<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>TTPs on IAMDevBox</title><link>https://www.iamdevbox.com/tags/ttps/</link><description>Recent content in TTPs on IAMDevBox</description><image><title>IAMDevBox</title><url>https://www.iamdevbox.com/IAMDevBox.com.jpg</url><link>https://www.iamdevbox.com/IAMDevBox.com.jpg</link></image><generator>Hugo -- 0.146.0</generator><language>en-us</language><lastBuildDate>Fri, 17 Jul 2026 15:17:19 +0000</lastBuildDate><atom:link href="https://www.iamdevbox.com/tags/ttps/index.xml" rel="self" type="application/rss+xml"/><item><title>3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs</title><link>https://www.iamdevbox.com/posts/3-oauth-ttps-seen-this-month-and-how-to-detect-them-with-entra-id-logs/</link><pubDate>Fri, 17 Jul 2026 15:17:14 +0000</pubDate><guid>https://www.iamdevbox.com/posts/3-oauth-ttps-seen-this-month-and-how-to-detect-them-with-entra-id-logs/</guid><description>Discover the latest OAuth TTPs and learn how to detect them using Entra ID logs. Protect your applications from attacks with practical security measures.</description><content:encoded><![CDATA[<p>OAuth 2.0 is a widely used authorization framework that enables third-party applications to access user resources without exposing credentials. However, like any technology, it is susceptible to various threats. In this post, I’ll walk you through three OAuth Threat Tactics, Techniques, and Procedures (TTPs) that I’ve seen this month and how to detect them using Entra ID logs.</p>
<h2 id="what-are-ttps-in-the-context-of-oauth">What are TTPs in the context of OAuth?</h2>
<p>TTPs, or Threat Tactics, Techniques, and Procedures, are the methods attackers use to exploit OAuth vulnerabilities. Understanding these TTPs is crucial for implementing effective security measures and protecting your applications.</p>
<h2 id="what-is-authorization-code-injection">What is authorization code injection?</h2>
<p>Authorization code injection is a technique where an attacker intercepts the authorization code returned by the authorization server and uses it to obtain an access token. This allows the attacker to gain unauthorized access to the user’s resources.</p>
<h3 id="how-does-authorization-code-injection-work">How does authorization code injection work?</h3>
<ol>
<li>The attacker tricks the user into visiting a malicious website that looks legitimate.</li>
<li>The malicious site redirects the user to the authorization server with a crafted redirect URI.</li>
<li>The user authenticates and authorizes the malicious site, which receives an authorization code.</li>
<li>The attacker intercepts the authorization code and uses it to request an access token from the authorization server.</li>
<li>The attacker now has access to the user’s resources.</li>
</ol>
<h3 id="example-of-authorization-code-injection">Example of authorization code injection</h3>
<p>Here’s a simplified example of how an attacker might attempt to inject an authorization code:</p>
<div class="mermaid">

sequenceDiagram
    participant User
    participant MaliciousSite
    participant AuthServer
    participant ResourceServer

    User->>MaliciousSite: Visit malicious site
    MaliciousSite->>AuthServer: Redirect User with crafted URI
    AuthServer->>User: Authorization page
    User->>AuthServer: Authenticate and authorize
    AuthServer->>MaliciousSite: Authorization code
    MaliciousSite->>AuthServer: Request access token with code
    AuthServer->>MaliciousSite: Access token
    MaliciousSite->>ResourceServer: Access user resources

