Hackers Abused Microsoft’s “Verified Publisher”

Feb 1, 2023 / By Securium Solutions

Microsoft announced that it had taken action to disable phony Microsoft Partner Network (MPN) accounts that were being used to build malicious OAuth applications as part of a criminal operation to infiltrate the cloud environments of enterprises and steal email.

The IT company claimed that the fraudulent actors “built applications that were subsequently deployed in a consent phishing campaign, which duped users into authorizing access to the phony apps.”

“This phishing campaign primarily targeted clients in the United Kingdom and Ireland.”

Consent phishing is a type of social engineering attack in which users are persuaded to grant permissions to malicious cloud applications; those permissions are then used to access protected user data and legitimate cloud services. Microsoft said it learned of the campaign on December 15, 2022.

Impacted customers have since been notified by email, and Microsoft noted that the threat actors exploited the granted permissions to exfiltrate mailboxes.

The disclosure coincides with a Proofpoint report describing how threat actors compromised corporate cloud environments by abusing Microsoft’s “verified publisher” status.

The campaign is notable because it succeeded in deceiving Microsoft into granting the blue verified badge by impersonating well-known companies.

According to the business, “The actor added a verified publisher to OAuth app registrations they made in Azure AD by using fraudulent partner accounts.”

In these attacks, first observed on December 6, 2022, copycat versions of trusted apps such as Zoom were used to trick targets into granting access and to facilitate data theft.

Targets included finance and marketing staff, managers, and senior executives.

The rogue OAuth apps, according to Proofpoint, had “far-reaching delegated permissions” that included reading emails, changing mailbox settings, and accessing files and other data linked to the user’s account.

It also noted that, in contrast to a prior campaign that compromised already-verified Microsoft publishers to abuse OAuth app capabilities, the latest attacks impersonate trustworthy publishers in order to become verified and then distribute malicious applications.

Two of the apps were named “Single Sign-on (SSO),” while the third attempted to pass as video conferencing software by using the term “Meeting.”

All three apps, created by three separate publishers, targeted the same companies and used the same attacker-controlled infrastructure.
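Defensive triage of this pattern, as an added example that is not from this post or from Microsoft or Proofpoint: the script below walks service principals and delegated permission grants in the shape Microsoft Graph returns them (the /servicePrincipals and /oauth2PermissionGrants endpoints) and scores each grant for the traits described above: mailbox and file scopes, admin consent on behalf of all users, generic lure names such as “Single Sign-on (SSO)” or “Meeting,” and a verified publisher whose name does not match the brand the app borrows. The sample records, scope weights, lure words and brand list are constructed assumptions for this example; the field names (displayName, appId, verifiedPublisher, clientId, consentType, scope) are the Graph property names.

```python
"""Triage OAuth2 delegated permission grants for consent-phishing indicators.

Added example; not code from the original post, Microsoft or Proofpoint.
Input records mirror Microsoft Graph /servicePrincipals and
/oauth2PermissionGrants objects. All sample values below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Delegated Graph scopes that give a third-party app standing access to a user's
# mail and files. Weights are an assumption for this example, not a Microsoft scale.
RISKY_SCOPES = {
    "Mail.Read": 3,
    "Mail.ReadWrite": 4,
    "MailboxSettings.ReadWrite": 3,
    "Files.Read.All": 3,
    "Files.ReadWrite.All": 4,
    "offline_access": 2,  # refresh tokens: access outlives the user's session
}

# Generic names that borrow trust from a category rather than a specific product.
LURE_NAME_PATTERN = re.compile(r"\b(sso|single sign[- ]?on|meeting)\b", re.I)

# Brand words an app name may carry. A verified publisher that is not that brand
# is the mismatch the campaign relied on (a "Zoom" app verified by someone else).
KNOWN_BRANDS = ("zoom", "microsoft", "google", "adobe")


@dataclass
class Finding:
    app_display_name: str
    app_id: str
    score: int
    reasons: list[str] = field(default_factory=list)


def triage_grants(service_principals: list[dict], grants: list[dict]) -> list[Finding]:
    """Return findings for grants with any risk indicator, highest score first."""
    sp_by_object_id = {sp["id"]: sp for sp in service_principals}
    findings: list[Finding] = []
    for grant in grants:
        sp = sp_by_object_id.get(grant["clientId"])
        if sp is None:
            continue  # grant points at a principal we were not given
        name = sp.get("displayName", "")
        score, reasons = 0, []
        for scope in grant.get("scope", "").split():
            weight = RISKY_SCOPES.get(scope)
            if weight:
                score += weight
                reasons.append(f"delegated scope {scope}")
        if grant.get("consentType") == "AllPrincipals":
            score += 2
            reasons.append("admin consent on behalf of all users")
        if LURE_NAME_PATTERN.search(name):
            score += 2
            reasons.append(f"generic lure name {name!r}")
        # Graph returns verifiedPublisher with null fields when no publisher is set.
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        brand = next((b for b in KNOWN_BRANDS if b in name.lower()), None)
        if publisher is None:
            score += 1
            reasons.append("no verified publisher")
        elif brand and brand not in publisher.lower():
            score += 3
            reasons.append(f"name implies {brand} but verified publisher is {publisher!r}")
        if score:
            findings.append(Finding(name, sp["appId"], score, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample data: ids, names and publishers are made up for this example.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Zoom Meeting",
     "verifiedPublisher": {"displayName": "Acme Partner Ltd", "verifiedPublisherId": "v-1"}},
    {"id": "sp-2", "appId": "app-2", "displayName": "Single Sign-on (SSO)",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-3", "appId": "app-3", "displayName": "Expense Reports",
     "verifiedPublisher": {"displayName": "Contoso Finance", "verifiedPublisherId": "v-2"}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "scope": "Mail.Read MailboxSettings.ReadWrite Files.Read.All offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite offline_access"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-2",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS):
        print(f"{f.score:3d}  {f.app_display_name} ({f.app_id})")
        for reason in f.reasons:
            print(f"       - {reason}")
```

In a real tenant the two lists would come from the Graph endpoints named above (or their PowerShell equivalents) rather than the constructed samples; the benign "Expense Reports" app produces no finding, while the two lure-named apps rise to the top because mailbox scopes, a missing or mismatched verified publisher and tenant-wide consent compound. Grants that score high are candidates for revocation, and the tenant's user consent settings can be tightened so that users may only consent to apps from verified publishers for low-privilege permissions, with everything else routed through an admin consent request.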

According to the enterprise security firm, “the potential effect to enterprises includes compromised user accounts, data exfiltration, brand abuse of fake companies, business email compromise (BEC) fraud, and mailbox abuse.”

The campaign is reported to have ended on December 27, 2022, after Proofpoint notified Microsoft of the attack on December 20 and the apps were removed.

The findings show the level of sophistication used to carry out the attack, how Microsoft’s security measures were circumvented, and how users’ trust in enterprise vendors and service providers was abused.

This is not the first time fake OAuth apps have been used to attack Microsoft’s cloud services.

In January 2022, Proofpoint described the OiVaVoii threat activity, which targeted high-level executives to seize control of their accounts.

Then, in September 2022, Microsoft disclosed that it had stopped an attack that used rogue OAuth applications deployed on compromised cloud tenants to take over Exchange servers and send spam.

Aryan Majumder
Securium Solution Cyber Security Intern
