Attackers used malicious “verified” OAuth apps to infiltrate organizations’ O365 email accounts
Malicious third-party OAuth apps with an evident “Publisher identity verified” badge have been used by unknown attackers to target organizations in the UK and Ireland, Microsoft has shared.
The attacks were first spotted by Proofpoint researchers in early December 2022, and involved three rogue apps impersonating SSO and online meeting apps. Targets in these organizations who fell for the trick effectively allowed these rogue apps to access their O365 email accounts and infiltrate the organizations’ cloud environments.
“The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” Proofpoint researchers explained.
Using OAuth apps to bypass MFA
The increasing adoption of multifactor authentication (MFA) has made traditional account takeover techniques such as phishing, password brute-forcing or guessing less effective, so some attackers are resorting to consent phishing campaigns to gain prolonged access to targets’ accounts. Via rogue third-party OAuth apps, they gain the access and the required permissions to rifle through targets’ mailbox, calendar, meetings information, etc.
This attack technique is not new, but it’s definitely not widely deployed as it requires attackers to go through considerable effort to “set the stage.”
In this particular case, they had to trick Microsoft into supplying the “Publisher identity verified” blue badge to the three rogue apps – named “Single Sign-on (SSO)” and “Meeting”, and sporting an old Zoom icon – so that targets would trust them and allow them access to their accounts.
According to the company, the attackers impersonated legitimate companies when enrolling in the Microsoft Cloud Partner Program, and “used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD.”
Targeted users were fooled by the “publisher verified” badge, the publisher name (which was very similar to that of an existing legitimate publisher’s name), and links in each app’s consent form that pointed to the impersonated organization’s website.
“The application authorization request is proliferated via personalized ‘.html’ and ‘.htm’ files, which are linked to the application consent screen,” Proofpoint researchers shared. (They did not say how these files were delivered, but phishing emails are the likeliest mechanism.)
Mitigating the threat of malicious OAuth apps – “verified” or not
This particular campaign lasted until December 27th, 2022, and Microsoft has since disabled the malicious applications and notified affected customers.
“According to our analysis, this campaign appeared to target mainly UK-based organizations and users. Among the affected users were financial and marketing personnel, as well as high-profile users such as managers and executives,” Proofpoint researchers noted.
“We encourage those impacted customers to investigate and confirm if additional remediation is required, and all customers take steps to protect against consent phishing,” Microsoft said, and added that they “implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future.”
While companies should definitely train their employees to spot these attacks, it’s possible that the social engineering tricks employed by attackers will still fool some of them.
“Organizations should carefully evaluate the risks and benefits of granting access to third-party apps. Further, organizations should restrict user consent to apps with verified publishers and low risk delegated permissions,” the researchers advised. Also, they should deploy security solutions that can detect malicious third-party OAuth apps and notify the company’s security team when they do.
“Automated remediation actions, such as revoking malicious OAuth apps from your cloud environment, can greatly decrease threat actors’ dwell time and prevent most post-access risks,” they pointed out.
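The detection advice above, as an added example that is not part of this article or of Proofpoint's or Microsoft's own tooling: a small Python triage of constructed "Consent to application" audit records that flags grants requesting mailbox, calendar or meeting delegated scopes while deliberately ignoring the publisher-verified flag. The record field names, the sample records and the scope list are assumptions.

```python
# Added example: triage consent-grant audit records for mailbox/calendar/meeting
# delegated scopes, regardless of whether the publisher shows as verified.
# Records below are constructed for illustration, not real telemetry.

# Delegated Graph scopes that give a third-party app the kind of mailbox,
# calendar and meeting access this campaign sought (assumed list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite", "OnlineMeetings.Read",
    "offline_access",  # refresh token: prolonged access that outlives the session
}

# Constructed audit records loosely modelled on "Consent to application"
# events; field names are assumptions, not a documented schema.
SAMPLE_AUDIT = [
    {"operation": "Consent to application", "user": "cfo@example.com",
     "app": "Single Sign-on (SSO)", "publisher_verified": True,
     "scope": "openid profile offline_access Mail.ReadWrite Calendars.Read"},
    {"operation": "Consent to application", "user": "dev@example.com",
     "app": "Internal Tool", "publisher_verified": True,
     "scope": "openid profile User.Read"},
    {"operation": "Consent to application", "user": "ceo@example.com",
     "app": "Meeting", "publisher_verified": True,
     "scope": "openid profile offline_access Mail.Read OnlineMeetings.Read"},
    {"operation": "Add user", "user": "admin@example.com"},
]


def risky_consents(records):
    """Return (user, app, sorted risky scopes) for each consent grant that
    requests at least one HIGH_RISK scope.  The publisher_verified flag is
    ignored on purpose: the campaign showed the badge itself can be fraudulent,
    so the requested permissions, not the badge, drive the review decision."""
    hits = []
    for rec in records:
        if rec.get("operation") != "Consent to application":
            continue  # only consent grants are relevant here
        scopes = set(rec.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            hits.append((rec["user"], rec["app"], risky))
    return hits


if __name__ == "__main__":
    for user, app, scopes in risky_consents(SAMPLE_AUDIT):
        print(f"REVIEW: {user} granted {app!r}: {', '.join(scopes)}")
```

Each flagged grant is a candidate for the review-and-revoke step the researchers describe; the low-privilege "Internal Tool" grant is left alone.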