On Tuesday, Microsoft announced that it has taken action to disable phoney Microsoft Partner Network (MPN) accounts that had been used to build harmful OAuth applications as part of a phishing campaign intended to infiltrate cloud environments of enterprises and steal email.
The IT company claimed that the fraudulent actors “built applications that were subsequently deployed in a consent phishing campaign, which duped users into authorising access to the phoney apps.” “This phishing campaign primarily targeted clients in the United Kingdom and Ireland.”
Consent phishing is a type of social engineering assault in which users are persuaded to provide permission to malicious cloud applications, which can subsequently be used as a weapon to access secure user data and legitimate cloud
dditionally, Microsoft stated that it added more security measures to strengthen the verification process connected with the Microsoft Cloud Partner Program (formerly MPN) and lessen the likelihood of fraudulent activity going forward.
The publication is timed to coincide with a Proofpoint paper outlining how threat actors were able to successfully compromise corporate cloud infrastructures by taking advantage of Microsoft’s status as a “certified publisher.”
The campaign is remarkable because it was effective in deceiving Microsoft in order to obtain the blue validated badge by imitating well-known companies.
The rogue OAuth apps, according to Proofpoint, had “far-reaching delegated permissions” that included reading emails, changing mailbox settings, and accessing files and other data linked to the user’s account.
It also noted that, in contrast to a prior campaign that compromised already-verified Microsoft publishers to exploit OAuth app capabilities, the most recent attacks are made to impersonate trustworthy publishers in order to obtain verified and spread the malicious applications.
Three of the aforementioned apps were named “Single Sign-on (SSO),” with the third programme attempting to pass as video conferencing software by using the term “Meeting.”
The same companies were targeted by all three apps, which were made by three separate publishers and used the same infrastructure under the control of the attacker.
Organizations may be affected by hacked user accounts, data exfiltration, brand infringement by impostor companies, business email compromise (BEC) fraud, and mailbox abuse, according to the enterprise security provider.
On December 27, 2022, a week after Proofpoint notified Microsoft of the attack on December 20 and the apps were blocked, the campaign is reported to have come to an end.
The findings show the level of sophistication used to carry out the assault, as well as how Microsoft’s security measures were circumvented and how users’ faith in enterprise vendors and service providers was abused.
False OAuth apps have already been used to attack Microsoft’s cloud services. Proofpoint described an additional threat activity known as OiVaVoii in January 2022 that targeted senior executives in an effort to gain power.
Then, in September 2022, Microsoft disclosed that it had stopped an assault that used rogue OAuth applications installed on infected cloud tenants to eventually take over Exchange servers and send spam.