Tuesday, May 28, 2024

Hackers Abuse Microsoft’s ‘Verified Publisher’ OAuth Apps to Hack Organizations Cloud

Multiple fraudulent Microsoft Partner Network accounts were discovered to have created harmful OAuth applications, causing breaches in organizations’ cloud environments and leading to the theft of emails. As a result, Microsoft has taken action and disabled these verified accounts.

Microsoft and Proofpoint announced a joint statement revealing that some malicious actors had managed to impersonate legitimate companies and gain verification as those companies in the MCPP.

Cybercriminals utilized these accounts to establish legitimate OAuth applications in Azure Active Directory, with the aim of tricking corporate employees in the UK and Ireland through consent phishing attacks.

Technical Analysis

The malicious OAuth applications had malicious intent, they were specifically designed to steal sensitive information from unsuspecting customers. In this case, the target was the customers’ email addresses. 

These email addresses were likely collected and used for phishing or spamming purposes, or could even be sold on the dark web to other malicious actors.

The app’s excessive permissions might have opened up the possibility for unauthorized access to calendars, meeting information, and modifications to user permissions.

Cybercriminals often exploit this information for the following illicit activities:-

  • Cyberespionage
  • BEC attacks
  • Gain deeper access to internal networks

On December 15, 2022, Proofpoint brought to light a malicious campaign, prompting Microsoft to swiftly shut down all the deceptive accounts and OAuth applications involved.

Following the discovery, the company promptly notified impacted customers through email, stating that the malicious actors leveraged the compromised consent to steal data from email accounts.

Microsoft detected that to enhance credibility, malicious actors have utilized several tactics to deceive individuals by pretending to be reputable organizations.

The presence of malicious apps registered by the threat actors with “publisher verified” status implies that through the MPN process, they successfully passed the authentication.

Proofpoint was informed by Microsoft that altering the publisher name linked to their MPN account necessitates going through the re-verification process.

Having obtained a verified publisher ID, malicious actors incorporated links in each application that direct to the site of the organization being impersonated, under the guise of “terms of service” and “policy statement”.

Impersonation of Popular Apps

Cybercriminals, posing as legitimate verified publishers, are exploiting the popularity of apps like Single-Sign-On (SSO) to deceive victims by utilizing:- 

  • Duplicated app icons
  • Duplicated app names
  • Reply-to URLs

The application consent screen is connected to personalized “.html” and “.htm” files which are used to spread the request for authorization.

A blue check in the Azure Active Directory (Azure AD) consent prompt serves as an indicator of trustworthiness for OAuth applications created by a verified partner.

Of the three applications, two were labeled “Single Sign On (SSO)” and the third was referred to as “Meeting.” All three requested access to the following permissions:-

  • User.Read
  • email
  • offline_access
  • profile
  • openid
  • Mail.Read
  • MailboxSettings.Read
  • Calendars.read
  • Onlinemeetings.read
  • Mail.send

Sadly, multiple organizations have suffered from attacks, with Proofpoint discovering evidence of affected users. The malicious campaign took place between December 6, 2022 and December 27, 2022, when it was finally brought to a halt by Microsoft. 

During this period, the attackers used various malicious applications to carry out their attacks, but Microsoft was able to detect and disable all of them, effectively stopping the campaign. 

The use of fake OAuth applications to target Microsoft’s cloud services is not a new phenomenon. In fact, this has been a recurring issue, with malicious actors frequently exploiting the trust associated with these apps to gain access to sensitive information and carry out their attacks. 

This highlights the importance of being cautious when granting access to third-party apps and verifying their authenticity, as well as the need for Microsoft to continually improve its security measures to protect its users and prevent these types of attacks from happening.

Network Security Checklist – Download Free E-Book


Latest articles

Researchers Exploited Nexus Repository Using Directory Traversal Vulnerability

Hackers target and exploit GitHub repositories for a multitude of reasons and illicit purposes.The...

DDNS Service In Fortinet Or QNAP Embedded Devices Exposes Sensitive Data, Researchers Warn

Hackers employ DNS for various purposes like redirecting traffic to enable man-in-the-middle attacks, infecting...

PoC Exploit Released For macOS Privilege Escalation Vulnerability

A new vulnerability has been discovered in macOS Sonoma that is associated with privilege...

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS)...

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles