Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks.
Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity.
The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account.
In attacks observed by Microsoft Threat Intelligence, threat actors launched phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications.
The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines for cryptocurrency mining, establish persistence following business email compromise, and launch spamming activity using the targeted organization's resources and domain name.
Microsoft continuously tracks attacks that misuse OAuth applications for a wide range of malicious activity.
Microsoft observed the threat actor tracked as Storm-1283 using a compromised user account to create an OAuth application and deploy VMs for cryptomining.
The actor also leveraged existing line-of-business OAuth applications that the compromised user account had access to in the tenant by adding an additional set of credentials to those applications.
Microsoft Threat Intelligence analysts were able to detect the threat actor's actions and worked with the Microsoft Entra team to block the OAuth applications that were part of this attack.
In another attack observed by Microsoft, a threat actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing activity.
Later, to maintain persistence and carry out malicious actions, the threat actor created an OAuth application using the compromised user account.
In other cases, instead of performing BEC reconnaissance, the threat actor created multitenant OAuth applications following the stolen session cookie replay activity.
The threat actor used the OAuth applications to maintain persistence, add new credentials, and then access Microsoft Graph API resources to read emails or send phishing emails.
At the time of analysis, we observed that the threat actor had created around 17,000 multitenant OAuth applications across different tenants using multiple compromised user accounts.
Based on the email telemetry, we observed that the malicious OAuth applications created by the threat actor sent more than 927,000 phishing emails.
Microsoft also observed large-scale spamming activity through OAuth applications by a threat actor tracked as Storm-1286.
In some cases, the actor waited for months after the initial access and setting up of OAuth applications before starting the spam activity using the applications.
In previous large-scale spam activities, we observed threat actors attempting to compromise admin accounts without MFA and create new LOB applications with high administrative permissions to abuse Microsoft Exchange Online and spread spam.
While the actor's activity was then limited by actions taken by Microsoft Threat Intelligence, such as blocking clusters of the OAuth applications, Storm-1286 continues to try new ways to set up a similar high-scale spamming platform in victim organizations by using non-privileged users.
App governance is an add-on to Microsoft Defender for Cloud Apps, which can detect malicious OAuth applications that perform sensitive Exchange Online administrative activities, along with other threat detection alerts.
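The two patterns described above (a compromised account creating an app and granting it high-privilege Graph permissions, and new credentials being added to an existing line-of-business app) can be correlated from audit events. The following is an added detection sketch, not Microsoft's or app governance's own logic; the record shape, field names, app ids and actors are constructed for the example, and the activity strings are only modelled on Entra ID audit activity names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Graph permissions whose grant to a freshly created or re-credentialed app warrants review.
HIGH_RISK_SCOPES = {"Mail.Send", "Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All"}
SETUP_ACTIVITIES = {"Add application", "Add service principal credentials"}
GRANT_ACTIVITY = "Add app role assignment to service principal"

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_suspicious_apps(events, privileged_apps=frozenset(), window=timedelta(hours=24)):
    """Return {app_id: reason} for (1) the same actor creating an app or adding credentials
    and, within `window`, granting it a high-risk permission, and (2) credentials being
    added to an app already known to hold high-risk permissions (the existing LOB app case)."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app_id"]].append(e)
    findings = {}
    for app_id, evs in by_app.items():
        evs.sort(key=_ts)
        for setup in (e for e in evs if e["activity"] in SETUP_ACTIVITIES):
            if setup["activity"] == "Add service principal credentials" and app_id in privileged_apps:
                findings[app_id] = f"new credential on privileged app by {setup['actor']}"
                break
            for grant in (e for e in evs if e["activity"] == GRANT_ACTIVITY):
                risky = set(grant.get("scopes", ())) & HIGH_RISK_SCOPES
                delta = _ts(grant) - _ts(setup)
                if risky and grant["actor"] == setup["actor"] and timedelta(0) <= delta <= window:
                    findings[app_id] = (f"{setup['activity']} by {setup['actor']}, then "
                                        f"{sorted(risky)} granted {delta} later")
    return findings

# Constructed sample records; a simplified stand-in for an audit-log export (assumption).
SAMPLE_EVENTS = [
    {"time": "2023-12-01T08:00:00", "actor": "alice", "app_id": "app-a", "activity": "Add application"},
    {"time": "2023-12-01T08:05:00", "actor": "alice", "app_id": "app-a", "activity": GRANT_ACTIVITY, "scopes": ["Mail.Send"]},
    {"time": "2023-12-01T09:00:00", "actor": "bob", "app_id": "lob-crm", "activity": "Add service principal credentials"},
    {"time": "2023-12-01T10:00:00", "actor": "carol", "app_id": "app-c", "activity": "Add application"},
    {"time": "2023-12-01T10:01:00", "actor": "carol", "app_id": "app-c", "activity": GRANT_ACTIVITY, "scopes": ["User.Read"]},
    {"time": "2023-12-01T11:00:00", "actor": "dave", "app_id": "app-d", "activity": "Add application"},
    {"time": "2023-12-06T11:00:00", "actor": "dave", "app_id": "app-d", "activity": GRANT_ACTIVITY, "scopes": ["Mail.Read"]},
]

if __name__ == "__main__":
    # "lob-crm" stands in for an existing line-of-business app that already holds mail permissions.
    for app, reason in find_suspicious_apps(SAMPLE_EVENTS, {"lob-crm"}).items():
        print(app, "->", reason)
```

Only app-a (created and granted Mail.Send by the same account minutes apart) and lob-crm (new credential on an already privileged app) are flagged; app-c receives only a low-risk scope and app-d's grant falls outside the correlation window.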
This Cyber News was published on www.microsoft.com. Publication date: Wed, 13 Dec 2023 17:43:24 +0000