Attackers abuse Microsoft’s 'verified publisher' status to steal data

2023-02-01 06:30

Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings.

According to researchers with Proofpoint, which uncovered the campaign in early December, hijacking the "Verified publisher" status enabled the cybercriminals to satisfy some of Microsoft's requirements for distributing OAuth applications.

The software giant's Security Response Center wrote that the crooks impersonated legitimate companies when enrolling in Microsoft's Cloud Partner Program and used fraudulent partner accounts to add a verified publisher to the OAuth registrations created in Azure Active Directory.

Microsoft gives an app publisher a "Verified publisher" status when their identity has been verified using the MCPP. OAuth has been abused in the past by cybercriminals.

In September 2022, Microsoft revealed that researchers investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and used to control Exchange Online settings and spread spam.

"After gaining a verified publisher ID, threat actors added links in each app to the 'terms of service' and 'policy statement' that point to the impersonated organization's website," they wrote.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/02/01/microsoft_oauth_attack_proofpoint/

#microsoft #stealdata

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Status		3	0	5	3	0	8