Microsoft: OAuth apps used to automate BEC and cryptomining attacks (Security News, December 2023)
Microsoft warns that financially motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining.
Recent incidents investigated by Microsoft Threat Intelligence show that the attackers first compromise user accounts that lack robust authentication, through phishing or password-spraying attacks, and focus on accounts that hold permissions to create or modify OAuth apps.
In separate instances, the attacker created multitenant OAuth apps for persistence, added new credentials to them, and used them to read email or send phishing emails via the Microsoft Graph API. "At the time of analysis, we observed that the threat actor created around 17,000 multitenant OAuth applications across different tenants using multiple compromised user accounts," Microsoft said.
"Based on the email telemetry, we observed that the malicious OAuth applications created by the threat actor sent more than 927,000 phishing emails. Microsoft has taken down all the malicious OAuth applications found related to this campaign, which ran from July to November 2023."
The compromised accounts were also used to create new OAuth apps inside the targeted organization, which let the attackers send thousands of spam emails a day, in some cases months after the initial breach.
To defend against this abuse, Microsoft recommends enforcing MFA, which thwarts the password-spraying, credential-stuffing and phishing attacks used to take over the accounts that go on to create the apps.
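MFA addresses the initial account takeover, but the chain the article describes (an account creates an app registration, adds a credential to it minutes later, then grants it mail permissions, or mass-creates app registrations) is also visible in the Entra ID audit log. The following hunt is an added example written for this page; it is not code from the article or from Microsoft. It assumes records in the shape of the Microsoft Graph `directoryAudit` resource (`activityDisplayName`, `activityDateTime`, `initiatedBy`, `targetResources`), the activity names shown in the constants, and the constructed sample records below; confirm field and activity names against your own tenant's export before trusting exact matches.

```python
"""Hunt Entra ID audit-log records for OAuth app registrations that are
created and then armed (credential added, mail permission granted) by the
same user, or for a single user mass-creating app registrations."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Activity names as they appear in Entra ID audit logs (assumption; confirm
# against your tenant's export before relying on exact string matches).
CREATE = "Add application"
CREDENTIAL = "Update application – Certificates and secrets management"
ROLE_ASSIGN = "Add app role assignment to service principal"
# Graph application permissions that let an app read or send mail.
MAIL_PERMISSIONS = {"Mail.Send", "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}


def _rec(ts, activity, user, app_id, app_name, rtype="Application", props=None):
    """Build one directoryAudit-shaped record (constructed sample data)."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": user}},
            "targetResources": [{"id": app_id, "displayName": app_name, "type": rtype,
                                 "modifiedProperties": props or []}]}


# Constructed sample log: alice's app gets a secret and Mail.Send within
# minutes of creation, bob creates one idle app, mallory mass-creates apps.
SAMPLE_AUDIT_LOG = [
    _rec("2023-10-02T09:00:00Z", CREATE, "alice@contoso.example", "app-0001", "Mailbox Sync Helper"),
    _rec("2023-10-02T09:03:00Z", CREDENTIAL, "alice@contoso.example", "app-0001", "Mailbox Sync Helper"),
    _rec("2023-10-02T09:05:00Z", ROLE_ASSIGN, "alice@contoso.example", "app-0001", "Mailbox Sync Helper",
         rtype="ServicePrincipal",
         # Entra serialises newValue as a JSON-encoded string, hence the inner quotes.
         props=[{"displayName": "AppRole.Value", "newValue": "\"Mail.Send\""}]),
    _rec("2023-10-02T11:00:00Z", CREATE, "bob@contoso.example", "app-0002", "Expense Report Bot"),
] + [
    _rec(ts, CREATE, "mallory@contoso.example", f"app-{n:04d}", f"Sync Service {n}")
    for n, ts in enumerate(["2023-10-02T13:00:00Z", "2023-10-02T13:04:00Z",
                            "2023-10-02T13:09:00Z", "2023-10-02T13:15:00Z"], start=3)
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _user(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def _app(rec):
    """Return (id, displayName) of the app or service principal the record targets."""
    for target in rec.get("targetResources", []):
        if target.get("type") in ("Application", "ServicePrincipal"):
            return target.get("id"), target.get("displayName")
    return None, None


def _granted_permissions(rec):
    """Collect AppRole.Value entries from modifiedProperties, decoding the JSON wrapper."""
    perms = set()
    for target in rec.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "AppRole.Value" or not prop.get("newValue"):
                continue
            try:
                value = json.loads(prop["newValue"])
            except ValueError:
                value = prop["newValue"]
            if isinstance(value, str):
                perms.add(value)
    return perms


def hunt_oauth_app_abuse(records, credential_window=timedelta(minutes=30),
                         burst_window=timedelta(minutes=60), burst_threshold=3):
    """Return findings: apps armed shortly after creation, mail permissions
    granted, and users creating >= burst_threshold apps inside burst_window."""
    findings = []
    by_user = defaultdict(list)
    for rec in records:
        by_user[_user(rec)].append(rec)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: _parse_time(r["activityDateTime"]))
        created = {}          # app id -> creation time, per user
        creation_times = []
        for rec in recs:
            when = _parse_time(rec["activityDateTime"])
            activity = rec.get("activityDisplayName")
            app_id, _ = _app(rec)
            if activity == CREATE:
                created[app_id] = when
                creation_times.append(when)
            elif activity == CREDENTIAL and app_id in created and when - created[app_id] <= credential_window:
                findings.append({"user": user, "app": app_id, "reason": "credential-added-after-creation",
                                 "minutes_after_creation": int((when - created[app_id]).total_seconds() // 60)})
            elif activity == ROLE_ASSIGN:
                granted = _granted_permissions(rec) & MAIL_PERMISSIONS
                if granted:
                    findings.append({"user": user, "app": app_id, "reason": "mail-permission-granted",
                                     "permissions": sorted(granted)})
        # Sliding window over this user's creation timestamps catches mass registration.
        for i, start in enumerate(creation_times):
            in_window = sum(1 for t in creation_times[i:] if t - start <= burst_window)
            if in_window >= burst_threshold:
                findings.append({"user": user, "reason": "app-creation-burst", "apps_in_window": in_window})
                break
    return findings


if __name__ == "__main__":
    print(json.dumps(hunt_oauth_app_abuse(SAMPLE_AUDIT_LOG), indent=2))
```

On real data, feed the function the JSON array returned by a Graph `auditLogs/directoryAudits` export (or a Log Analytics `AuditLogs` dump converted to the same keys); the thresholds are deliberately loose so legitimate admins who register one app and immediately add a secret are tuned out by raising `burst_threshold` or tightening `credential_window` to match your tenant's baseline.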