Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns
2023-12-13 13:40

Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially motivated attacks.

Microsoft Threat Intelligence has observed a number of attacks that started with attackers compromising poorly secured accounts that have permissions to create, modify, and grant high privileges to OAuth applications.

In one of the detected attacks, the attackers generated an OAuth application to deploy virtual machines used for cryptocurrency mining.

In another attack, after having created OAuth applications, the attackers started sending out phishing emails by leveraging an adversary-in-the-middle phishing kit.

Other instances saw the attackers creating multitenant OAuth applications to gain persistence, adding new credentials, creating inbox rules to move emails to the junk folder and mark them as read, and reading emails or sending phishing emails via the Microsoft Graph API.

[Figure: Attack chain for OAuth application misuse for phishing.]

While in these attacks OAuth apps are leveraged to maintain persistent access to compromised accounts and to extend the attacks, attackers have also been known to use seemingly verified third-party OAuth apps to gain access to O365 email accounts.
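The inbox-rule behavior described above (move mail to the junk folder and mark it as read) can be checked for on the defender side. The following is an added example, not code from the article or from Microsoft: it assumes rules have been exported as JSON shaped like Microsoft Graph `messageRule` objects, and the function name, rule names and folder IDs are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph messageRule objects
# (displayName, isEnabled, actions.moveToFolder, actions.markAsRead).
# Rule names and folder IDs are invented for this example.
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "FOLDER-ID-NEWS"}},
  {"displayName": ".", "isEnabled": true,
   "actions": {"moveToFolder": "FOLDER-ID-JUNK", "markAsRead": true,
               "stopProcessingRules": true}},
  {"displayName": "Mark vendor mail read", "isEnabled": true,
   "actions": {"markAsRead": true}},
  {"displayName": "old", "isEnabled": false,
   "actions": {"moveToFolder": "junkemail", "markAsRead": true}},
  {"displayName": "No actions", "isEnabled": true}
]
""")


def find_hiding_rules(rules, junk_folder_ids):
    """Return rules that both move mail to Junk and mark it as read.

    junk_folder_ids: the mailbox's Junk Email folder ID(s), resolved by the
    caller. The well-known name "junkemail" is also accepted (assumption:
    an export may carry the name instead of the ID).
    """
    junk = {f.lower() for f in junk_folder_ids} | {"junkemail"}
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}  # rules may have no actions
        target = str(actions.get("moveToFolder") or "").lower()
        if target in junk and actions.get("markAsRead") is True:
            findings.append({
                "rule": rule.get("displayName", "<unnamed>"),
                "enabled": bool(rule.get("isEnabled", False)),
                "folder": actions["moveToFolder"],
            })
    # Enabled rules first: those are hiding mail right now.
    return sorted(findings, key=lambda f: not f["enabled"])


if __name__ == "__main__":
    for finding in find_hiding_rules(SAMPLE_RULES, ["FOLDER-ID-JUNK"]):
        print(finding)
```

Disabled matches are still reported because a rule left behind after cleanup is evidence of the earlier compromise.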


News URL

https://www.helpnetsecurity.com/2023/12/13/abusing-oauth-applications/