{"id":10487,"date":"2021-04-28T09:00:00","date_gmt":"2021-04-28T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/"},"modified":"2021-04-28T09:00:00","modified_gmt":"2021-04-28T08:00:00","slug":"attack-detection-fundamentals-2021-azure-lab-1","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/","title":{"rendered":"Attack Detection Fundamentals 2021: Azure &#8211; Lab #1"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: Azure &#8211; <span class=\"blue-text\">Lab #1<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n               
                         Cloud Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Identity security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                28 4\u6708, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    \u30b7\u30a7\u30a2\u3059\u308b                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Azure%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a 
href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Azure &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-300x200.jpg.webp 300w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research2-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_bc69f30c993c23ae14d8eec0433934fd\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 
31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Masande Mtintsilana<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                \u30b3\u30f3\u30c6\u30f3\u30c4\u30ca\u30d3\u30b2\u30fc\u30b7\u30e7\u30f3            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    \u30bb\u30af\u30b7\u30e7\u30f3\u3092\u9078\u629e                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border 
wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Azure%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Azure &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    
<p>In the final part of WithSecure Consulting&#x27;s Attack Detection Fundamentals workshop series for 2021, we covered a walkthrough of an end-to-end kill chain in Azure.<\/p>\n<p>Beginning with compromising a user account to retrieve service principal credentials, escalating privileges by further credential discovery, and finally moving laterally to a VM in order to access sensitive information.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/www.youtube.com\/watch?v=Uen-gDtPxf4\" target=\"_blank\" rel=\"noopener\">here<\/a>, and the slides <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-4-azure_2021-04-28.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In this lab, we will cover the use of consent phishing to gain access to a victim user&#x27;s email inbox. As Azure AD handles user consents, we will then take a look at the log events generated.<\/p>\n<p>Note: Though Azure AD log events are often quick to be generated, it may take several minutes for the log events to reach your configured Log Analytics Workspace.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>An Azure Subscription suitable for testing purposes;<\/li>\n<li>Terraform;<\/li>\n<li>Azure CLI;<\/li>\n<li><a href=\"https:\/\/github.com\/mdsecactivebreach\/o365-attack-toolkit\" target=\"_blank\" rel=\"noopener\">O365 Attack Toolkit<\/a>;<\/li>\n<li><a href=\"https:\/\/caddyserver.com\/docs\/install#debian-ubuntu-raspbian\" target=\"_blank\" rel=\"noopener\">Caddy<\/a>.<\/li>\n<\/ul>\n<p>Optional<\/p>\n<ul>\n<li>E1, E3 or E5 license (30 day trial licenses are suitable)<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>Lab Environment<\/h3>\n<p>In this lab, we will need several cloud resources to be deployed in order to allow us carry out all offensive and defensive scenarios. 
Just as in our <a href=\"https:\/\/youtu.be\/JpELEMm9OsY\" target=\"_blank\" rel=\"noopener\">AWS workshop<\/a>, to achieve this we&#x27;ll be using Terraform. Terraform is a popular tool for developing Infrastructure-as-Code and provides us with a means to define, spin up, and tear down environments with ease.<\/p>\n<p>To allow you to follow along with this lab, we&#x27;ve provided a test environment written with Terraform <a href=\"https:\/\/github.com\/loosely-coupled\/Attack-Detection-Fundamentals-2021---Azure-lab-environment\" target=\"_blank\" rel=\"noopener\">here<\/a>. As discussed in the workshop, the primary components of the environment can be seen below.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/attack-vm2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Our Azure environment will be hosted in a single Azure subscription, which will contain the following resources:<\/p>\n<ul>\n<li>Logic Apps;<\/li>\n<li>2 x Azure VMs.<\/li>\n<\/ul>\n<p>The dummy Logic App resource does not perform anything interesting; however, it will serve its purpose of demonstrating how poor secret management can be exploited.<\/p>\n<p>The &quot;target-vm&quot; represents a &#x27;highly monitored&#x27; VM containing sensitive information and the &quot;attack-vm&quot; will be used to remotely access the target VM.<\/p>\n<p>The Activity Logs of the subscription will be configured to be sent to a Log Analytics Workspace. In addition, all Azure AD log types will be sent to the same Workspace.<\/p>\n<h3>Lab Deployment<\/h3>\n<p>The lab deployment was tested on an Ubuntu 20.04 machine. Ensure that you have authenticated to Azure and have set the current Azure subscription appropriately. 
