Microsoft warning: These phishing attackers used fake OAuth clients to steal emails
Microsoft has warned that fraudulent Microsoft Partner Network (MPN) accounts have been used in a phishing campaign featuring fake apps tricking victims into giving them access to their email accounts.
The attackers used the fraudulent MPN accounts to register fake versions of legitimate-sounding applications, such as “Single Sign On (SSO)” and “Meetings”, dressed up with convincing visual indicators, including Zoom’s older video icon and Zoom-like icons and URLs, according to security firm Proofpoint.
The attackers first impersonated legitimate companies to sign up for the Microsoft Cloud Partner Program or MCPP (formerly known as the Microsoft Partner Network or MPN), then used these accounts to add a verified publisher to the OAuth applications they created in Azure Active Directory (AD).
Microsoft classifies the attack as “consent phishing” because the attackers use fake apps and Azure AD-based OAuth consent prompts (pictured below) to trick targets into granting the applications permissions, such as reading emails and accessing contacts, which then persist, potentially for an entire year. Additionally, with verified publisher status, the publisher name receives a blue ‘verified’ badge, which indicates that Microsoft has verified the app’s publisher.
Microsoft said in a blog post that the phishing campaign had targeted “a small group of customers mainly in the UK and Ireland”. It has also disabled the fraudulent apps and notified affected customers.
Microsoft has seen incidents of consent phishing steadily increasing in recent years, with the technique used to target Office 365 customers. The OAuth token is valuable to an attacker because it is granted by the victim: the attacker never asks for the target’s account password but can still access confidential data. Microsoft recently updated its documentation on this attack style.
Proofpoint detected the malicious third-party OAuth applications on December 6 and notified Microsoft on December 20. Proofpoint noted that the phishing campaign ended on December 27. Microsoft became aware of the consent-phishing campaign on December 15.
Proofpoint highlights OAuth authorization fraud as a powerful tool that can allow malicious apps to act on behalf of users, accessing mailbox, calendar, and meeting-invitation resources associated with the compromised user account.
“The issued tokens (refresh tokens) have a shelf life longer than one year in most cases. This allows threat actors to access the compromised account’s data, and the ability to take advantage of a compromised Microsoft account in subsequent BEC or other attacks,” it noted.
Microsoft has identified the primary goal of this campaign as exfiltrating the target organization’s email.
“Microsoft’s investigation determined that after the victim user consented, the threat actors used third-party OAuth applications as the primary technique/vector to steal emails. All affected customers whose users consented to these applications have been notified,” it noted.
So, how did the threat actors bypass Microsoft’s checks for MPN/MCPP? According to Proofpoint, the crooks displayed a name on their fraudulent apps that looked like the name of an existing legitimate publisher, while hiding the actual “verified publisher” name, which was different from the one shown. Proofpoint notes that, in two cases, the attackers received verification just a day after they created the malicious app.
Once the attackers received the verified publisher ID, they also added links in each app to the “terms of service” and “policy statement” pages on the impersonated organization’s website. Past consent phishing campaigns have involved existing MPN-verified publishers being abused for OAuth; this new method makes malicious OAuth applications look more credible.
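As an added illustration (not code from Microsoft or Proofpoint), the following Python triage shows the kind of check a tenant administrator could run over exported consent-grant records to surface the pattern described above: a displayed publisher name that does not match the verified publisher, combined with mailbox or contacts scopes and `offline_access`. The record layout, field names and sample grants are constructed assumptions, not Azure AD’s actual export schema.

```python
# Added example (not Microsoft's or Proofpoint's code): triage OAuth consent grants
# for the consent-phishing pattern in the article. Record layout and field names
# are constructed assumptions, not Azure AD's export schema.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Delegated scopes that hand an app mailbox, contacts or calendar access;
# offline_access yields a refresh token, which the article notes can outlive a year.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Calendars.Read"}
LONG_LIVED_SCOPE = "offline_access"

@dataclass
class ConsentGrant:
    app_display_name: str              # app name shown on the consent prompt
    publisher_display_name: str        # publisher name the user sees
    verified_publisher: Optional[str]  # MPN-verified publisher behind the blue badge
    scopes: Set[str]                   # delegated permissions the user consented to

def triage(grant: ConsentGrant) -> List[str]:
    """Return the reasons a grant looks suspicious; an empty list means clean."""
    reasons = []
    # The campaign showed a look-alike publisher name while the actual verified
    # publisher was different, so a mismatch between the two is the key signal.
    shown, verified = grant.publisher_display_name, grant.verified_publisher
    if verified is not None and verified.strip().lower() != shown.strip().lower():
        reasons.append("displayed publisher differs from verified publisher")
    sensitive = sorted(grant.scopes & SENSITIVE_SCOPES)
    if sensitive:
        reasons.append("sensitive scopes: " + ", ".join(sensitive))
    if LONG_LIVED_SCOPE in grant.scopes:
        reasons.append("offline_access grants a long-lived refresh token")
    return reasons

def suspicious_grants(grants: List[ConsentGrant]) -> Dict[str, List[str]]:
    """Map app name -> reasons for grants worth revoking and investigating:
    a publisher-name mismatch, or sensitive scopes paired with offline_access."""
    report = {}
    for g in grants:
        reasons = triage(g)
        mismatch = any(r.startswith("displayed publisher") for r in reasons)
        persistent_mail = bool(g.scopes & SENSITIVE_SCOPES) and LONG_LIVED_SCOPE in g.scopes
        if mismatch or persistent_mail:
            report[g.app_display_name] = reasons
    return report

# Constructed sample records; publisher names are placeholders, not real companies.
SAMPLE_GRANTS = [
    ConsentGrant("Single Sign On (SSO)", "Example Meetings Inc", "Example Holdings Ltd",
                 {"User.Read", "Mail.Read", "Contacts.Read", "offline_access"}),
    ConsentGrant("Contoso Expenses", "Contoso", "Contoso", {"User.Read"}),
]
```

Grants the report lists are candidates for revoking the consent and reviewing the affected mailboxes, since the refresh token keeps working after any password change.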
Microsoft said it has “implemented a number of additional security measures to improve the MCPP audit process and reduce the risk of similar fraud in the future.”