According to the Microsoft Security Intelligence team, Office 365 customers have reportedly been receiving phishing emails meant to fool them into granting OAuth permissions to a fraudulent app, which then allows attackers to take control of the victims' email accounts.
The app, nicknamed 'Upgrade,' asks users to grant it OAuth permissions, and those permissions open the door to the attackers behind it. With the granted access, attackers can create inbox rules, read and write emails and calendar items, and browse through the victim's contacts. Attackers have since targeted hundreds of customers and organizations with the app.
Users would receive a notification asking them to grant various permissions to the app, such as reading and writing files, accessing calendars, and so on.
What is OAuth?
OAuth is an open standard for delegating access to a user's information and files to third-party websites and applications without handing over passwords or other critical account details. The standard is supported by cloud and identity providers such as Google, Facebook, Twitter, and Microsoft.
Because it is so widely adopted, attackers have targeted OAuth and found vulnerabilities they could exploit. Abusing OAuth grants as a backdoor became common enough that Google adopted tighter requirements for verifying developers who use OAuth to connect to Google apps.
Microsoft stated in a tweet that it deactivated ‘Upgrade’ in Azure Active Directory and notified affected customers once it had pinpointed the attacks.
How Did Microsoft Find Out About the ‘Upgrade’ Phishing App?
The OAuth phishing campaign was reported to Microsoft by threat hunter @ffforward on Twitter, who gave the details behind the ‘Upgrade’ app, listed under the verified publisher Counseling Services Yuma PC.
It turns out the ‘Upgrade’ app had previously been offered to Office 365 users, but at that time through an unverified account.
According to a tweet by Microsoft Security Intelligence (@MsftSecIntel), app governance in Microsoft Defender for Cloud Apps flagged the suspicious behavior of ‘Upgrade’, which led to the discovery of the phishing campaign.
What is Consent Phishing?
Consent phishing has become an alternative to credential phishing. Instead of capturing passwords with fake login pages, attackers send OAuth permission requests that bait victims into granting access tokens to a connected app, which the attackers then use to acquire account data.
Consent-phishing emails, which abuse OAuth requests to obtain "illicit consent grants" from unsuspecting users, have been steadily increasing over recent years, according to a July 2021 blog by Microsoft.
In these cases, the login is handled by an identity provider such as Google or Microsoft rather than by the end user. While this type of phishing attack does not give attackers the password, they can still set inbox rules that forward the victim's email to an account controlled by the attacker, enabling future attacks.
From there, cybercriminals can perform ongoing surveillance on the target organization to acquire information that will further compromise the network.
Microsoft pointed out in the same blog that Azure Active Directory and Microsoft Defender have capabilities that let administrators manage which apps users can consent to and give organizations visibility into app activity, which helps companies identify when an app is behaving suspiciously.
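A defender-side triage of consent grants along the lines the article describes, as an added example (not Microsoft's, Kumo's or the campaign's code); the JSON-lines event format, the scope list and the sample records are constructed assumptions, not the real Azure AD audit schema:

```python
"""Triage OAuth consent grants for consent-phishing indicators (added example;
the JSON-lines format is a constructed stand-in, not the Azure AD audit schema)."""
import json

# Delegated Microsoft Graph scopes giving the reach the article describes:
# mail read/write, inbox rules (mailbox settings), calendar items, contacts.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Calendars.ReadWrite", "Contacts.Read"}
# offline_access returns a refresh token, so access persists after the victim
# closes the consent page: that is what makes the grant a durable backdoor.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = """\
{"user": "alice@example.com", "app": "Upgrade", "consent_type": "User", "publisher_verified": true, "scopes": "Mail.ReadWrite MailboxSettings.ReadWrite Contacts.Read offline_access"}
{"user": "bob@example.com", "app": "Team Poll", "consent_type": "User", "publisher_verified": true, "scopes": "User.Read"}
{"user": "admin@example.com", "app": "Backup Service", "consent_type": "Admin", "publisher_verified": true, "scopes": "Mail.Read offline_access"}
"""

def score_grant(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons): one point per consent-phishing indicator."""
    scopes = set(event.get("scopes", "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        reasons.append("persistent access via offline_access")
    if risky and event.get("consent_type") == "User":
        # 'Upgrade' was user-consented and had a verified publisher; the badge alone clears nothing.
        reasons.append("end user (not admin) consented to mailbox access")
    if not event.get("publisher_verified", False):
        reasons.append("unverified publisher")
    return len(reasons), reasons

def triage(lines: str, threshold: int = 3) -> list[dict]:
    """Parse JSON-lines consent events; return those scoring at or above threshold."""
    flagged = []
    for line in filter(str.strip, lines.splitlines()):
        event = json.loads(line)
        score, reasons = score_grant(event)
        if score >= threshold:
            flagged.append({"user": event["user"], "app": event["app"],
                            "score": score, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the user-consented grant combining mailbox scopes with offline_access crosses the default threshold; the admin-approved backup grant scores lower and is left for routine review.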
How can businesses protect themselves?
Businesses need a proactive cybersecurity team that can implement the cybersecurity framework of the U.S. Department of Commerce's National Institute of Standards and Technology to secure their networks: Identify, Protect, Detect, Respond, and Recover. Kumo offers businesses a highly trained cybersecurity team that can fully secure any company's data. If you're interested in learning more, please email firstname.lastname@example.org.