Security News > 2023 > December > Microsoft: OAuth apps used to automate BEC and cryptomining attacks

Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining.

Recent incidents investigated by Microsoft Threat Intelligence experts revealed that attackers mainly target user accounts that lack robust authentication mechanisms in phishing or password-spraying attacks, focusing on those with permissions to create or modify OAuth apps.

In separate instances, the attacker created multitenant OAuth apps for persistence, adding new credentials, and reading emails or sending phishing emails via the Microsoft Graph API. "At the time of analysis, we observed that threat actor created around 17,000 multitenant OAuth applications across different tenants using multiple compromised user accounts," Microsoft said.

"Based on the email telemetry, we observed that the malicious OAuth applications created by the threat actor sent more than 927,000 phishing emails. Microsoft has taken down all the malicious OAuth applications found related to this campaign, which ran from July to November 2023.".

The compromised accounts were then used to create new OAuth apps in the targeted organization, which enabled the attackers to send thousands of spam emails every day and, in some cases, months after the initial breach.

To defend against malicious actors misusing OAuth apps, Microsoft recommends using MFA to thwart credential stuffing and phishing attacks.

News URL

https://www.bleepingcomputer.com/news/security/microsoft-oauth-apps-used-to-automate-bec-and-cryptomining-attacks/