Hackers abuse Microsoft’s “Verified Publisher” OAuth apps
Several fraudulent Microsoft Partner Network (MPN) accounts were found to have registered malicious OAuth applications that were used to break into organizations' cloud environments and steal mailbox data. Microsoft has since disabled the accounts and the applications.
Microsoft and Proofpoint disclosed that threat actors had impersonated legitimate companies and obtained publisher verification as those companies through the Microsoft Cloud Partner Program (MCPP, formerly MPN).
The attackers used these accounts to register OAuth applications in Azure Active Directory that appeared legitimate, then targeted employees of organizations in the UK and Ireland with consent phishing: links to the apps' consent prompts, which ask the user to grant the app access to their account.
The applications were built to steal sensitive data from victims' accounts; in this campaign the target was mailbox data, including users' email addresses.
Harvested addresses are typically reused for phishing or spam, or sold on the dark web to other criminals.
Because the apps requested broader permissions than they needed, the consent may also have opened the door to calendars and meeting information and to changes to user permissions.
Attackers commonly use such access for:
- Cyber espionage
- Business email compromise (BEC)
- Gaining deeper access to internal networks
Proofpoint detected the campaign on December 15, 2022 and reported it to Microsoft, which shut down the fraudulent accounts and OAuth applications involved.
After the discovery, Microsoft notified affected customers by email, explaining that the actors had abused the consent granted to their apps to steal data from email accounts.
Microsoft found that the actors used several tactics to appear credible, chiefly posing as reputable organizations.
The fact that the malicious apps carried "publisher verified" status means they had passed Microsoft's publisher verification, which is tied to an MPN account.
Microsoft told Proofpoint that changing the publisher name associated with an MPN account triggers re-verification.
Emulation of popular apps
Posing as verified publishers, the attackers traded on the familiarity of common enterprise tools such as single sign-on (SSO) to trick victims, using:
- Duplicate app icons
- Duplicate app names
- Reply URLs (redirect URIs) chosen to look legitimate
The consent screens were reached through custom ".html" and ".htm" landing pages that delivered the authorization request.
In the Azure Active Directory (Azure AD) consent prompt, a blue check mark identifies apps from a verified publisher and serves as a trust signal to the user, which is exactly what the attackers exploited.
Of the three applications, two were named "Single Sign On (SSO)" and the third "Meeting". All three requested the following permissions:
- offline_access (issues a refresh token, so the app's access persists after the initial consent)
- MailboxSettings.Read
Proofpoint found evidence of affected users at several organizations. The campaign ran from December 6, 2022 until December 27, 2022, when Microsoft detected and disabled the remaining malicious applications, bringing it to an end.
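The triage a defender would run after reading the permission list above, as an added example (not code from Microsoft or Proofpoint): it walks the tenant's delegated consent grants and scores each app on what it actually asked for, not on the publisher badge. The records are constructed and follow the shape of the Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` resources (only the fields read here); the scope names are real Graph delegated permissions, while the scoring weights, thresholds and lookalike-name list are the example's own assumptions.

```python
"""Triage delegated OAuth consent grants in an Azure AD / Entra ID tenant for
the consent-phishing pattern described above. Added example: sample records
are CONSTRUCTED and mirror the fields of the Graph `servicePrincipal` and
`oauth2PermissionGrant` resources; a real run would feed in the output of
GET /servicePrincipals and GET /oauth2PermissionGrants instead.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Delegated scopes that read or change mailbox/calendar data (real Graph names).
MAIL_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.Read", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
}
# Product names the campaign imitated (compared case-insensitively); assumption.
LOOKALIKE_NAMES = {"single sign on (sso)", "meeting"}


@dataclass
class Finding:
    app_id: str
    display_name: str
    verified_publisher: str | None
    risk: str              # "high", "medium" or "low"
    reasons: list[str]


def _scopes(grants: list[dict]) -> set[str]:
    # Graph returns delegated scopes as one space-separated string per grant.
    return {s for g in grants for s in g.get("scope", "").split()}


def assess(sp: dict, grants: list[dict]) -> Finding:
    """Score one service principal from its consent grants.

    The verified-publisher badge is recorded but deliberately NOT used to
    lower the score: in this campaign the badge itself was fraudulently
    obtained, so it cannot substitute for inspecting what the app asks for.
    """
    score, reasons = 0, []
    requested = _scopes(grants)

    mail = sorted(requested & MAIL_SCOPES)
    if mail:
        score += 2
        reasons.append(f"mailbox/calendar scopes: {', '.join(mail)}")
        if "offline_access" in requested:
            score += 1  # refresh token: access outlives the phishing session
            reasons.append("offline_access alongside mailbox scopes")

    if any(g.get("consentType") == "Principal" for g in grants):
        score += 1  # granted by individual users, not tenant-wide by an admin
        reasons.append("end-user consent (consentType=Principal)")

    if sp.get("displayName", "").strip().lower() in LOOKALIKE_NAMES:
        score += 1
        reasons.append("display name imitates a common product")

    if any(urlparse(u).path.lower().endswith((".html", ".htm"))
           for u in sp.get("replyUrls", [])):
        score += 1
        reasons.append("reply URL points at a static .html/.htm page")

    risk = "high" if score >= 4 else "medium" if score >= 2 else "low"
    publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
    return Finding(sp["appId"], sp.get("displayName", ""), publisher, risk, reasons)


def triage(service_principals: list[dict], grants: list[dict]) -> list[Finding]:
    """Join grants to their client service principal and rank by risk."""
    by_client: dict[str, list[dict]] = defaultdict(list)
    for g in grants:
        by_client[g["clientId"]].append(g)
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [assess(sp, by_client.get(sp["id"], [])) for sp in service_principals]
    return sorted(findings, key=lambda f: order[f.risk])


# --- Constructed sample tenant data (identifiers are placeholders) -----------
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Single Sign On (SSO)",
     "verifiedPublisher": {"displayName": "Example Partner Ltd"},
     "replyUrls": ["https://sso.login-portal.example/consent.html"]},
    {"id": "sp-2", "appId": "app-2", "displayName": "Meeting",
     "verifiedPublisher": {"displayName": "Example Partner Ltd"},
     "replyUrls": ["https://meeting.example/start.htm"]},
    {"id": "sp-3", "appId": "app-3", "displayName": "Example Expense Tracker",
     "verifiedPublisher": {"displayName": "Example Software Inc"},
     "replyUrls": ["https://expenses.example/callback"]},
    {"id": "sp-4", "appId": "app-4", "displayName": "Payroll Export",
     "verifiedPublisher": None,
     "replyUrls": ["https://payroll.corp.example/oauth"]},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-17",
     "scope": "openid profile email offline_access MailboxSettings.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "scope": "openid profile email offline_access MailboxSettings.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read"},
    {"clientId": "sp-4", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read offline_access"},
]

if __name__ == "__main__":
    for f in triage(SERVICE_PRINCIPALS, GRANTS):
        badge = f"verified publisher '{f.verified_publisher}'" if f.verified_publisher else "no verified publisher"
        print(f"[{f.risk.upper():6}] {f.display_name} ({badge})")
        for r in f.reasons:
            print(f"         - {r}")
```

Both verified "SSO" and "Meeting" apps come out high while the admin-consented internal app that reads mail lands at medium: the badge does not change the score, and what separates the two groups is end-user consent plus the lookalike name and static landing page. Tenants that do not want users making this call can disable user consent entirely and route requests through the admin consent workflow.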
Fake OAuth applications targeting Microsoft cloud services are not new. Attackers have repeatedly exploited the trust users place in these apps to gain access to sensitive information and carry out further attacks.
This case shows that the verified-publisher badge alone is not a reason to grant access: users and administrators should scrutinize the permissions an app requests and who its publisher actually is before consenting, and Microsoft must keep tightening its verification controls so that fraudulent partners cannot obtain the badge in the first place.