Researchers from the cybersecurity firm Proofpoint have discovered a new threat campaign in which malicious third-party OAuth apps are used to infiltrate organizations' cloud environments. The threat actors abused Microsoft's "verified publisher" status and employed brand abuse, app impersonation and other social engineering tactics to lure users into authorizing the malicious apps. The potential impacts of the campaign include data exfiltration and mailbox abuse. The campaign mainly targeted UK-based organizations and users. Microsoft has since disabled the malicious applications and continues to investigate the attack.

Threat actors recognize the value of verified status in the Microsoft environment for abusing OAuth privileges: it increases the probability of tricking users into granting consent when a malicious third-party OAuth app requests access to data reachable through a user's account. Data exfiltration, mailbox abuse and brand abuse are among the risks associated with the campaign. Where users granted consent, the default delegated permissions requested by the malicious applications allowed the threat actors to access and manipulate mailbox resources, calendars and meeting invitations linked to the compromised users' accounts.

Businesses and users should be cautious when granting access to third-party OAuth apps, even those verified by Microsoft. Organizations should carefully weigh the risks and benefits of granting access to third-party apps and restrict user consent to apps with verified publishers and low-risk delegated permissions. GitHub repositories were also compromised by stolen OAuth tokens. Organizations should take automated remediation actions, such as revoking malicious OAuth apps from their cloud environment, to reduce the threat actors' dwell time and prevent most post-access risks.
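A defender-side check for the consent policy recommended above (verified publisher plus low-risk delegated permissions), written here as an added example rather than code from Proofpoint or Microsoft; the grant record shape is modelled loosely on Microsoft Graph's oauth2PermissionGrant and servicePrincipal objects (an assumption) and the sample grants are constructed.

```python
"""Triage OAuth consent grants against a "verified publisher + low-risk delegated
permissions" policy.  Record shape loosely follows Microsoft Graph's
oauth2PermissionGrant / servicePrincipal objects (an assumption); samples are constructed."""
from dataclasses import dataclass

# Delegated scopes generally treated as low impact (sign-in and basic profile).
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read", "offline_access"}
# Scopes that reach mailbox and calendar data, including meeting invitations.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                  "Calendars.Read", "Calendars.ReadWrite"}

@dataclass
class ConsentGrant:
    app_display_name: str
    client_id: str            # service principal object id (constructed values below)
    verified_publisher: bool  # True when servicePrincipal.verifiedPublisher is set
    consent_type: str         # "AllPrincipals" (admin consent) or "Principal" (user consent)
    scope: str                # space-separated delegated scopes, as Graph returns them

def triage(grant: ConsentGrant) -> dict:
    """Verdict plus the reasons a reviewer should see.  Policy: user consent is
    acceptable only for verified publishers requesting low-risk scopes; mailbox or
    calendar access is flagged even with the badge, since the badge itself was abused."""
    scopes = set(grant.scope.split())
    reasons = []
    if not grant.verified_publisher:
        reasons.append("publisher not verified")
    high = sorted(scopes & MAILBOX_SCOPES)
    if high:
        reasons.append("mailbox/calendar scopes: " + ", ".join(high))
    unknown = sorted(scopes - LOW_RISK_SCOPES - MAILBOX_SCOPES)
    if unknown:
        reasons.append("non-low-risk scopes: " + ", ".join(unknown))
    if grant.consent_type == "Principal" and reasons:
        reasons.append("granted by end-user consent, not admin")
    return {"app": grant.app_display_name, "client_id": grant.client_id,
            "verdict": "flag" if reasons else "allow", "reasons": reasons}

# Constructed sample grants, not real tenant data.
SAMPLE_GRANTS = [
    ConsentGrant("Example App A", "sp-0001", True, "Principal", "openid profile User.Read"),
    ConsentGrant("Example App B", "sp-0002", True, "Principal",
                 "openid offline_access Mail.ReadWrite Calendars.ReadWrite"),
    ConsentGrant("Example App C", "sp-0003", False, "Principal", "User.Read Mail.Read"),
]

def run() -> list:
    """Triage every sample grant; flagged ones are candidates for consent revocation."""
    return [triage(g) for g in SAMPLE_GRANTS]
```

Calling run() returns one verdict per grant; in a real tenant the flagged entries would be the input to the automated revocation the article recommends.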
This Cyber News was published on www.csoonline.com. Publication date: Tue, 31 Jan 2023 12:05:02 +0000