As mentioned, this should be set to one that is suitable for testing purposes.<\/p>\n<p>With Terraform installed (tested with 15.0), clone <a href=\"https:\/\/github.com\/loosely-coupled\/Attack-Detection-Fundamentals-2021---Azure-lab-environment\" target=\"_blank\" rel=\"noopener\">this<\/a> project locally, and deploy your environment running the following command:<\/p>\n<pre><code class=\"language-bash\">terraform init\nterraform apply -var=&quot;&lt;tenant name&gt;&quot;<\/code><\/pre>\n<p>Note: Deployment region and resource prefix can be controlled with variables &quot;location=&quot; and &quot;prefix=&quot;, respectively.<\/p>\n<p>After successful deployment, Terraform should output the following information:<\/p>\n<ul>\n<li>Victim user&#x27;s Azure AD username and password;<\/li>\n<li>Attack VM IP, username and password;<\/li>\n<li>Reader service principal credentials;<\/li>\n<li>Contributor service principal credentials.<\/li>\n<\/ul>\n<p>Using the following command, we can output this information.<\/p>\n<pre><code class=\"language-bash\">terraform output -json<\/code><\/pre>\n<p>Note: VM IP address may at times not reflect in Terraform output. 
In this case, the IP address can be retrieved in the Azure portal.<\/p>\n<p>Setting up logging will be performed manually using the steps below:<\/p>\n<ul>\n<li>Create a <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/logs\/quick-create-workspace\" target=\"_blank\" rel=\"noopener\">log analytics workspace<\/a>;<\/li>\n<li>Send <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/essentials\/quick-collect-activity-log-portal#create-diagnostic-setting\" target=\"_blank\" rel=\"noopener\">Subscription Activity Logs to Log Analytics Workspace<\/a>;<\/li>\n<li>Send <a href=\"http:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/reports-monitoring\/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor\" target=\"_blank\" rel=\"noopener\">AAD Logs to Log Analytics workspace<\/a>.<\/li>\n<\/ul>\n<p>Optional Mailbox Setup<\/p>\n<p>As an optional setup, we can assign our victim a license to activate an Exchange Online mailbox. In the Microsoft 365 Admin Center, under &quot;Billing&quot; -&gt; &quot;Licenses&quot; assign the victim user a license.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/license.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Once this has been configured, we can send the victim an email containing plain-text credentials as seen below:<\/p>\n<pre><code class=\"language-bash\">## Do not share with anyone\n$clientid = &quot;&lt;reader service principal name&gt;&quot;\n$secret = &quot;&lt;reader service principal secret&gt;&quot;<\/code><\/pre>\n<p>This is not essential, as we will still be able to complete the labs without it, but it offers a more realistic demonstration.<\/p>\n<h3>O365 Attack Toolkit Setup<\/h3>\n<p>After installing the O365 attack toolkit, we also need to configure it. The toolkit requires the use of an Azure AD registered application. 
However, <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/publisher-verification-and-app-consent-policies-are-now\/ba-p\/1257374\" target=\"_blank\" rel=\"noopener\">As of 8th November 2020<\/a> Microsoft require you to be a &quot;verified publisher&quot; if you want to create multi-tenant applications. A workaround to this is to use an existing unused application that has been created before this date.<\/p>\n<p>Create a set of credentials for this Azure AD application in the portal, by going to Azure Active Directory -&gt; App Registrations -&gt; (select Azure AD Application).<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/client-secret.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>While still under &quot;App Registration&quot; we will then need to configure the application as a &quot;multi-tenant&quot; application, and supply a redirect URL. This is the redirect URL of where you will be running the attack toolkit. If the attack toolkit will be accessible on localhost, use the URL &quot;http:\/\/localhost\/gettoken&quot;, otherwise use &quot;https:\/\/&lt;ip address&gt;\/gettoken&quot;<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/new-redirect-url.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>With the Azure AD Application configured, we can now populate the configuration file template.conf for the toolkit. 
Use the client ID, secret, and redirect URL that was used above.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/template-conf.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The toolkit can then be started using .\/o365-attack-toolkit<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/toolkit-start.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Note that the IP and port for the &quot;internal server&quot; will host the management interface, and the &quot;external server&quot; will host the external redirector.<\/p>\n<p>As Microsoft requires Redirect URLs to use HTTPS if the hostname is not &quot;localhost&quot;, for demonstration purposes we can setup a HTTPS reverse proxy for the non-localhost case. This can be done simply using Caddy, with the following Caddyfile configuration.<\/p>\n<pre><code class=\"language-bash\">&lt;IP address&gt;\nreverse_proxy 127.0.0.1:30662<\/code><\/pre>\n<p>The IP address represents a network accessible address from your victim&#x27;s machine. Caddy can be started with<\/p>\n<pre><code class=\"language-bash\">sudo caddy run<\/code><\/pre>\n<h3>Consent Phishing<\/h3>\n<p>Hopefully you now have the lab setup complete! 
