Proofpoint researchers have discovered a new malicious third-party OAuth app campaign that abused the Microsoft “verified publisher” status to satisfy some of Microsoft’s requirements on OAuth app distribution. The verified publisher status is the equivalent of getting verified on popular platforms such as Instagram, Twitter, or the Apple AppStore in the enterprise world.
This campaign increased the probability that users were tricked into granting consent when a malicious third-party OAuth app requests access to data accessible via a user’s account. Proofpoint observed that the malicious apps had far-reaching delegated permissions such as reading emails, adjusting mailbox settings, and gaining access to files and other data linked to the user’s account.
The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse. The attack was less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps.
Proofpoint identified three malicious apps created by three different malicious publishers. These apps targeted the same organizations and are associated with the same malicious infrastructure. Multiple users were observed authorizing the malicious apps, thereby compromising their organization’s environment. Among the affected users were financial and marketing personnel, as well as high-profile users such as managers and executives.
When granted consent by users, the default delegated permissions in the malicious applications allow threat actors to access and manipulate mailbox resources, calendar and meeting invitations linked to the compromised users’ accounts. As the permissions also provide “offline access”, the access does not require user interaction after consent. The granted token (refresh token) has a long expiry duration of over a year in most cases. This gave threat actors access to the compromised account’s data and the ability to leverage the compromised Microsoft account in subsequent BEC or other attacks.
Recommendations:
- It is important to exercise caution when granting access to third-party OAuth apps, even if they are verified by Microsoft. Proofpoint advises not trust and rely on OAuth apps based on their verified publisher status alone. Due to the sophistication of such attacks, end users are likely to fall prey to the advanced social engineering methods.
- Organizations should carefully evaluate the risks and benefits of granting access to third-party apps. Microsoft recommends security teams follow best practices to prevent OAuth app “consent phishing”. Further, organizations should restrict user consent to apps with verified publishers and low risk delegated permissions.
- They should take proactive steps to protect their cloud environments. Ensure your security solutions can: (1) detect malicious third-party OAuth apps employing impersonation techniques; and (2) notify your security team in-time to stop and remediate risks.
- Automated remediation actions, such as revoking malicious OAuth apps from your cloud environment, can greatly decrease threat actors’ dwell time and prevent most post-access risks.
Proofpoint threat researchers continue to monitor the campaign, including the threat actors’ activity and associated infrastructure. The campaign ended on December 27th, 2022. Microsoft has since disabled the malicious applications while continuing to investigate this attack.