Microsoft Disables Verified Partner Accounts Used for OAuth Phishing

Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, Microsoft says the threat actors posed as legitimate companies to enroll and successfully be verified as that company in the MCPP. The threat actors used these accounts to register verified OAuth apps in Azure AD for consent phishing attacks targeting corporate users in the UK and Ireland. Microsoft says the malicious OAuth apps were used to steal customers emails. Proofpoint warned that the apps permissions could have allowed them to access calendars and meeting information and modify user permissions. Typically, this information is used for cyberespionage, BEC attacks, or to gain further access to internal networks. Proofpoint disclosed the malicious campaign on December 15, 2022, with Microsoft soon shutting down all fraudulent accounts and OAuth apps. Microsoft has disabled the threat actor-owned applications and accounts to protect customers and have engaged our Digital Crimes Unit to identify further actions that may be taken with this particular threat actor, reads the announcement. We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future. Microsoft has contacted all impacted organizations and warned that they should conduct a thorough internal investigation to verify that the suspicious applications have been disabled from their environment. BleepingComputer has contacted Microsoft to learn more about the attacks and how they are improving the MCPP vetting process, but a response was not immediately available. OAuth applications allow third-party applications to gain permission to access the data in a users cloud account to perform a specific action, such as generating calendar events or scanning emails for malware. Instead of logging into an OAuth application with a users credentials, they are registered with Azure AD and can be granted requested permissions on a users account. These permissions can be easily revoked without changing a users credentials if necessary. Over the past few years, malicious threat actors have used OAuth apps in consent phishing attacks to access targeted organizations Office 365 and Microsoft 365 cloud data. To further protect customers, Microsoft allows developers to become verified publishers, meaning Microsoft has verified their identity. OAuth apps that a verified partner creates have a blue check in the Azure Active Directory consent prompt, indicating that this application is more trustworthy. According to a Proofpoint report released today, researchers explained that the threat actors switched from trying to compromise existing Microsoft-verified publisher accounts and instead impersonated credible publishers to become verified themselves. The threat actors impersonated other companies by using a similar display name to an existing verified publisher but hid the Verified publisher name, which was different, as changing that would require re-verification with Microsoft. They also linked to the legitimate companys Terms of service and Policy statement web pages to add further legitimacy to their apps and identity. Proofpoint identified three malicious OAuth apps from three verified publishers, all targeting the same organizations and communicating with the same attacker-controlled infrastructure. According to our analysis, this campaign appeared to target mainly UK-based organizations and users. Among the affected users were financial and marketing personnel, as well as high-profile users such as managers and executives, says Proofpoint. Proofpoint saw evidence of multiple users impacted by the attacks, resulting in the compromise of their organizations. The campaign spanned between December 6, 2022, and December 27, 2022, when Microsoft disabled all malicious applications. In January 2022, we covered a similar campaign discovered by Proofpoint, where threat actors abused previously compromised verified publisher accounts to create trustworthy OAuth apps with which they targeted company executives. Microsoft has published a detailed guide on how users can protect themselves against these attacks and the recommended practices to prevent them in the first place.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 31 Jan 2023 15:14:02 +0000


Cyber News related to Microsoft Disables Verified Partner Accounts Used for OAuth Phishing

Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
1 year ago Bleepingcomputer.com
Data thieves abuse Microsoft's 'verified publisher' status The Register - Miscreants using malicious OAuth applications abused Microsoft's "Verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings. According to researchers with ...
1 year ago Packetstormsecurity.com
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
9 months ago Microsoft.com
Attackers Target Microsoft Accounts to Weaponize OAuth Apps - Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying. ...
9 months ago Darkreading.com
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts - Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. ...
1 year ago Thehackernews.com
Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns - Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks. OAuth is an open standard authentication protocol that uses tokens to grant applications access to ...
9 months ago Helpnetsecurity.com
Microsoft notifies UK customers affected by hackers abusing 'verified publisher' tag - Microsoft said it has notified customers impacted by a campaign that involved the abuse of the company's "Verified publisher" status to allow access to a victim's cloud environments. Accounts can gain verified publisher status when an app publisher ...
1 year ago Therecord.media
Microsoft: OAuth apps used to automate BEC and cryptomining attacks - Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. OAuth is an open standard for granting apps secure delegated access to server ...
9 months ago Bleepingcomputer.com
Hackers Abuse OAuth Applications to Automated Finacial Attacks - OAuth is an industry-standard protocol that allows third-party applications to access a user's data without exposing login credentials. This standard protocol facilitates secure authorization and authentication, commonly used to access resources on ...
9 months ago Cybersecuritynews.com
Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
8 months ago Techrepublic.com
What SOCs Need to Know About Water Dybbuk - According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail ...
1 year ago Trendmicro.com
Money-grubbing crooks abuse OAuth apps for BEC, phishing The Register - Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes - such as business email compromise, phishing, large-scale spamming campaigns - and deploying virtual machines to illicitly mine for cryptocurrencies, according to ...
9 months ago Go.theregister.com
What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
9 months ago Feeds.dzone.com
CISA Warns of Compromised Microsoft Accounts - CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as ...
5 months ago Securityboulevard.com
Hackers Flood Dark Web Markets With Hijacked X Gold accounts - In the age of social media, verification badges hold significant power. On Twitter, the coveted blue tick signifies legitimacy and influence, commanding increased trust and engagement from followers. With the platform's recent monetization of ...
9 months ago Cybersecuritynews.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
10 months ago Microsoft.com
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
8 months ago Bleepingcomputer.com
Threat Actors Exploit Microsoft Verified Publisher Status to Abuse OAuth Privileges - Researchers from cybersecurity firm Proofpoint have discovered a new threat campaign involving malicious third-party OAuth apps that are used to infiltrate organizations cloud environments. Threat actors abused Microsofts Verified publisher status, ...
1 year ago Csoonline.com
Own Company Unveils New Channel Partner Program - Own Company, a leading SaaS data platform, today announced the launch of a global Channel Partner Program aimed at empowering resellers and system integrators to proactively prevent their customers from losing mission-critical data and metadata. With ...
8 months ago Itsecurityguru.org
Flipping the BEC funnel: Phishing in the age of GenAI - For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic email and fire it out to thousands of recipients in the hope that a few might take the bait. Common among these new techniques was a shift towards ...
8 months ago Helpnetsecurity.com
Microsoft Shares New Guidance in the Wake of 'Midnight Blizzard' Cyberattack - Microsoft has released new guidance for organizations on how to protect against persistent nation-state attacks like the one disclosed a few days ago that infiltrated its own corporate email system. A key focus of the guidance is on what ...
8 months ago Darkreading.com
Latest Information Security and Hacking Incidents - User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field. OAuth is a widely used authentication ...
9 months ago Cysecurity.news
Combat Phishing Attacks With AI-Powered Threat Protection - According to statistics, 81% of organizations have seen an increase in phishing emails since 2020, with an estimated 3.4 billion emails sent every day. AI-generated phishing emails are a sophisticated and evolving cybersecurity threat. ...
8 months ago Gbhackers.com
Fake and Stolen X Gold Accounts Flood Dark Web - A surge of fake or stolen X Gold accounts has been flooding marketplaces and forums both on the surface web and the dark web over the past year, according to CloudSEK. Threat actors have used multiple techniques to forge or steal X Gold accounts ...
9 months ago Infosecurity-magazine.com
Microsoft Adds Face Check to Entra Verified ID - Microsoft has added facial matching to its Entra Verified ID service, which lets organizations create and issue verifiable credentials to validate claims such as employment, education, certifications, and residence. The new Face Check feature is ...
8 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)