Phishing remains the most effective method for infiltrating organizations, and it poses a threat to individuals and the largest companies alike. Microsoft has warned that Office 365 users are receiving phishing emails. The campaign is designed to trick users into granting OAuth permissions to a fake app that lets attackers read and write their email. Microsoft’s Security Intelligence team posted a warning to users on Twitter that attackers are sending OAuth phishing emails to hundreds of Microsoft Office 365 users. The likely malicious app, ‘Upgrade’, asks users for OAuth permissions that would allow attackers to read and write emails, create new inbox rules, view calendar items, and access the user’s contacts.
Victims would see a consent prompt on their device asking for various permissions, including reading or writing their files, emails, calendars and so on. To contain the damage, Microsoft deactivated the malicious app in Azure AD and warned all affected users.
The OAuth email phishing campaign was reported to the official Microsoft account on Twitter by a user with the handle @ffforward. According to @ffforward, the Upgrade app came from a verified publisher, Counselling Services Yuma PC. The same malicious app had earlier been offered to Microsoft Office 365 customers, but through an unverified account. Microsoft believes consent-phishing emails that misuse OAuth requests have grown over the past few years.
For those new to the term, consent phishing is the cybercriminal’s alternative to credential phishing. Instead of stealing passwords with fake login pages, attackers go after OAuth permissions: they use a genuine permission-request screen to lure the victim into granting a malicious cloud app access to the user’s legitimate cloud services. The consent screen lists every permission the malicious app will receive, but because the cloud service displaying it is legitimate, users suspect nothing and accept, granting the app the requested permissions. Consent phishing is a professional form of phishing that requires a comprehensive, multi-layered defense.
Microsoft also noted that this kind of attack does not involve stealing passwords, since the access tokens it yields do not require the user’s password. Attackers can then maintain persistence in the organization and explore further across the company’s network.
Attackers configure their apps to appear legitimate, registering them under trustworthy-sounding names such as “Settings4Enabler”, “Enable4Calc” and “SettingsEnabler”, which resemble business productivity app integrations. The cybercriminals then distribute OAuth URLs in email-based phishing attacks. When the user follows the URL, they are asked to grant the requested permissions. Once the user clicks “allow” or “accept”, the malicious app receives an authorization code that it redeems for an access token. That access token is then used to make API calls on behalf of the user, giving the attacker access to the user’s email, files, sensitive data, contacts, and forwarding rules.
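As an added example (not code from this post or from Microsoft), here is a small Python triage helper a mail gateway or analyst could run over an OAuth authorize link of the kind distributed in these emails: it parses the requested delegated scopes and flags the high-impact mailbox permissions described above. The scope names are real Microsoft Graph delegated permissions; the trusted redirect host list, client ID and sample link are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Hosts of the Microsoft identity platform authorize endpoint.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Microsoft Graph delegated scopes that let an app act on mail, inbox rules, calendar, contacts or files.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite",          # inbox and forwarding rules
    "Calendars.Read", "Calendars.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.ReadWrite", "Files.ReadWrite.All",
}

# Redirect hosts this (constructed) organisation treats as its own first-party apps.
TRUSTED_REDIRECT_HOSTS = {"app.example-corp.invalid"}


def assess_consent_url(url: str) -> dict:
    """Parse one link; return the requested scopes plus human-readable findings."""
    parsed = urlparse(url)
    if parsed.hostname not in AUTHORIZE_HOSTS or "/oauth2/" not in parsed.path:
        return {"is_consent_link": False, "scopes": [], "findings": []}
    qs = parse_qs(parsed.query)                     # percent-decodes the values
    scopes = qs.get("scope", [""])[0].split()       # scopes are space-separated
    findings = []
    risky = sorted(s for s in scopes if s in HIGH_IMPACT_SCOPES)
    if risky:
        findings.append("high-impact mailbox scopes requested: " + ", ".join(risky))
    if "offline_access" in scopes:
        # A refresh token keeps access alive without ever needing the password.
        findings.append("offline_access requested (long-lived refresh token)")
    redirect_host = urlparse(qs.get("redirect_uri", [""])[0]).hostname
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"authorization code delivered to untrusted host {redirect_host}")
    return {"is_consent_link": True, "client_id": qs.get("client_id", [""])[0],
            "scopes": scopes, "findings": findings}


# Constructed sample link: all-zero placeholder client ID and a .invalid redirect host.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupgrade-app.invalid%2Fcb"
    "&scope=openid%20Mail.ReadWrite%20MailboxSettings.ReadWrite%20Contacts.Read%20offline_access"
    "&prompt=consent"
)

if __name__ == "__main__":
    for finding in assess_consent_url(SAMPLE_LINK)["findings"]:
        print("FLAG:", finding)
```

Links that are not Microsoft authorize URLs are passed through unflagged, so the check complements rather than replaces ordinary URL filtering.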
For more news and updates, visit https://blog.excellimatrix.com/