Hackers Use ChatGPT In OAuth Attacks To Breach Entra ID and Access Emails

Red Canary’s Threat Research team has identified an increasing trend of OAuth-based application attacks, with a particularly dangerous scenario unfolding within Entra ID.

In this case, attackers have leveraged the legitimate ChatGPT application to exploit OAuth permissions, granting unauthorized access to user email accounts.

This breach highlights the importance of properly managing OAuth consent and the risks of third-party applications gaining excessive access to user data.

The attack scenario begins when an employee adds the ChatGPT service principal to their Entra ID tenant and consents to OAuth permissions that allow access to their email (Mail.Read) and other user data (offline_access, profile, openid).

This action occurs via the legitimate OpenAI application, which presents as a trusted service but, in this case, was abused by the attacker. The user grants the application permission, unknowingly allowing the attacker access to sensitive email data.

The key risk lies in the Mail.Read permission request, a scope frequently exploited by attackers to steal email data. The attack exploited this legitimate request, resulting in unauthorized access to the victim’s email account.

The investigation prompted a review of the logs and event correlation, with particular attention to the service principal added (ChatGPT) and the specific OAuth permissions granted.

How The Attack Unfolds

  1. Initial Consent: The attacker manipulates the target user into granting the ChatGPT application permissions, such as Mail.Read and offline_access. This is done by presenting the app as a legitimate third-party tool. Once consent is given, the attacker gains access to the user’s email account.
  2. Tracking Consent Events: Key log data, such as the AuditLogs and Consent to application events, provides crucial insights. These logs show when the user granted ChatGPT permission and which specific OAuth permissions they consented to, including Mail.Read. The event also logs the IP address, indicating that the attacker accessed the system remotely.
  3. Monitoring Application Behavior: Red Canary’s telemetry analysis tracks the communication between the victim’s system and attacker-controlled servers. This helps correlate activities and detect suspicious behavior in the application, such as unexpected access requests and connection attempts.
  4. Data Exfiltration: Once ChatGPT is granted the necessary permissions, the attacker can access sensitive email data and potentially exfiltrate it for malicious purposes. The data is then uploaded to an attacker-controlled infrastructure, where it can be used for further exploitation.

Detection and Mitigation

Red Canary said that, to mitigate this type of OAuth attack, it is essential to monitor for suspicious application permissions and third-party service principals.

Key Indicator    Value                                          Risk
App ID           e0476654-c1d5-430b-ab80-70cbd947616a           Legitimate OpenAI app, but abused
Permissions      Mail.Read, offline_access, profile, openid     Email access without expiry
Consent Type     Principal, non-admin (IsAdminConsent: False)   User-specific, phishing-prone
IP Origin        3.89.177.26                                    AWS Virginia, potential proxy
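The following script is an added example written for this article, not Red Canary's detection logic or any code from the report. It triages Entra ID "Consent to application" audit events for the combination the table above describes: a mailbox scope (Mail.Read), offline_access for persistent refresh tokens, non-admin (user) consent, and a source IP outside the organization's own egress ranges. The audit entries, the corporate IP ranges and the exact "[] => [[...]]" shape of the ConsentAction.Permissions value are constructed for this example; the property names ConsentAction.Permissions and ConsentContext.IsAdminConsent follow Microsoft's audit-log documentation, but treat the parsing as an assumption to validate against your own tenant's logs.

```python
"""Triage Entra ID 'Consent to application' audit events for risky OAuth grants.

Added example, not code from the article or from Red Canary. The audit-log entries
below are constructed in a simplified shape modelled on the Entra ID AuditLogs
schema; the "[] => [[...]]" payload format is an assumption.
"""
import ipaddress
import re

# Delegated scopes that grant mailbox access. Mail.Read is the scope named in the
# article; the others are related mailbox scopes added for completeness.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "MailboxSettings.ReadWrite"}

# Constructed corporate egress ranges (assumption; replace with your own).
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def _consent_event(app, upn, ip, is_admin, consent_type, scope):
    """Build a constructed audit entry in the simplified schema used by this example."""
    perms = f"[] => [[Id: 1, ConsentType: {consent_type}, Scope: {scope}]]"
    return {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
        "targetResources": [{
            "displayName": app,
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": f"\"{is_admin}\""},
                {"displayName": "ConsentAction.Permissions", "newValue": f"\"{perms}\""},
            ],
        }],
    }


# Constructed sample log: the article's scenario, a benign sign-in-only consent,
# and an admin-approved mailbox grant from a corporate address.
SAMPLE_AUDIT_LOGS = [
    _consent_event("ChatGPT", "alice@example.com", "3.89.177.26", "False", "Principal",
                   "Mail.Read offline_access profile openid"),
    _consent_event("Intranet Portal", "bob@example.com", "203.0.113.10", "False", "Principal",
                   "openid profile User.Read"),
    _consent_event("Helpdesk Bot", "admin@example.com", "198.51.100.5", "True", "AllPrincipals",
                   "Mail.Read"),
]


def _prop(resource, name):
    """Return a modifiedProperties value by display name, without its JSON quoting."""
    for p in resource.get("modifiedProperties", []):
        if p.get("displayName") == name:
            return (p.get("newValue") or "").strip('"')
    return ""


def parse_scopes(permissions_value):
    """Extract the space-separated Scope list from a ConsentAction.Permissions value."""
    m = re.search(r"Scope:\s*([^,\]]+)", permissions_value)
    return set(m.group(1).split()) if m else set()


def parse_consent_type(permissions_value):
    m = re.search(r"ConsentType:\s*(\w+)", permissions_value)
    return m.group(1) if m else "Unknown"


def is_corporate_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORP_EGRESS)


def score_consent(event):
    """Score one consent event; returns None for events that are not consent grants."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    user = event.get("initiatedBy", {}).get("user", {})
    resource = event["targetResources"][0]
    perms = _prop(resource, "ConsentAction.Permissions")
    scopes = parse_scopes(perms)
    is_admin = _prop(resource, "ConsentContext.IsAdminConsent").lower() == "true"
    ip = user.get("ipAddress", "")
    score, reasons = 0, []
    mailbox = scopes & MAILBOX_SCOPES
    if mailbox:
        score += 3
        reasons.append(f"mailbox scope granted: {', '.join(sorted(mailbox))}")
    if mailbox and "offline_access" in scopes:
        score += 1
        reasons.append("offline_access: refresh tokens keep mailbox access alive without a session")
    if mailbox and not is_admin:
        score += 1
        reasons.append("user (non-admin) consent, the path consent phishing relies on")
    if not is_corporate_ip(ip):
        score += 1
        reasons.append(f"consent originated outside corporate egress ({ip})")
    return {"user": user.get("userPrincipalName"), "app": resource.get("displayName"),
            "ip": ip, "scopes": sorted(scopes), "is_admin_consent": is_admin,
            "consent_type": parse_consent_type(perms), "score": score, "reasons": reasons}


def triage(events, threshold=4):
    """Return consent events at or above the threshold, highest score first."""
    findings = [f for f in (score_consent(e) for e in events) if f and f["score"] >= threshold]
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOGS):
        print(f"[{finding['score']}] {finding['user']} -> {finding['app']} from {finding['ip']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Against the constructed sample, only the ChatGPT grant crosses the threshold: the sign-in-only consent scores zero, and the admin-approved Mail.Read grant from a corporate address scores below it, which is the intended separation between a consent that merits an analyst's attention and routine application onboarding. In a real deployment the events would come from the AuditLogs table (or the Microsoft Graph audit API) rather than an inline list, and the corporate egress list and scope set would be tuned to the tenant.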

OAuth attacks leveraging applications like ChatGPT are a growing threat within organizations, particularly when employees are targeted and coerced into granting unauthorized permissions.

By enhancing monitoring and enforcing strict consent policies, organizations can better protect themselves against such attacks and limit the damage from unauthorized data access.


The post Hackers Use ChatGPT In OAuth Attacks To Breach Entra ID and Access Emails appeared first on Cyber Security News.
