
Attackers used malicious “verified” OAuth apps to infiltrate organizations’ O365 email accounts
2023-01-31 13:49

Malicious third-party OAuth apps with an evident "Publisher identity verified" badge have been used by unknown attackers to target organizations in the UK and Ireland, Microsoft has shared.

Targets in these organizations who have fallen for the trick effectively allowed these rogue apps to access their O365 email accounts and infiltrate organizations' cloud environments.

Using OAuth apps to bypass MFA

The increasing adoption of multifactor authentication has made traditional account takeover techniques such as phishing, password brute-forcing or guessing less effective, so some attackers are resorting to consent phishing campaigns to gain prolonged access to targets' accounts.

According to the company, the attackers impersonated legitimate companies when enrolling in the Microsoft Cloud Partner Program, and "used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD."

Mitigating the threat of malicious OAuth apps - "Verified" or not

"Organizations should carefully evaluate the risks and benefits of granting access to third-party apps. Further, organizations should restrict user consent to apps with verified publishers and low risk delegated permissions," the researchers advised.


News URL

https://www.helpnetsecurity.com/2023/01/31/malicious-verified-oauth-apps-o365/