Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, Microsoft says the threat actors posed as legitimate companies to enroll and successfully be verified as that company in the MCPP. The threat actors used these accounts to register verified OAuth apps in Azure AD for consent phishing attacks targeting corporate users in the UK and Ireland. Microsoft says the malicious OAuth apps were used to steal customers emails. Proofpoint warned that the apps permissions could have allowed them to access calendars and meeting information and modify user permissions. Typically, this information is used for cyberespionage, BEC attacks, or to gain further access to internal networks. Proofpoint disclosed the malicious campaign on December 15, 2022, with Microsoft soon shutting down all fraudulent accounts and OAuth apps. Microsoft has disabled the threat actor-owned applications and accounts to protect customers and have engaged our Digital Crimes Unit to identify further actions that may be taken with this particular threat actor, reads the announcement. We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future. Microsoft has contacted all impacted organizations and warned that they should conduct a thorough internal investigation to verify that the suspicious applications have been disabled from their environment. BleepingComputer has contacted Microsoft to learn more about the attacks and how they are improving the MCPP vetting process, but a response was not immediately available. OAuth applications allow third-party applications to gain permission to access the data in a users cloud account to perform a specific action, such as generating calendar events or scanning emails for malware. Instead of logging into an OAuth application with a users credentials, they are registered with Azure AD and can be granted requested permissions on a users account. These permissions can be easily revoked without changing a users credentials if necessary. Over the past few years, malicious threat actors have used OAuth apps in consent phishing attacks to access targeted organizations Office 365 and Microsoft 365 cloud data. To further protect customers, Microsoft allows developers to become verified publishers, meaning Microsoft has verified their identity. OAuth apps that a verified partner creates have a blue check in the Azure Active Directory consent prompt, indicating that this application is more trustworthy. According to a Proofpoint report released today, researchers explained that the threat actors switched from trying to compromise existing Microsoft-verified publisher accounts and instead impersonated credible publishers to become verified themselves. The threat actors impersonated other companies by using a similar display name to an existing verified publisher but hid the Verified publisher name, which was different, as changing that would require re-verification with Microsoft. They also linked to the legitimate companys Terms of service and Policy statement web pages to add further legitimacy to their apps and identity. Proofpoint identified three malicious OAuth apps from three verified publishers, all targeting the same organizations and communicating with the same attacker-controlled infrastructure. According to our analysis, this campaign appeared to target mainly UK-based organizations and users. Among the affected users were financial and marketing personnel, as well as high-profile users such as managers and executives, says Proofpoint. Proofpoint saw evidence of multiple users impacted by the attacks, resulting in the compromise of their organizations. The campaign spanned between December 6, 2022, and December 27, 2022, when Microsoft disabled all malicious applications. In January 2022, we covered a similar campaign discovered by Proofpoint, where threat actors abused previously compromised verified publisher accounts to create trustworthy OAuth apps with which they targeted company executives. Microsoft has published a detailed guide on how users can protect themselves against these attacks and the recommended practices to prevent them in the first place.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 31 Jan 2023 15:14:02 +0000