26 C
Mumbai
Sunday, March 3, 2024
HomeCyber AttacksHackers Abused Microsoft's OAuth Apps "Verified Publisher" to Breach Corporate Email Accounts

Hackers Abused Microsoft’s OAuth Apps “Verified Publisher” to Breach Corporate Email Accounts

Date:

Related stories

Remote Access Trojan (RAT): Their Types, Mitigation & Removal

Remote Access Trojan (RAT): Their Types, Mitigation & Removal Post...

Chinese Hackers Exploited Barracuda’s ESG Appliances

Chinese Hackers Exploited Barracuda's ESG Appliances Barracuda has revealed that...

China-Linked Budworm Targeting Middle Eastern Telco & Asian Government Agencies

China-Linked Budworm Targeting Middle Eastern Telco & Asian Government...

Most Important Cyber Security Tips 2023

Most Important Cyber Security Tips 2023 Important Cyber Security Security...

Every Business Owner 10 Essential Cybersecurity Facts Must Know

Every Business Owner 10 Essential Cybersecurity Facts Must Know In...
Microsoft oauth app

Hackers Abused Microsoft’s OAuth Apps “Verified Publisher” to Breach Corporate Email Accounts

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations’ cloud environments and steal email.

“The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps,” the tech giant said. “This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland.”

Consent phishing is a social engineering attack wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data.

The Windows maker said it became aware of the campaign on December 15, 2022. It has since alerted affected customers via email, with the company noting that the threat actors abused the consent to exfiltrate mailboxes.

On top of that, Microsoft said it implemented additional security measures to improve the vetting process associated with the Microsoft Cloud Partner Program (formerly MPN) and minimize the potential for fraud in the future.

The disclosure coincides with a report released by Proofpoint about how threat actors have successfully exploited Microsoft’s “verified publisher” status to infiltrate the cloud environments of organizations.

What’s notable about the campaign is that by mimicking popular brands, it was also successful at fooling Microsoft in order to gain the blue verified badge. “The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD,” the company explained.

These attacks, which were first observed on December 6, 2022, employed lookalike versions of legitimate apps like Zoom to deceive targets into authorizing access and facilitate data theft. Targets included financial, marketing, managers, and senior executives.

Proofpoint noted the malicious OAuth apps had “far-reaching delegated permissions” such as reading emails, adjusting mailbox settings, and gaining access to files and other data connected to the user’s account.

It also said that unlike a previous campaign that compromised existing Microsoft verified publishers to take advantage of OAuth app privileges, the latest attacks are designed to impersonate legitimate publishers to become verified and distribute the rogue apps.

Two of the apps in question were named “Single Sign-on (SSO),” while the third app was called “Meeting” in an attempt to masquerade as video conferencing software. All three apps, created by three different publishers, targeted the same companies and leveraged the same attacker-controlled infrastructure.

“The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” the enterprise security firm said.

The campaign is said to have come to an end on December 27, 2022, after Proofpoint informed Microsoft of the attack on December 20 and the apps were disabled.

The findings demonstrate the sophistication that has gone into mounting the attack, not to mention bypass Microsoft’s security protections and misuse the trust users place in enterprise vendors and service providers.

This is not the first time bogus OAuth apps have been used to target Microsoft’s cloud services. In January 2022, Proofpoint detailed another threat activity dubbed OiVaVoii that targeted high-level executives to seize control of their accounts.

Then in September 2022, Microsoft revealed that it dismantled an attack that made use of rogue OAuth applications deployed on compromised cloud tenants to ultimately seize control of Exchange servers and distribute spam.

Found this article interesting? Then comments us on this article your reviews and feedback.

Technogeek Online
Technogeek Onlinehttps://technogeek.online
Technogeek Online mission is to be a digital for technical decision-makers to gain knowledge about transformative technology. We deliver essential information on cyber technologies and strategies to guide you as you lead your organizations. We are inviting you to become a member of our community.

Subscribe

- Never miss a story with notifications

- Gain full access to our premium content

- Browse free from up to 5 devices at once

Latest stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here