Microsoft verified OAuth apps for inbox penetration
Business Email Compromise (BEC), Fraud & Cybercrime, Identity & Access Management
Proofpoint Says Campaign With Malicious Authentication Apps Targeting UK Businesses
Prajeet Nair (@prajeetspeaks) •
January 31, 2023
Cybercriminals have exploited Microsoft’s certified authentication application verification process to gain access to the mailboxes of financial and marketing companies.
See also: Expanding Microsoft 365 email security infrastructure
Security researchers at Proofpoint uncovered a campaign active in the UK in December 2022 based on three malicious OAuth applications with Microsoft’s deep blue “verified publisher” markings.
Microsoft says it has disabled the fraudulent authentication apps and notified affected customers whose emails were stolen. The actors of the threat pretended to be legitimate companies, in two cases they registered a misspelled domain with Microsoft that resembled a legitimate company.
events top level domain.
The computing giant syncs attacks that trick users into granting malicious permissions to apps that “consent to phishing.”
“It’s less likely to be detected than traditional phishing or brute force attacks. Organizations typically have weaker and deeper defense controls against threat actors using verified OAuth applications,” says Proofpoint.
According to Proofpoint, the threat actors’ permissions included access to email and calendars. Threat actors may conduct business email compromise attacks, using their access to legitimate mailboxes to collect financial data. The FBI warned in May 2022 that business email compromises, whether through account hacking or the misuse of personal information, are a growing threat. According to the FBI, businesses worldwide lost $43 billion to fraud between June 2016 and December 2021.
OAuth is a standard that uses third-party authentication servers, such as Microsoft’s, as intermediaries between users and providers of online resources, such as websites that require logins. The system was created to minimize the number of applications that require dedicated credentials, easing users from having to retrieve a new password and app providers from protecting users’ passwords.
Its security depends on the trustworthiness of authorization servers, so malicious OAuth applications are a constant threat.
Instead of login credentials, OAuth provides a credential that the website uses as a legitimate password. The system also provides a “refresh” token so the user can maintain access without going through the authentication process again. Campaign refresh tokens published by Proofpoint were valid for one year.
Microsoft’s publisher verification mechanism is meant to ensure that OAuth applications come from a legitimate source, which is not always the case. The IT giant says it has “implemented several additional security measures” to improve the vetting process.
Proofpoint reported the attack to Microsoft on December 20, and the campaign ended on December 27.