Microsoft-Verified OAuth Apps Used to Infiltrate Inboxes
Proofpoint Says Campaign Targeted UK Businesses With Malicious Authentication Apps
Cybercriminals exploited the verification process for Microsoft-certified authentication apps to obtain access to the inboxes of financial and marketing companies.
Security researchers from Proofpoint uncovered a December 2022 campaign active in the United Kingdom based on three malicious OAuth apps carrying Microsoft's deep blue "verified publisher" check mark of approval.
Microsoft says it has disabled the fraudulent authentication apps and notified affected customers, who had emails stolen. Threat actors impersonated legitimate companies, in two instances registering with Microsoft a typosquatted domain resembling a legitimate company with the .events top-level domain.
The computing giant dubs attacks that trick users into granting malicious permission to apps "consent phishing."
It is "less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps," Proofpoint says.
Among the permissions threat actors sought were access to emails and calendars, Proofpoint says. It's possible the threat actors intended to conduct business email compromise attacks, using their access to legitimate inboxes to harvest financial data. The FBI in May 2022 warned that business email compromise - whether through account compromise or impersonation - is a growing threat. Businesses across the globe lost $43 billion between June 2016 and December 2021 to the scam, the FBI said.
OAuth is a standard that uses third-party authorization servers - such as Microsoft - as an intermediary between users and providers of online resources, such as websites that require a logon. The system arose as a way to minimize the number of apps requiring a dedicated credential, easing the burden on users of recalling yet another password and on app providers of securing users' passwords.
Its security depends on the trustworthiness of authorization servers, making malicious OAuth applications a constant threat.
In lieu of a logon credential, OAuth supplies a token that the website treats as the equivalent of a legitimate password. The system also supplies a "refresh" token so the user can maintain access without again having to go through the authentication process. The refresh tokens in the campaign exposed by Proofpoint were set to last for a year.
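The two risk factors the article describes, mailbox and calendar permissions and long-lived refresh tokens, are what a defender should look for when reviewing consent grants. The following added example (not code from the article, Proofpoint or Microsoft) triages a constructed list of consent-grant records and scores each app by the scopes it was granted; the record layout and sample data are assumptions, and a verified-publisher badge is deliberately not treated as mitigating.

```python
"""Triage of OAuth consent grants for mailbox-access risk (added example).

Walks consent-grant records, modelled loosely on what an identity audit
log exports, and flags apps whose granted scopes give a mailbox foothold.
The record layout and the sample data below are constructed.
"""
from dataclasses import dataclass

# Delegated Microsoft Graph scopes that expose mail or calendar contents.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                  "Calendars.Read", "Calendars.ReadWrite"}
# offline_access is the scope that yields a refresh token, i.e. persistent access.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class ConsentGrant:
    app_name: str
    publisher_domain: str
    verified_publisher: bool
    scopes: list
    consented_by: str


def risk_findings(grant: ConsentGrant) -> list:
    """Return human-readable findings for one grant; empty list means low risk."""
    findings = []
    mailbox = sorted(s for s in grant.scopes if s in MAILBOX_SCOPES)
    if mailbox:
        findings.append(f"mailbox/calendar access: {', '.join(mailbox)}")
    if PERSISTENCE_SCOPE in grant.scopes:
        findings.append("offline_access: refresh token grants persistent access")
    if mailbox and grant.verified_publisher:
        # The badge attests to the publisher's identity, not to the app's intent.
        findings.append("verified publisher badge does not reduce this risk")
    return findings


def triage(grants) -> dict:
    """Map app name -> findings for every grant that warrants analyst review."""
    return {g.app_name: f for g in grants if (f := risk_findings(g))}


# Constructed sample records; names and domains are placeholders.
SAMPLE_GRANTS = [
    ConsentGrant("Expense Sync", "example-events.example", True,
                 ["User.Read", "Mail.Read", "Calendars.Read", "offline_access"],
                 "alice@corp.example"),
    ConsentGrant("Team Wiki", "wiki.example", True, ["User.Read"], "bob@corp.example"),
    ConsentGrant("Mail Archiver", "archive.example", False, ["Mail.ReadWrite"],
                 "carol@corp.example"),
]

if __name__ == "__main__":
    for app, findings in triage(SAMPLE_GRANTS).items():
        print(app)
        for line in findings:
            print("  -", line)
```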
Microsoft's publisher verification mechanism is meant to ensure that OAuth apps come from legitimate sources, a guarantee that does not always hold. The computing giant says it "implemented several additional security measures" to improve its vetting process.
Proofpoint reported the attack to Microsoft on Dec. 20 and the campaign ended on Dec. 27.