</div>

<h3 id="how-to-detect-authorization-code-injection-with-entra-id-logs">How to detect authorization code injection with Entra ID logs</h3>
<p>To detect authorization code injection, monitor Entra ID logs for unusual patterns, such as:</p>
<ul>
<li>Multiple failed token requests from the same IP address.</li>
<li>Token requests with suspicious redirect URIs.</li>
<li>Unusual spikes in token issuance.</li>
</ul>
<p>Here’s an example of how you might query Entra ID logs for suspicious activity:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e"># Query Entra ID logs for failed token requests</span>
</span></span><span style="display:flex;"><span>Get-AzureADAuditSignInLogs -Filter <span style="color:#e6db74">&#34;Status.ErrorCode eq &#39;50053&#39;&#34;</span>
</span></span></code></pre></div><div class="notice warning">⚠️ <strong>Warning:</strong> Always validate redirect URIs to ensure they match expected values.</div>
<div class="key-takeaway">
<h4>🎯 Key Takeaways</h4>
<ul>
<li>Authorization code injection involves intercepting authorization codes to obtain access tokens.</li>
<li>Monitor Entra ID logs for suspicious token requests and redirect URIs.</li>
<li>Validate redirect URIs to prevent injection attacks.</li>
</ul>
</div>
<h2 id="what-is-token-theft">What is token theft?</h2>
<p>Token theft occurs when an attacker gains unauthorized access to an access token, allowing them to impersonate a user or service. This can happen through various means, such as session hijacking or man-in-the-middle attacks.</p>
<h3 id="how-does-token-theft-work">How does token theft work?</h3>
<ol>
<li>The attacker intercepts an access token during a legitimate transaction.</li>
<li>The attacker uses the stolen token to make requests to the resource server.</li>
<li>The resource server validates the token and grants access to the attacker.</li>
</ol>
<h3 id="example-of-token-theft">Example of token theft</h3>
<p>Here’s a simple example of how token theft might occur:</p>
<div class="mermaid">

sequenceDiagram
    participant User
    participant App
    participant AuthServer
    participant ResourceServer
    participant Attacker

    User->>App: Login
    App->>AuthServer: Auth Request
    AuthServer-->>App: Token
    App-->>User: Success
    App->>ResourceServer: Access request with token
    Attacker->>App: Intercept token
    Attacker->>ResourceServer: Access request with stolen token
    ResourceServer-->>Attacker: Grant access

</div>

<h3 id="how-to-detect-token-theft-with-entra-id-logs">How to detect token theft with Entra ID logs</h3>
<p>To detect token theft, look for signs of unauthorized access in Entra ID logs, such as:</p>
<ul>
<li>Unusual access patterns from unfamiliar locations or devices.</li>
<li>Multiple access requests from the same token within a short period.</li>
<li>Failed access attempts followed by successful ones using the same token.</li>
</ul>
<p>Here’s an example of querying Entra ID logs for suspicious access patterns:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e"># Query Entra ID logs for access patterns</span>
</span></span><span style="display:flex;"><span>Get-AzureADAuditSignInLogs -Filter <span style="color:#e6db74">&#34;Location.City ne &#39;ExpectedCity&#39;&#34;</span>
</span></span></code></pre></div><div class="notice danger">🚨 <strong>Security Alert:</strong> Implement strong encryption and secure storage for tokens to prevent theft.</div>
<div class="key-takeaway">
<h4>🎯 Key Takeaways</h4>
<ul>
<li>Token theft involves intercepting and using access tokens to gain unauthorized access.</li>
<li>Monitor Entra ID logs for unusual access patterns and unauthorized token usage.</li>
<li>Use encryption and secure storage to protect tokens.</li>
</ul>
</div>
<h2 id="what-is-client-credential-misuse">What is client credential misuse?</h2>
<p>Client credential misuse occurs when an attacker obtains the client credentials (client ID and client secret) and uses them to request access tokens. This allows the attacker to perform actions on behalf of the client application.</p>
<h3 id="how-does-client-credential-misuse-work">How does client credential misuse work?</h3>
<ol>
<li>The attacker steals the client credentials from a compromised system.</li>
<li>The attacker uses the client credentials to request an access token from the authorization server.</li>
<li>The authorization server issues an access token based on the client credentials.</li>
<li>The attacker uses the access token to access protected resources.</li>
</ol>
<h3 id="example-of-client-credential-misuse">Example of client credential misuse</h3>
<p>Here’s a simple example of how client credential misuse might occur:</p>
<div class="mermaid">

sequenceDiagram
    participant Attacker
    participant AuthServer
    participant ResourceServer

