Hackers Abuse Microsoft’s ‘Verified Publisher’ OAuth Apps to Hack Organizations’ Cloud

Multiple fraudulent Microsoft Partner Network (MPN) accounts were found to have registered malicious OAuth applications that breached organizations’ cloud environments and led to the theft of email data. Microsoft has since disabled the verified accounts and the applications.

Microsoft and Proofpoint disclosed that threat actors had impersonated legitimate companies and obtained verified status as those companies in the Microsoft Cloud Partner Program (MCPP, formerly MPN).

The actors used these accounts to register legitimate-looking OAuth applications in Azure Active Directory and aimed them at corporate employees in the UK and Ireland through consent phishing.

Technical Analysis

The malicious OAuth applications were built to steal sensitive data from the users who consented to them. The Mail.Read permission they requested grants read access to the consenting user’s mailbox, so the data at risk was the content of users’ email and the addresses it contains, not merely a list of addresses.

Such data is useful for follow-on phishing or spam, and can be sold on to other malicious actors.

The apps’ excessive permissions also exposed calendars, online-meeting information and mailbox settings, and, because Mail.Send was among the requested scopes, allowed the apps to send mail as the consenting user.

Cybercriminals commonly use this kind of access for the following illicit activities:-

  • Cyberespionage
  • BEC attacks
  • Gain deeper access to internal networks

Proofpoint identified the malicious campaign on December 15, 2022, prompting Microsoft to shut down all the deceptive accounts and OAuth applications involved.

Microsoft then notified affected customers by email, stating that the malicious actors had used the consent users granted to steal data from their email accounts.

Microsoft observed that, to build credibility, the actors used several tactics to pose as reputable organizations.

The malicious apps carried “publisher verified” status, which means the actors’ accounts had passed Microsoft’s MPN publisher verification process.

Microsoft told Proofpoint that changing the publisher name associated with an MPN account requires going through re-verification.

Once they held a verified publisher ID, the actors added links in each application, labeled “terms of service” and “policy statement”, that pointed to the website of the organization being impersonated.

Impersonation of Popular Apps

Posing as legitimate verified publishers, the actors mimicked widely used app categories such as single sign-on (SSO) to deceive victims, using:- 

  • Duplicated app icons
  • Duplicated app names
  • Reply URLs (the OAuth redirect URIs)

The link to the application’s consent screen was delivered through custom “.html” and “.htm” files, which carried the authorization request to the target.

A blue check in the Azure Active Directory (Azure AD) consent prompt indicates that the OAuth application was created by a verified partner. The badge attests only that the publisher’s MPN account passed verification; it says nothing about what the application does with the permissions it requests.

Of the three applications, two were named “Single Sign On (SSO)” and the third “Meeting.” All three requested the following delegated permissions (scopes):-

  • User.Read
  • email
  • offline_access
  • profile
  • openid
  • Mail.Read
  • MailboxSettings.Read
  • Calendars.Read
  • OnlineMeetings.Read
  • Mail.Send
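The scope list above, together with the consent links delivered through .html/.htm files, gives a defender two concrete things to check: what a suspect consent link actually asks for, and which existing consent grants in a tenant already carry this combination of mailbox scopes plus offline_access (the refresh token that keeps access alive after the single consent click). The following Python is an added example written for this article, not Proofpoint’s or Microsoft’s code. The sample grant records are constructed to resemble Microsoft Graph servicePrincipal and oauth2PermissionGrant objects; the field names, app IDs and publisher IDs are assumptions for illustration, not a real tenant export.

```python
"""Triage Azure AD consent grants and consent-phishing links for the
pattern described in the article (mailbox scopes + offline_access from an
unfamiliar verified publisher). Added example; sample data is constructed."""
from urllib.parse import urlparse, parse_qs

# Delegated Graph scopes the malicious apps requested that expose mailbox data.
MAILBOX_SCOPES = {"Mail.Read", "Mail.Send", "MailboxSettings.Read",
                  "Calendars.Read", "OnlineMeetings.Read"}
# offline_access yields a refresh token: access persists long after consent.
PERSISTENCE_SCOPES = {"offline_access"}
# Display-name lures the campaign used (from the article), lower-cased.
LURE_NAMES = ("single sign on", "sso", "meeting")
GRAPH_PREFIX = "https://graph.microsoft.com/"


def normalize_scope(scope: str) -> str:
    """Make 'https://graph.microsoft.com/Mail.Read' and 'Mail.Read' compare equal."""
    return scope[len(GRAPH_PREFIX):] if scope.startswith(GRAPH_PREFIX) else scope


def scopes_from_consent_url(url: str) -> set[str]:
    """Extract the requested scopes from an Azure AD /authorize link,
    i.e. the link a consent-phishing page sends the victim to."""
    query = parse_qs(urlparse(url).query)
    raw = " ".join(query.get("scope", []))  # parse_qs already percent-decodes
    return {normalize_scope(s) for s in raw.split() if s}


def risk_of(scopes) -> str:
    """'high' = persistent mailbox access, 'medium' = mailbox access only."""
    scopes = {normalize_scope(s) for s in scopes}
    if scopes & MAILBOX_SCOPES:
        return "high" if scopes & PERSISTENCE_SCOPES else "medium"
    return "low"


def triage_grants(grants, trusted_publisher_ids=frozenset()):
    """Return findings for grants that can read or send mail and come from a
    publisher not already on our allow-list. A verified-publisher badge alone
    does not clear an app: that badge is exactly what the campaign abused."""
    findings = []
    for g in grants:
        level = risk_of(g["scope"].split())
        if level == "low":
            continue
        publisher = g.get("verifiedPublisherId")
        if publisher in trusted_publisher_ids:
            continue
        name = g["appDisplayName"]
        findings.append({
            "app": name,
            "appId": g["appId"],
            "risk": level,
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "verified_publisher": publisher is not None,
            "lure_name": any(k in name.lower() for k in LURE_NAMES),
        })
    # Highest risk first; lure names and tenant-wide consent rise within a level.
    findings.sort(key=lambda f: ({"high": 0, "medium": 1}[f["risk"]],
                                 not f["lure_name"], not f["tenant_wide"]))
    return findings


# Constructed sample export: two grants modeled on the campaign's apps, one
# benign tenant-wide grant from an allow-listed publisher, one low-risk app.
# IDs are placeholders.
SAMPLE_GRANTS = [
    {"appDisplayName": "Single Sign On (SSO)", "appId": "app-0001",
     "verifiedPublisherId": "pub-attacker", "consentType": "Principal",
     "scope": "User.Read email offline_access profile openid Mail.Read "
              "MailboxSettings.Read Calendars.Read OnlineMeetings.Read Mail.Send"},
    {"appDisplayName": "Meeting", "appId": "app-0002",
     "verifiedPublisherId": "pub-attacker", "consentType": "Principal",
     "scope": "User.Read offline_access Mail.Read"},
    {"appDisplayName": "Contoso Expenses", "appId": "app-0003",
     "verifiedPublisherId": "pub-contoso", "consentType": "AllPrincipals",
     "scope": "User.Read Mail.Send"},
    {"appDisplayName": "Time Zone Widget", "appId": "app-0004",
     "verifiedPublisherId": None, "consentType": "Principal",
     "scope": "User.Read openid profile"},
]

if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_GRANTS, trusted_publisher_ids={"pub-contoso"}):
        print(finding)
```

In a real tenant the grant records would come from the Graph `oauth2PermissionGrants` and `servicePrincipals` endpoints (or an Entra ID consent export) rather than the inline sample; the point of the triage is that neither a verified badge nor a familiar-sounding name like “SSO” lowers the risk score, only a publisher ID you have deliberately allow-listed does.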

Multiple organizations were affected, and Proofpoint found evidence of impacted users. The campaign ran from December 6, 2022 to December 27, 2022, when Microsoft finally brought it to a halt. 

During this period the attackers rotated through several malicious applications, but Microsoft detected and disabled all of them, ending the campaign. 

Fake OAuth applications targeting Microsoft’s cloud services are not new. Malicious actors have repeatedly exploited the trust users place in these apps to gain access to sensitive information. 

This underlines the need to be cautious when granting access to third-party apps and to verify their authenticity, and the need for Microsoft to keep improving its safeguards. Tenant administrators can also reduce exposure by restricting user consent to admin-approved applications and by periodically reviewing the consent grants that already exist in their tenant.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
