Neres

Has successfully completed 🎉

ConsentStorm Lab

On January 21, 2026, the Security Operations Center (SOC) at NexGen Energy received alerts indicating suspicious activity within their Microsoft Entra ID and Azure environment. The incident appears to have started when an employee in the Finance department received what looked like a legitimate email from a colleague. After interacting with the email, unusual OAuth consent activity and unauthorized access patterns were detected across multiple accounts and Azure resources. Initial triage suggests the attacker gained access to sensitive cloud resources, pivoted through multiple accounts, and potentially accessed confidential financial data. Threat intelligence indicates the TTPs may be associated with a known APT...
