EPISODE · Dec 2, 2025 · 26 MIN
M365 Attack Chain: Why Your Microsoft 365 Breach Model Is Wrong
from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net
(00:00:00) Mission Briefing: Protecting Against Tenant Breaches
(00:00:41) The Enemy's Tactics: Consent Phishing and Token Theft
(00:04:35) The Attack Chain: From Consent to Token Abuse
(00:06:22) Detecting and Preventing Consent Phishing
(00:14:41) Lateral Movement: From Mailbox to SharePoint
(00:17:23) Exfiltration and Data Theft
(00:20:26) Implementing Effective Defenses
(00:26:01) Closing Remarks and Key Takeaways

In this episode of M365.fm, Mirko Peters walks through a real-world-style Microsoft 365 breach in which attackers combine consent phishing, AiTM token theft, and OAuth abuse to bypass MFA, replay stolen cookies, and quietly live off the land with Microsoft Graph.

WHAT YOU WILL LEARN
Why perimeter defense and “just add MFA” are lies in modern Microsoft 365 attacks
How consent phishing, AiTM kits, and multi-tenant OAuth apps work together to hijack identities and sessions
Which Entra ID audit and sign-in events actually matter: “Consent to application”, “ServicePrincipal created”, “AppRoleAssignedTo”, and risky sign-ins with “requirements satisfied” via cookies
How attackers use offline_access, refresh tokens, mailbox rules, and scope creep for long-term persistence
How Graph, Exchange, and SharePoint telemetry expose mailbox hijacking, SharePoint theft, and OAuth-based exfiltration
Concrete Sentinel/KQL detection ideas for malicious app consent, token replay, mailbox rule abuse, and Graph exfiltration
The one policy family that breaks this entire attack chain: consent control and token protection

THE CORE INSIGHT
Most Microsoft 365 breach models still obsess over passwords, URLs, and endpoints. Modern attackers don’t fight your MFA; they reuse your sessions and register their own apps.

The real M365 attack chain is not “phish → malware → lateral movement” but “consent → token → Graph”: steal a cookie, gain app consent, escalate scopes, and drain data under the cover of normal cloud traffic.

This episode argues that if you’re not governing consent, protecting tokens, and watching service principals, you don’t have a modern M365 defense — you have a firewall nostalgia project.

WHY YOUR CURRENT M365 ATTACK MODEL IS WRONG
It assumes the front door is the login page, not the consent screen and device code flows
It treats OAuth apps and service principals as background plumbing, not as first-class actors in attacks
It focuses on password theft, not on session replay, refresh tokens, and offline_access scopes
It ignores that most of the critical telemetry already exists in Entra ID, Exchange, SharePoint, and Graph — just without tuned detections

WHAT YOU’LL TAKE AWAY IN PRACTICE
A step-by-step picture of the M365 attack chain: from AiTM phish to malicious app consent to Graph-driven exfiltration
Concrete Entra and Exchange events to hunt for, plus example Sentinel/KQL patterns to operationalize them
A consent hardening plan: disabling broad user consent, enforcing admin workflows, and using verified publishers and low-risk scopes
Token and session defenses: Token Protection, risk-based Conditional Access, and revocation practices that make stolen cookies worthless

WHO THIS EPISODE IS FOR
This episode is essential for Microsoft 365 security engineers, identity architects, SOC analysts, and cloud security leaders who own Entra ID, Exchange Online, SharePoint, and Sentinel.

If your threat model still starts with “user clicks malicious link” and ends with “EDR catches malware,” this conversation will give you a new, identity- and consent-centric view of how M365 actually gets breached.

ABOUT THE HOST
Mirko Peters is a Microsoft 365 consultant and digital workplace architect focused on building identity-first, attack-aware security architectures on the Microsoft cloud. Through M365.fm, Mirko shares real-world breach patterns, KQL approaches, and governance models that help security teams move from perimeter stories to the true Microsoft 365 attack chain.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
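As an added example (not from the episode or m365.fm), a Sentinel KQL hunt over Entra ID audit logs for the “Consent to application” event the episode calls out, narrowed to grants that pair offline_access (a refresh token) with mailbox or file scopes. It assumes the standard Sentinel AuditLogs schema, and the ConsentAction.Permissions property name is assumed to match the tenant's log layout.

```kql
// Added hunting query (not from the episode): user consents to OAuth apps
// that combine offline_access with mailbox or file scopes, the combination
// that lets a consented app keep reading data after the user's session ends.
// Assumes the standard Sentinel AuditLogs schema for Entra ID audit events.
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application" and Result == "success"
| extend ConsentingUser = tostring(InitiatedBy.user.userPrincipalName),
         ConsentingIp   = tostring(InitiatedBy.user.ipAddress)
| mv-expand TargetResource = TargetResources
| extend AppDisplayName = tostring(TargetResource.displayName)
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
// The granted scope string is recorded in the ConsentAction.Permissions
// property (assumed name); newValue carries the new scope list as text.
| where tostring(ModifiedProperty.displayName) == "ConsentAction.Permissions"
| extend GrantedScopes = tostring(ModifiedProperty.newValue)
| where GrantedScopes has "offline_access"
| where GrantedScopes has_any ("Mail.Read", "Mail.ReadWrite", "Mail.Send",
                               "MailboxSettings.ReadWrite",
                               "Files.Read.All", "Files.ReadWrite.All",
                               "Sites.Read.All", "Sites.ReadWrite.All")
// One row per app: who consented, from where, and which scopes were granted
| summarize ConsentCount = count(),
            Users        = make_set(ConsentingUser),
            SourceIps    = make_set(ConsentingIp),
            Scopes       = take_any(GrantedScopes),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated)
  by AppDisplayName
| order by FirstSeen desc
```

Pair the result with the “ServicePrincipal created” and “AppRoleAssignedTo” events the episode names to see whether the app was registered shortly before the first consent.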