Merge pull request #266 from HackTricks-wiki/update_How_to_detect_and_respond_to_OAuth_consent_attacks_20260304_184649

How to detect and respond to OAuth consent attacks in Google...

Author: carlospolop

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-exchange-hybrid-impersonation.md

@@ -42,6 +42,6 @@ When this technique is abused, audit events can show identity mismatches where t
 
 ## References
 
-- https://www.youtube.com/watch?v=rzfAutv6sB8
+- [https://www.youtube.com/watch?v=rzfAutv6sB8](https://www.youtube.com/watch?v=rzfAutv6sB8)
 
 {{#include ../../../banners/hacktricks-training.md}}

src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md

@@ -165,11 +165,67 @@ Moreover, even not alowing to trust external third-party apps it's possible to a
 
 <figure><img src="../../../images/workspace_oauth.png" alt=""><figcaption></figcaption></figure>
 
+### OAuth Consent Grant Abuse: Detection & Response (Admin Reports)
+
+When a user authorizes an OAuth app, Google Workspace records it in the **Admin Reports OAuth Token Audit Activity** (application name `token`) with `events.name` set to `authorize`. These events are the best telemetry to detect consent phishing and track the client ID and scopes that were granted.
+
+Key fields to extract from the audit event:
+
+- `id.time`, `id.customerId`
+- `actor.email`, `actor.profileId`
+- `ipAddress`, `networkInfo.regionCode`, `networkInfo.subdivisionCode`
+- `events[0]['parameters']` values for `client_id`, `app_name`, `scope`, `scope_data`
+
+**Baseline first (reduce noise):** build an inventory of existing client IDs and scopes, then alert on new/rare consents.
+
+```bash
+gam all users print tokens todrive
+```
+
+**Detection ideas (new/rare app + risky scopes):**
+
+- Alert if a `client_id` is **not in an approved allowlist** and **not seen in the last X days** (e.g., 90).
+- Alert if granted `scope` includes **high-risk or rare** scopes, especially those that allow bulk data access or supply-chain impact, such as:
+- `https://mail.google.com/`
+- `https://www.googleapis.com/auth/gmail.readonly`
+- `https://www.googleapis.com/auth/drive`
+- `https://www.googleapis.com/auth/drive.readonly`
+- `https://www.googleapis.com/auth/chat.messages`
+- `https://www.googleapis.com/auth/chromewebstore`
+
+```text
+client_id NOT IN approved_client_ids
+AND client_id NOT IN last_seen_90d
+AND scope CONTAINS any(high_risk_scopes OR rare_scopes)
+```
+
+**Response / containment:**
+
+- Revoke tokens for the malicious OAuth client ID:
+
+```bash
+gam all users delete tokens clientId <client_id>
+```
+
+- Block the OAuth client ID in the Admin Console by revoking the application’s access to Google data.
+
+**Threat hunting pivots:**
+
+- List external apps consented by fewer than N users (rare adoption).
+- Review app name, publisher, permissions/scopes, and unique application ID.
+- Look for dormant apps that suddenly use risky permissions (possible follow-on actions like internal phishing or data theft).
+
+**Mitigations:**
+
+- Restrict all third-party app access (admin-approved only).
+- Allow limited access so users can only consent to basic “Sign in with Google” profile info.
+
 ## References
 
 - [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
 - [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
+- [https://redcanary.com/blog/threat-detection/google-workspace-oauth-attack/](https://redcanary.com/blog/threat-detection/google-workspace-oauth-attack/)
+- [https://github.com/GAM-team/GAM](https://github.com/GAM-team/GAM)
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-