Microsoft warns that financially motivated attackers are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining.
OAuth (short for Open Authorization) is an open standard that grants apps securely delegated access to server resources, based on user-defined permissions, through token-based authentication and authorization without the user having to share their credentials.
Recent incidents investigated by Microsoft Threat Intelligence show that attackers are using phishing and password spraying attacks that focus primarily on user accounts that have privileges to create or modify OAuth apps. It has become clear that they target user accounts that lack robust authentication mechanisms such as multi-factor authentication (MFA).
A new OAuth application is then created using the hijacked account and granted elevated privileges. This preserves access even if the original account is recovered by its owner, while keeping the malicious activity hidden.
These highly privileged OAuth apps are used for a wide range of illegal activities: deploying virtual machines dedicated to cryptocurrency mining, maintaining access during business email compromise (BEC) attacks, and launching spam campaigns that exploit the compromised organizations’ domain names.
One notable example involves the threat actor tracked as Storm-1283, which created an OAuth app that deployed cryptocurrency mining virtual machines. The financial impact on targeted organizations ranged from $10,000 to $1.5 million, depending on the duration of the attack.
Another attacker used an OAuth app created with a compromised account to maintain persistence and launch a phishing campaign using an adversary-in-the-middle (AiTM) phishing kit.
The same perpetrator used Microsoft Outlook Web Application (OWA) to search for attachments linked to “Payments” and “Invoices,” as part of Business Email Compromise (BEC) reconnaissance on the compromised accounts.
In another instance, the attacker created a multi-tenant OAuth app for persistence, added new credentials, and read emails and sent phishing emails via the Microsoft Graph API.
“At the time of our analysis, we observed that the attackers had created approximately 17,000 multi-tenant OAuth applications across various tenants using multiple compromised user accounts,” Microsoft said.
“Based on email telemetry, we observed that a malicious OAuth application created by an attacker sent over 927,000 phishing emails. We have removed all malicious OAuth applications found related to.”
A third actor, tracked as Storm-1286, broke into user accounts not protected by multi-factor authentication (MFA) through a series of password spraying attacks.
The compromised accounts are then used to create a new OAuth app within the targeted organization, which allows the attacker to send thousands of spam emails per day, sometimes months after the initial compromise.
To protect against malicious actors abusing OAuth apps, Microsoft recommends enabling MFA to thwart credential stuffing and phishing attacks.
Security teams should also enable conditional access policies that block attacks using stolen credentials, continuous access evaluation that automatically revokes user access based on risk triggers, and MFA for privileged activities. You must also ensure that Azure Active Directory security defaults are enabled.
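The persistence pattern described above (an account creates an app, adds a credential to it, and obtains mail permissions shortly afterwards) can be hunted for in directory audit logs. The script below is an added example, not code from Microsoft or the original article; the record layout and activity names are assumptions chosen to resemble directory audit events, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records; field names and activity strings are
# assumptions modelled on directory audit events, not a real export.
SAMPLE_AUDIT_LOG = """
{"time": "2023-12-01T08:02:11Z", "actor": "alice@example.test", "activity": "Add application", "target": "mail-sync-helper", "props": {"signInAudience": "AzureADMultipleOrgs"}}
{"time": "2023-12-01T08:03:40Z", "actor": "alice@example.test", "activity": "Update application - Certificates and secrets management", "target": "mail-sync-helper", "props": {}}
{"time": "2023-12-01T08:05:02Z", "actor": "alice@example.test", "activity": "Consent to application", "target": "mail-sync-helper", "props": {"scopes": ["Mail.ReadWrite", "Mail.Send"]}}
{"time": "2023-12-01T09:15:00Z", "actor": "bob@example.test", "activity": "Add application", "target": "hr-dashboard", "props": {"signInAudience": "AzureADMyOrg"}}
{"time": "2023-12-03T10:00:00Z", "actor": "bob@example.test", "activity": "Consent to application", "target": "hr-dashboard", "props": {"scopes": ["User.Read"]}}
"""

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}  # Graph mail permissions of interest
WINDOW = timedelta(hours=1)  # how quickly create -> credential -> consent must occur

def parse_log(text):
    """Parse one JSON record per line and sort by timestamp."""
    events = [json.loads(l) for l in text.strip().splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_apps(text):
    """Flag apps where the same actor creates the app, adds a credential and
    obtains a mail permission within WINDOW of creation."""
    by_app = defaultdict(list)
    for e in parse_log(text):
        by_app[(e["actor"], e["target"])].append(e)
    findings = []
    for (actor, app), evs in by_app.items():
        created = [e for e in evs if e["activity"] == "Add application"]
        if not created:
            continue
        t0 = created[0]["ts"]
        in_window = [e for e in evs if t0 <= e["ts"] <= t0 + WINDOW]
        cred_added = any(e["activity"].startswith("Update application - Certificates")
                         for e in in_window)
        scopes = set()
        for e in in_window:
            if e["activity"] == "Consent to application":
                scopes |= set(e["props"].get("scopes", []))
        mail = scopes & MAIL_SCOPES
        if cred_added and mail:
            multi = created[0]["props"].get("signInAudience") == "AzureADMultipleOrgs"
            findings.append({"actor": actor, "app": app,
                             "multi_tenant": multi, "mail_scopes": sorted(mail)})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_apps(SAMPLE_AUDIT_LOG):
        print(finding)
```

On the constructed sample only the multi-tenant app that received a secret and mail scopes within an hour of creation is flagged; the single-tenant app with a read-only scope is not.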