According to Proofpoint, the campaign targeted a UK company with a malicious authentication app
Prajit Nair (@prajeetspeaks)
January 31, 2023
Cybercriminals abused the verification process of Microsoft-certified authenticator apps to gain access to the inboxes of financial and marketing firms.
Security researchers at Proofpoint found that a campaign operating in the UK in December 2022 relied on three malicious OAuth apps that carried Microsoft's blue "Verified Publisher" badge.
Microsoft says it has disabled the rogue apps and notified affected customers whose emails were stolen. The attackers impersonated legitimate companies and in two cases registered with Microsoft typosquatted domains that resembled those of legitimate companies and used the .events top-level domain.
The computing giant calls these "consent phishing" attacks: they trick users into granting permissions to malicious apps.
"They are less likely to be detected than traditional targeted phishing and brute force attacks. Organizations typically use verified OAuth apps to weaken defense-in-depth controls against threat actors," Proofpoint said.
According to Proofpoint, the permissions the attackers sought included access to email and calendars. Threat actors may intend to use legitimate inbox access to gather financial data and conduct business email compromise attacks. In May 2022, the FBI warned that business email compromise through account compromise or impersonation is a growing threat. Between June 2016 and December 2021, businesses around the world lost $43 billion to the scam, according to the FBI.
OAuth is a standard that uses a third-party authorization server, such as Microsoft, as an intermediary between users and providers of online resources such as websites that require logons. The system was born as a way to minimize the number of apps that require dedicated credentials, relieving users of the burden of remembering yet another password and app providers of the burden of protecting users' passwords.
Malicious OAuth applications are a constant threat, as their security depends on the trustworthiness of authorization servers.
Instead of logon credentials, OAuth issues tokens that websites accept as the equivalent of a valid password. The system also provides a "refresh" token so the user can maintain access without going through the authentication process again. According to Proofpoint, the refresh tokens issued in this campaign were set to last for one year.
Microsoft’s issuer verification mechanism is intended to ensure that OAuth apps come from legitimate sources, but this guarantee is not always honored. The computing giant says it has “implemented several additional security measures” to improve its vetting process.
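As an added example, not code from the article or from Proofpoint or Microsoft, the following Python triage reviews OAuth consent grants for the traits described above: mailbox and calendar scopes, a refresh token granted by an end user, and a publisher domain that resembles a trusted one, while treating the verified-publisher badge as no reason to skip review. The grant fields, the trusted-domain list and the sample grants are constructed assumptions; the scope names are Microsoft Graph delegated permission names.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Delegated Microsoft Graph permission names that give an app the inbox and
# calendar reach described above; "offline_access" is the scope that causes a
# refresh token to be issued. Treating these as high risk is a local policy choice.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Calendars.Read", "Calendars.ReadWrite", "offline_access"}

@dataclass(frozen=True)
class AppGrant:
    """One consent grant; the field names are an assumption, not Graph's schema."""
    app_name: str
    publisher_domain: str
    verified_publisher: bool
    scopes: frozenset
    consented_by: str  # "user" or "admin"

def resembles_trusted(domain, trusted, threshold=0.8):
    """Return the trusted domain whose label this one resembles but does not match."""
    label = domain.split(".")[0].lower()
    for t in trusted:
        tlabel = t.split(".")[0].lower()
        if label != tlabel and SequenceMatcher(None, label, tlabel).ratio() >= threshold:
            return t
    return None

def triage(grant, trusted_domains):
    """List reasons a grant deserves review; an empty list means nothing was flagged."""
    findings = []
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append("mailbox/calendar scopes: " + ", ".join(sorted(risky)))
    if "offline_access" in risky and grant.consented_by == "user":
        findings.append("end user consented to a long-lived refresh token")
    lookalike = resembles_trusted(grant.publisher_domain, trusted_domains)
    if lookalike:
        findings.append(f"publisher domain resembles {lookalike}")
    if grant.verified_publisher and findings:
        findings.append("verified-publisher badge present; review anyway")
    return findings

# Constructed sample grants, not data from the campaign described in the article.
TRUSTED = ["example-vendor.com"]
SAMPLE_GRANTS = [
    AppGrant("Mail Sync", "examp1e-vendor.events", True,
             frozenset({"Mail.ReadWrite", "Calendars.ReadWrite", "offline_access"}), "user"),
    AppGrant("Team Wiki", "example-vendor.com", True, frozenset({"User.Read"}), "admin"),
]
```

Running `triage(SAMPLE_GRANTS[0], TRUSTED)` returns four findings for the look-alike app, while the second grant returns an empty list.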
Proofpoint reported the attack to Microsoft on December 20th, and the campaign ended on December 27th.