LoFP LoFP / developers adding localhost redirect uris for local development environments. ci/cd pipelines updating production redirect uris during deployment. application owners adding redirect uris for new platform support.

Techniques

Sample rules

Entra ID OAuth Application Redirect URI Modified

Description

Identifies modifications to OAuth application redirect URIs (ReplyUrls) in Entra ID. Adding an attacker-controlled redirect URI to an existing trusted application allows interception of OAuth authorization codes when users authenticate through that application’s normal login flow, enabling token theft without requiring a new application registration or consent event.

Detection logic

data_stream.dataset: "azure.auditlogs" and
azure.auditlogs.operation_name: "Update application" and
event.outcome: ("Success" or "success") and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: "AppAddress"