Microsoft has shut down a cyber criminal campaign attacking business' cloud environments by abusing a verification mechanism in the Microsoft Cloud Partner Programme (MCPP).
The cyber criminals' efforts, which involved exploiting third-party OAuth apps, were spotted in December 2022 and quickly stopped by Microsoft to prevent data theft.
Security firm Proofpoint uncovered the "malicious campaign" in which hackers created fraudulent OAuth apps that were able to satisfy Microsoft's verification requirements for authorised publishers.
As part of the campaign, threat actors used consent phishing' techniques to manipulate organisations into granting access to the malicious OAuth app and subsequently gain access to data including emails, company files, mailbox settings, and assorted datasets.
“We observed that the malicious apps had far-reaching delegated permissions such as reading emails, adjusting mailbox settings, and gaining access to files and other data linked to the user’s account,” researchers said.
“The potential impact to organisations includes compromised user accounts, data exfiltration, brand abuse of impersonated organisations, business email compromise (BEC) fraud, and mailbox abuse.”
OAuth abuse unpacked
OAuth is an open authentication and authorisation standard used by Microsoft and a host of major tech companies such as Facebook and Google.
OAuth enables users to share account information with third-party applications, acting as an “intermediary” between the user and the service, to provide an access token that authorises the sharing of specific account information.
In this instance, Proofpoint said threat actors deliberately abused Microsoft’s verified publisher status to leverage malicious OAuth applications and target potential victims.
Microsoft provides app publishers with this status after verifying their identity via the Microsoft Cloud Partner Programme. This means that users impacted by this attack method likely interacted with malicious apps due to a belief that they were authorising legitimate third-party applications.
“As users, we naturally trust verified accounts more,” Proofpoint said. “It is the same in the enterprise world with third-party OAuth app publishers verified by Microsoft. Unfortunately, threat actors have recognised the value of the verified status in the Microsoft environment.”
Proofpoint highlighted that this attack method was also “less likely” to be detected by organisations compared to traditional targeted phishing or brute force attacks.
The Forrester Wave™: Robotic Process Automation Services
The 15 providers that matter most and how they stack up
“Organisations typically have weaker defence-in-depth controls against threat actors using verified OAuth apps,” researchers added.
OAuth protocols have been abused in the past, research shows. A 2021 study by Proofpoint uncovered similar techniques by threat actors and found that more than 180 malicious applications had been actively exploited.
In September last year, malicious OAuth apps were used in a campaign to compromise Microsoft customer cloud environments and Exchange Online settings.
Thousands of GitHub users were also targeted using malicious OAuth apps which enabled hackers to exfiltrate business-critical data.
Fix issued by Microsoft
After Microsoft was informed of the Proofpoint research, the company said it disabled malicious applications and has coordinated with affected customers to remedy the situation.
The firm has also implemented “several additional security” measures to improve MCPP vetting procedures to mitigate the risk of similar behaviour in the future.
In a statement detailing the attack, the tech giant confirmed that threat actors had successfully impersonated legitimate providers to enrol in the Cloud Partner Programme.
“The actors used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD,” the company said.
“The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps.”
UK organisations affected
Microsoft revealed that this phishing campaign targeted a “subset of customers” primarily based in the UK and Ireland.
Proofpoint's research found that threat actors targeted “mainly UK-based organisations and users”, which Microsoft confirmed in its statement.
Targeted users included senior financial and marketing personnel, Proofpoint found, as well as “high-profile users such as managers and executives”.
