full solution walkthrough

Solution walkthrough

Q1: Application legitimacy. The application “DocuSign Integration Service” is NOT the legitimate DocuSign application. Evidence: the AppId does not match DocuSign’s known registered application IDs. The publisher is unverified. The application was registered in an external tenant within the last 7 days. The legitimate DocuSign application is publisher-verified and has a well-known AppId. This is a social engineering attack — the attacker named their application to mimic a trusted brand.

Q2: Risk score. Mail.ReadWrite = 3 (Critical). Files.Read.All = 3 (Critical). User.Read = 0 (Low). Bulk consent (4 users in 90 min) = +4. Non-corporate IP = +1. Total: 11 (High — investigate immediately). Mail.ReadWrite is the highest concern: it grants the application the ability to read AND modify email — including deleting evidence of the phishing campaign.

Q3: IP analysis. Both IPs (198.51.100.44 and 198.51.100.51) are in the same /24 range, suggesting shared hosting infrastructure. Query the ASN: they belong to a cloud hosting provider, not a legitimate corporate network. The attacker used two IPs from the same provider — likely two VPS instances.

Q4: Phishing email. An email with subject “Action Required: Authorise DocuSign Integration” was sent from noreply@docusign-integration-service.com — a lookalike domain. The email directed users to a legitimate Microsoft consent prompt URL with the attacker’s application pre-loaded.

Q5: Campaign scope. The email was sent to 12 users across Finance, IT, and Engineering. 4 consented (the alert). 8 received but did not consent. 0 were blocked by email protection (the email contained a legitimate microsoft.com URL, so Safe Links did not flag it).

Q6-7: Data exposure. The application authenticated immediately after each consent. Exchange Online was accessed for all 4 users. j.morrison (Finance): 127 emails accessed. a.patel (Accounts Payable): 94 emails accessed. s.chen (IT): 43 emails accessed. r.williams (Engineering): 31 emails accessed. No SharePoint files were accessed (Files.Read.All permission was granted but not yet used).

Q8: Containment sequence. 1) Delete the enterprise application (immediately stops all application access for all 4 users — single action, maximum impact). 2) Block the phishing sender domain (prevents additional waves). 3) Reset passwords (the consent was not credential-based, but reset as precaution). 4) Revoke tokens (in case the attacker also captured credentials). 5) Notify users (after containment is complete — not before, to avoid alerting the attacker if any user forwards the notification). Order matters: deleting the application is the single action that revokes ALL OAuth access immediately. Password reset and token revocation address potential credential compromise. Notification comes last.

Q9: Detection rule.

1
2
3
4
5
6
7
8
9
// Consent from non-corporate IP with high-risk permissions
AuditLogs
| where OperationName == "Consent to application"
| where Result == "success"
| extend ConsentUser = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| where IPAddress !in (_GetWatchlist('CorporateExternalIPs') | project SearchKey)
| where Permissions has_any ("Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All")

Q10: Executive summary. “On 8 April 2026, four Northgate Engineering employees consented to a malicious OAuth application disguised as a DocuSign integration, granting it access to read and modify their email. The application was delivered via a phishing email targeting 12 users across Finance, IT, and Engineering. The application accessed approximately 295 emails before detection and revocation. No financial fraud or data exfiltration has been confirmed. The application has been deleted, affected users notified, and a detection rule deployed to prevent recurrence.”

← All Challenges