The Microsoft Security Intelligence team is warning that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a bogus app that then lets attackers read and write emails. The team reported that attackers are sending the OAuth phishing emails to "hundreds" of Office 365 customers.
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without handing over their passwords. Companies such as Amazon, Google, Facebook, Microsoft and Twitter use it to let users share information about their accounts with third-party applications or websites.
The potentially malicious app, dubbed 'Upgrade', asks users to grant it OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items, and read contacts, according to Microsoft Security Intelligence. Targets see a consent prompt asking them to grant the app various permissions, such as reading and writing their files and reading their calendars.
OAuth has been abused by attackers in the past and this trend forced Google to introduce stricter verification requirements for developers who use it to connect to Google apps. "The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers," Microsoft team members stated.
Threat hunter @ffforward reported the OAuth phishing campaign to Microsoft. According to @ffforward, the Upgrade app was listed as coming from the verified publisher Counseling Services Yuma PC. The same Upgrade app had previously been offered to Office 365 users from an unverified account.
Microsoft recently said consent-phishing emails, or "illicit consent grants" that abuse OAuth requests, have steadily increased over the past few years. Consent phishing is an alternative to credential phishing. Instead of capturing passwords with phishing login pages, attackers use OAuth permission request screens to lure victims into granting access tokens that give the attacker account data from connected apps. In this scenario the victim signs in legitimately with an identity provider, such as Microsoft or Google, so no password is ever entered on an attacker-controlled page; the attacker simply receives a token scoped to whatever permissions the victim approved. Despite lacking a password, the attacker can still do things like set a rule to forward emails from a target to an attacker-controlled email account, laying the groundwork for future attacks.
"In most cases, consent phishing attacks do not involve password theft, as access tokens don't require knowledge of the user's password, yet attackers are still able to steal confidential data and other sensitive information. Attackers can then maintain persistence in the target organization and perform reconnaissance to further compromise the network," a Microsoft representative noted.[1]
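The defensive check that follows from the above is to look at which apps in your own tenant already hold delegated consent for mail, mailbox-settings (inbox rules), calendar and contact scopes, and how many users granted it. The example below is added here and is not code from the article, from Microsoft or from Red Sky Alliance. It triages records shaped like the Microsoft Graph oauth2PermissionGrant and servicePrincipal resources (the field names clientId, consentType, principalId, scope and verifiedPublisher are real Graph fields); the app names, user IDs and scope combinations in the sample data are constructed, and the scope-to-capability mapping and severity thresholds are the editor's assumptions, not a Microsoft list.

```python
"""Triage OAuth consent grants in an Azure AD / Entra ID tenant for mail-access risk.

Added example: field names follow the Microsoft Graph oauth2PermissionGrant and
servicePrincipal resources; all sample records below are constructed, not real
tenant data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Delegated scopes that correspond to the capabilities the article describes
# (inbox rules, read/write mail and calendar items, read contacts) plus
# offline_access, which yields a refresh token and therefore persistent access.
# This mapping is the editor's assumption, not an official Microsoft list.
RISKY_SCOPES = {
    "Mail.Read": "read mail",
    "Mail.ReadWrite": "read and write mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create inbox / forwarding rules",
    "Calendars.ReadWrite": "read and write calendar items",
    "Contacts.Read": "read contacts",
    "offline_access": "refresh token (persistent access)",
}
# Any one of these alone justifies a high severity: it lets the grantee read
# mail or silently forward it via an inbox rule.
HIGH_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite"}


@dataclass
class ServicePrincipal:            # subset of Graph servicePrincipal
    object_id: str
    display_name: str
    verified_publisher: Optional[str]   # None => unverified publisher


@dataclass
class PermissionGrant:             # subset of Graph oauth2PermissionGrant
    client_id: str                 # objectId of the consenting app's service principal
    consent_type: str              # "Principal" (one user) or "AllPrincipals" (admin, tenant-wide)
    principal_id: Optional[str]    # consenting user, None for AllPrincipals
    scope: str                     # space-separated delegated scopes


@dataclass
class Finding:
    app: str
    verified_publisher: Optional[str]
    risky_scopes: List[str]
    user_consents: int
    admin_consented: bool
    severity: str


def triage(sps: List[ServicePrincipal], grants: List[PermissionGrant]) -> List[Finding]:
    """Group grants per app, keep only risky scopes, rank by blast radius."""
    by_id = {sp.object_id: sp for sp in sps}
    agg: Dict[str, dict] = {}
    for g in grants:
        risky = set(g.scope.split()) & set(RISKY_SCOPES)
        if not risky:
            continue
        entry = agg.setdefault(g.client_id, {"scopes": set(), "users": 0, "admin": False})
        entry["scopes"] |= risky
        if g.consent_type == "AllPrincipals":
            entry["admin"] = True
        else:
            entry["users"] += 1

    findings: List[Finding] = []
    for cid, e in agg.items():
        sp = by_id.get(cid)
        name = sp.display_name if sp else f"<unknown service principal {cid}>"
        publisher = sp.verified_publisher if sp else None
        high = bool(e["scopes"] & HIGH_SCOPES)
        # Persistent tokens or tenant-wide admin consent widen the blast radius.
        # A verified publisher deliberately does NOT lower the severity: the
        # campaign in the article was reportedly served from a verified publisher.
        if high and ("offline_access" in e["scopes"] or e["admin"]):
            severity = "critical"
        elif high:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(name, publisher, sorted(e["scopes"]),
                                e["users"], e["admin"], severity))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f.severity], f.app))
    return findings


# Constructed sample tenant: one app mirroring the permission set the article
# describes (with a verified publisher), one calendar tool, one benign app.
_MAIL_SCOPES = ("openid profile offline_access Mail.ReadWrite "
                "MailboxSettings.ReadWrite Calendars.ReadWrite Contacts.Read")
SAMPLE_SPS = [
    ServicePrincipal("sp-1", "Upgrade (constructed sample)", "Example Publisher LLC"),
    ServicePrincipal("sp-2", "Calendar Sync (constructed)", None),
    ServicePrincipal("sp-3", "Expense Report (constructed)", "Example Publisher LLC"),
]
SAMPLE_GRANTS = [
    PermissionGrant("sp-1", "Principal", "user-a", _MAIL_SCOPES),
    PermissionGrant("sp-1", "Principal", "user-b", _MAIL_SCOPES),
    PermissionGrant("sp-1", "Principal", "user-c", _MAIL_SCOPES),
    PermissionGrant("sp-2", "Principal", "user-a", "openid Calendars.ReadWrite"),
    PermissionGrant("sp-3", "AllPrincipals", None, "openid User.Read Files.Read"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SPS, SAMPLE_GRANTS):
        pub = f.verified_publisher or "UNVERIFIED"
        print(f"[{f.severity.upper():8}] {f.app} (publisher: {pub}) "
              f"users={f.user_consents} admin={f.admin_consented}")
        for s in f.risky_scopes:
            print(f"            {s:26} -> {RISKY_SCOPES[s]}")
```

In a live tenant the same two record types come from the Microsoft Graph PowerShell cmdlets `Get-MgOauth2PermissionGrant` and `Get-MgServicePrincipal` (or the `/oauth2PermissionGrants` and `/servicePrincipals` Graph endpoints); feed their output into `triage()` in place of the constructed sample. Treat the publisher field as context only: as the article notes, the Upgrade app was listed under a verified publisher, so a verification badge is not a reason to skip review of an app holding mail and mailbox-settings scopes.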
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com.
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-that-wants-to-read-your-emails/