Proofpoint researchers uncovered a malicious OAuth app campaign that leveraged Microsoft's "verified publisher" status to meet some of its OAuth app distribution requirements.
These malicious apps were granted extensive delegated permissions, such as the ability to read emails, change mailbox settings, and access files and data linked to a user's account.
Diving into details
The attack campaign indicates that users were probably tricked into giving consent when the OAuth app requested access to data via the user’s account. - The researchers observed three malicious apps published by three distinct developers, which aimed at the same organizations and were linked to the same malicious infrastructure.
- The victims mainly appear to be U.K.-based organizations and individuals, including marketing and financial personnel and high-profile users.
Why this matters
- Once consent was granted, the attackers could access and manipulate mailbox resources and meeting and calendar invitations.
- Since the granted token has an expiry date of over a year, the threat actors were able to access the compromised account’s data.
- Furthermore, it could have allowed them to use the compromised Microsoft account in later BEC attacks.
- In addition to the above, the compromised accounts could lead to brand abuse, which can be challenging for the victim organization.
Other incidents abusing Microsoft products
- A few days back, researchers discovered malspam emails impersonating DHL shipping notifications, ACH remittance forms, invoices, shipping documents, and mechanical drawings with a Microsoft OneNote attachment. The hackers inserted malicious VBS attachments into a NoteBook that launched the malware.
- In December 2022, the UNC4166 threat actor launched social engineering supply-chain attacks against the Ukrainian government. It leveraged trojanized ISO files pretending to be legitimate Windows 10 installers.
The bottom line
Proofpoint recommends exercising caution when granting access to third-party OAuth apps, even if they have Microsoft verification. It is, moreover, advised to guard the cloud environment by taking proactive measures and ensuring security solutions can detect impersonation attempts by malicious OAuth apps and notify the security team promptly to stop and address the risks.