    Attacker->>AuthServer: Request token with stolen client credentials
    AuthServer-->>Attacker: Access token
    Attacker->>ResourceServer: Access request with token
    ResourceServer-->>Attacker: Grant access

</div>

<h3 id="how-to-detect-client-credential-misuse-with-entra-id-logs">How to detect client credential misuse with Entra ID logs</h3>
<p>To detect client credential misuse, monitor Entra ID logs for signs of unauthorized token requests, such as:</p>
<ul>
<li>Token requests from unfamiliar IP addresses or locations.</li>
<li>Multiple token requests within a short period.</li>
<li>Token requests for scopes that the client does not typically request.</li>
</ul>
<p>Here’s an example of querying Entra ID logs for suspicious token requests:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e"># Query Entra ID logs for suspicious token requests</span>
</span></span><span style="display:flex;"><span>Get-AzureADAuditSignInLogs -Filter <span style="color:#e6db74">&#34;IPAddress ne &#39;ExpectedIP&#39;&#34;</span>
</span></span></code></pre></div><div class="notice info">💡 <strong>Key Point:</strong> Regularly rotate client secrets and limit their permissions to minimize the risk of misuse.</div>
<div class="key-takeaway">
<h4>🎯 Key Takeaways</h4>
<ul>
<li>Client credential misuse involves using stolen client credentials to request access tokens.</li>
<li>Monitor Entra ID logs for suspicious token requests and unauthorized access.</li>
<li>Rotate client secrets and limit permissions to reduce risk.</li>
</ul>
</div>
<h2 id="how-to-implement-robust-oauth-security-with-entra-id">How to implement robust OAuth security with Entra ID</h2>
<p>To protect your applications from OAuth TTPs, implement the following best practices:</p>
<ol>
<li>
<p><strong>Use HTTPS</strong>: Ensure all communications between the client, authorization server, and resource server use HTTPS to prevent interception.</p>
</li>
<li>
<p><strong>Validate Redirect URIs</strong>: Always validate redirect URIs to ensure they match expected values.</p>
</li>
<li>
<p><strong>Limit Token Scopes</strong>: Request only the necessary scopes for your application to minimize potential damage from token theft.</p>
</li>
<li>
<p><strong>Regularly Rotate Secrets</strong>: Change client secrets regularly and store them securely to prevent misuse.</p>
</li>
<li>
<p><strong>Monitor and Log Activity</strong>: Continuously monitor Entra ID logs for suspicious activity and set up alerts for potential threats.</p>
</li>
<li>
<p><strong>Implement Multi-Factor Authentication (MFA)</strong>: Use MFA to add an additional layer of security for user authentication.</p>
</li>
<li>
<p><strong>Use PKCE for SPAs</strong>: Implement Proof Key for Code Exchange (PKCE) in Single Page Applications (SPAs) to prevent authorization code interception.</p>
</li>
</ol>
<h3 id="quick-reference">Quick Reference</h3>
<h4>📋 Quick Reference</h4>
<ul>
<li><code>Use HTTPS</code> - Secure all communications.</li>
<li><code>Validate Redirect URIs</code> - Match expected values.</li>
<li><code>Limit Token Scopes</code> - Request only necessary scopes.</li>
<li><code>Rotate Secrets</code> - Change client secrets regularly.</li>
<li><code>Monitor Logs</code> - Set up alerts for suspicious activity.</li>
<li><code>Implement MFA</code> - Add an additional authentication layer.</li>
<li><code>Use PKCE</code> - Prevent authorization code interception in SPAs.</li>
</ul>
<div class="notice tip">💜 <strong>Pro Tip:</strong> Regularly review and update your OAuth configurations to adapt to new threats.</div>
<h2 id="conclusion">Conclusion</h2>
<p>Protecting your applications from OAuth TTPs requires a proactive approach to security. By understanding the latest threats and leveraging Entra ID logs, you can detect and mitigate attacks effectively. Stay vigilant, and continuously improve your security posture to safeguard your users and data.</p>
<p>That&rsquo;s it. Simple, secure, works.</p>
]]></content:encoded></item></channel></rss>