Attackers Target Microsoft Accounts to Weaponize OAuth Apps

Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying.
The attackers also leverage the OAuth authentication standard to maintain access to applications even if they lose access to the initially compromised account, they said.
The researchers describe several attacks that abused OAuth in novel ways.
In most cases, a compromised account did not have multifactor authentication enabled, making it an easy target for attackers that used tactics like credential stuffing, phishing, and reverse proxy phishing to gain access to an account for malicious purposes.
Using and Abusing OAuth Microsoft Threat Intelligence researchers observed three specific attack types - cryptomining, business email compromise/phishing, and password spraying/spamming - that abused OAuth to conduct malicious activity in various ways.
In one vector employed by the threat actor that Microsoft tracks as Storm-1283, attackers used a compromised Azure user account to create an OAuth application and deploy virtual machines for cryptomining.
Targeted organizations incurred compute fees ranging from $10,000 to $1.5 million from the malicious activity, in which the attackers returned to the account to deploy more cryptomining VMs after setting up the initial attack.
Attackers also compromised user accounts to create OAuth applications for BEC and phishing attacks, with the researchers observing a threat actor compromising user accounts and creating OAuth applications to maintain persistence and launch email phishing activity.
In this vector, the attacker used an adversary-in-the-middle phishing kit to send a significant number of emails with varying subject lines and URLs to target user accounts in multiple organizations with a malicious URL that leads to a proxy server facilitating a genuine authentication process.
If a user takes the bait and logs in, the threat actor then stole the token from the user's session cookie and later used it to perform session cookie replay activity.
In other cases, instead of BEC reconnaissance, the threat actor created multitenant OAuth applications following its replay of stolen session cookies, using the apps to maintain persistence, add new credentials, and then access the Microsoft Graph API resource to read emails or send phishing emails.
In a third unique attack, a threat actor that Microsoft tracks as Storm-1286 conducted large-scale spamming activity through password-spraying attacks to compromised user accounts.
The attackers compromised user accounts to create anywhere from one to three new OAuth applications in the targeted organization using Azure PowerShell or a Swagger Codegen-based client, granting consent to the applications that allowed control over the account mailbox, according to Microsoft Threat Intelligence.
From there, the attacker would send thousands of emails a day using the compromised user account and the organization domain.
MFA and Other Mitigations OAuth, in use since 2007, presents risk to organizations for various reasons, and there are a number of ways attackers can abuse it.
Security researchers have found flaws in its implementation that have exposed key online services platform such as Booking.com and others to attack.
Others have used malicious OAuth apps of their creation to compromise Microsoft Exchange servers.
A key step for organizations to reduce their attack surface when OAuth is in use is primarily by securing their identity infrastructure, according to Microsoft.
Another is enabling security defaults in deployed Microsoft applications, such as Azure Active Directory.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 13 Dec 2023 19:00:06 +0000


Cyber News related to Attackers Target Microsoft Accounts to Weaponize OAuth Apps

Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com
Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
2 years ago Bleepingcomputer.com
Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
1 year ago Darkreading.com
Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
1 year ago Cybersecuritynews.com
Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns - Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. OAuth is an open standard authentication protocol that uses tokens to grant applications access to ...
1 year ago Helpnetsecurity.com Hunters
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
2 years ago Packetstormsecurity.com Lazarus Group
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts - Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. ...
2 years ago Thehackernews.com
Microsoft: OAuth apps used to automate BEC and cryptomining attacks - Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. OAuth is an open standard for granting apps secure delegated access to server ...
1 year ago Bleepingcomputer.com
Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register - Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to ...
1 year ago Go.theregister.com
Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts - Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials. The attacks are similar to those reported years ago, indicating that OAuth apps ...
2 months ago Bleepingcomputer.com
Five best practices for securing Active Directory service accounts - Windows Active Directory (AD) service accounts are prime cyber-attack targets due to their elevated privileges and automated/continuous access to important systems. To support software-specific functions, service accounts require elevated permissions ...
3 months ago Bleepingcomputer.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
Latest Information Security and Hacking Incidents - User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field. OAuth is a widely used authentication ...
1 year ago Cysecurity.news
CISA Warns of Compromised Microsoft Accounts - CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as ...
1 year ago Securityboulevard.com APT29
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
1 year ago Bleepingcomputer.com APT29
What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
1 year ago Feeds.dzone.com
Microsoft Shares New Guidance in the Wake of 'Midnight Blizzard' Cyberattack - Microsoft has released new guidance for organizations on how to protect against persistent nation-state attacks like the one disclosed a few days ago that infiltrated its own corporate email system. A key focus of the guidance is on what ...
1 year ago Darkreading.com Cozy Bear
Microsoft: Legacy account hacked by Russian APT had no MFA - Microsoft said the legacy test tenant account hacked by Russian nation-state threat actors this month did not have MFA enabled. According to the initial disclosure, the account compromised was a legacy, non-production test tenant account that threat ...
1 year ago Techtarget.com
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
2 years ago Hackread.com Everest
Threat Actors Exploit Microsoft Verified Publisher Status to Abuse OAuth Privileges - Researchers from cybersecurity firm Proofpoint have discovered a new threat campaign involving malicious third-party OAuth apps that are used to infiltrate organizations cloud environments. Threat actors abused Microsofts Verified publisher status, ...
2 years ago Csoonline.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
1 year ago Cysecurity.news
Malicious Android 'Vapor' apps on Google Play installed 60 million times - Although all of these apps have since been removed from Google Play, there's a significant risk that Vapor will return through new apps as the threat actors have already demonstrated the ability to bypass Google's review process. Bitdefender ...
2 months ago Bleepingcomputer.com
CVE-2025-4143 - The OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration. ...
4 weeks ago
Microsoft disrupts credentials marketplace, warns of gift card fraud, OAuth abuse - After a relatively quiet final Patch Tuesday of 2023, Microsoft published warnings this week about the potential for gift card fraud and hackers abusing a popular authentication technology. Alongside the warnings, Microsoft said it recently used a ...
1 year ago Therecord.media
An Overview of OAuth Explaining the Basics of Open Authorization - OAuth is an open standard authorization framework that enables users to securely share account information with third-party services, such as Facebook and Google, without having to reveal their credentials. It was first released in 2007 for the ...
2 years ago Heimdalsecurity.com