General
This check looks for registered applications in Microsoft 365 that are known to be used by cybercriminals.
Credits
The threat intelligence for this check is based on the information from this GitHub repository by Huntress.
Rationale
Registered Applications in Microsoft 365 provide a relatively inconspicuous way for attackers to maintain long-term access to an environment. Investigations into cyber incidents such as Business Email Compromise (or CEO/Payment fraud) show that these kinds of apps are popular and often feature in the modus operandi of cybercriminals.
Attic Fix
A fix is available for this check! It will be offered via a ticket in Attic, after which you can accept it.
Manual instructions
Follow these steps to adjust the setting:
- Check whether the use of the app by the user in question is legitimate.
- If not: consider the account compromised, revoke all sessions, disable it, and investigate potential abuse before re-enabling it.
- If so: add the app to ignored apps in the Attic configuration so that no new alerts are triggered.
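The triage and remediation steps above, as an added PowerShell example (not part of this article or of Attic) that uses the Microsoft Graph PowerShell SDK. It assumes you are signed in with Connect-MgGraph, that the denylist is a list of application (client) IDs taken from the Huntress threat-intel repository the check uses (the value below is a placeholder), and that the ignored-apps list mirrors the apps you have verified as legitimate.

```powershell
# Added example: report delegated OAuth consents to known-bad app IDs and,
# only with -Remediate, treat the consenting account as compromised.
# $KnownBadAppIds is a PLACEHOLDER; fill it from the Huntress list the check uses.
param(
    [string[]]$KnownBadAppIds = @('00000000-0000-0000-0000-000000000000'),  # placeholder
    [string[]]$IgnoredAppIds  = @(),   # apps you verified as legitimate (Attic "ignored apps")
    [switch]$Remediate                 # default is report-only
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'User.ReadWrite.All'

$bad    = [System.Collections.Generic.HashSet[string]]::new([string[]]$KnownBadAppIds,
              [System.StringComparer]::OrdinalIgnoreCase)
$ignore = [System.Collections.Generic.HashSet[string]]::new([string[]]$IgnoredAppIds,
              [System.StringComparer]::OrdinalIgnoreCase)

# Each delegated permission grant points at a service principal (ClientId) and,
# for per-user consent, at the user who granted it (PrincipalId). Admin consent
# for all users has ConsentType 'AllPrincipals' and no PrincipalId.
foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    if (-not $bad.Contains($sp.AppId) -or $ignore.Contains($sp.AppId)) { continue }

    $who = if ($grant.PrincipalId) {
        (Get-MgUser -UserId $grant.PrincipalId).UserPrincipalName
    } else { 'all users (admin consent)' }

    Write-Warning ("Known-bad app '{0}' (AppId {1}) consented by {2}; scopes: {3}" -f
        $sp.DisplayName, $sp.AppId, $who, $grant.Scope)

    if ($Remediate -and $grant.PrincipalId) {
        # Step 2 of the manual instructions: remove the grant, revoke all sessions,
        # disable the account. Re-enable only after investigating potential abuse.
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
        Revoke-MgUserSignInSession -UserId $grant.PrincipalId | Out-Null
        Update-MgUser -UserId $grant.PrincipalId -AccountEnabled:$false
        Write-Warning ("Disabled {0} and revoked sessions" -f $who)
    }
}
```

Admin-consented (tenant-wide) grants are reported but left in place, since they are not tied to a single user account; review those separately.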