So let&#x27;s start the o365 attack toolkit.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/start-toolkit.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>With the toolkit up and running, we can visit the management interface to generate the link to send to our victim.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-url2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Optional Setup<\/p>\n<p>As an optional step, we can craft an email which includes our link that will be sent to the victim.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/optional-email.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>In the target user&#x27;s inbox, we will receive the email. While logged in at https:\/\/portal.azure.com as our victim user, clicking on the link generated by the toolkit will take us to the Azure AD consent screen, as shown below.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/consent-screen.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Selecting &quot;Accept&quot; will grant our application permission to access everything the user has access to, be it SharePoint, OneDrive, or Exchange Online.<\/p>\n<p>If you have followed the optional steps above, we can use the toolkit to search through the user&#x27;s mailbox for strings that may indicate credentials (e.g. &quot;secret&quot;, &quot;password&quot;). 
Otherwise we will directly use the Reader role service principal, which is part of the terraform output, in the upcoming <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-azure-lab-2\/\" target=\"_blank\" rel=\"noopener\">Lab 2<\/a>.<\/p>\n<h2>Detection<\/h2>\n<p>All the activities performed during our consent phishing attack result in changes in Azure AD, and as such, we can explore the Azure AD logs to better understand what log information these activities generated.<\/p>\n<p>In the Azure portal, search for &quot;Log Analytics Workspace&quot; and select the workspace you created. Navigate to the Query screen by going to &quot;General&quot; -&gt; &quot;Logs&quot;, and within the Query window use the search query below:<\/p>\n<pre><code class=\"language-kusto\">AuditLogs\n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == &quot;&lt;UPN of user&gt;&quot;<\/code><\/pre>\n<p>This will return the Azure AD Audit logs shown below.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/aad-audit-logs.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>In the screenshot above, we can see the changes made in Azure AD by our user &quot;Sidney Grey&quot; during the consent phish. Four main events are generated:<\/p>\n<ul>\n<li>Add Service Principal &#8211; O365 toolkit Service Principal is added to the victim&#x27;s tenant;<\/li>\n<li>Delegate Permission Grant &#8211; Application is assigned permission to access Exchange, SharePoint, etc;<\/li>\n<li>Add App Role Assignment &#8211; User is assigned role defined by the application;<\/li>\n<li>Consent to Application &#8211; Event indicating a user has consented to an application.<\/li>\n<\/ul>\n<p>Drilling down to the second event &quot;Delegate Permission Grant&quot;, we can see the specific permissions delegated to the toolkit by the user. 
These include:<\/p>\n<ul>\n<li>Mail.Read &#8211; Provides permissions to read emails on the user&#x27;s behalf;<\/li>\n<li>Mail.Send &#8211; Provides permissions to send emails on the user&#x27;s behalf;<\/li>\n<li>Files.ReadWrite &#8211; Provides permission to read and write files that our user can access (e.g. SharePoint);<\/li>\n<li>offline_access &#8211; Allows the toolkit to retain access to these resources for an extended period of time.<\/li>\n<\/ul>\n<p>As these are considered sensitive, logs indicating the granting of these permissions can provide useful insights into potential threats within your environment.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this lab, we have looked at setting up our environment and then using consent phishing to get delegated access to our victim&#x27;s mailbox and other M365 services. This provided us with permissions to search for credentials and other sensitive information.<\/p>\n<p>We then took a look at our Log Analytics Workspace to understand the log events generated in Azure AD and highlighted some useful permissions to keep an eye on, as they offer privileged access to organisational data.<\/p>\n<p>In the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-azure-lab-2\/\" target=\"_blank\" rel=\"noopener\">next lab<\/a>, we will use a set of &#x27;discovered&#x27; credentials to further escalate our privileges, broadening our reach in the Azure environment.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                 
       <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Azure%20&#8211;%20Lab%20#1\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Linkedin\u3067\u5171\u6709\u3059\u308b\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Azure &#8211; Lab #1&#038;url=https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"\u30c4\u30a4\u30c3\u30bf\u30fc\u3067\u5171\u6709\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark 
wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find related content relating to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/machine-learning-driven-malware-analysis\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    
<\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this lab, we will cover the use of consent phishing to gain access to a victim user&#8217;s email inbox. As Azure AD handles user consents, we will then take a look at the log events generated.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,385,353],"labs_content_type":[317],"class_list":["post-10487","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-cloud-security","category-identity-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 
100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/\u30e9\u30dc<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Cloud Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Identity security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: Azure &#8211; Lab #1<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this lab, we will cover the use of consent phishing to gain access to a victim user&#039;s email inbox. 
As Azure AD handles user consents, we will then take a look at the log events generated.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-1\/\">\u3082\u3063\u3068\u8aad\u3080<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10487"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}